Microsoft Security Paradigmes are Irritating. I sure they're fine once
you know what they are, but for the uninitiated it's quite
counterintuitiv e to work with.
I moving an old SQL Server-backend-IIS5/ASP-frontend application to
servers with windows 2003 standard edition. One server will run the
database the other will run IIS 6.0. Note that i haven't set-up a
domain, which i think requires one machine to be domain controller
which would decrease performance and stuff. I've simply put them on the
same group.
I wan't to restrict access the sql server so only the incomming
connection from the webserver is allowed. I can use either named
pipes(which should be the fastest protocol) or tcpwhich should be
slight slower than named pipes) but i seem to have a problem. If I use
named pipes to connect the IUSR(the user under which IIS is running)
must have access-rights to IPC$ share on the sql server. I can't seem
to set any access-right directly for IPC$ share, but i can reactivate
my guest user and then it works, everyone can now access the ipc$ share
so it's not really what i'm looking for.
I can also connect through TCP( and set up some kind of filter only
allowing incomming connections on port 1433 from the ip of the web
server.
But i don't know how to do this. I've taken a look at the IPSec stuff
but it's all about kerberos authentication and other bull which i don't
think i need. What i need is simply a ip traffick filter, which does
nothing else but reject incomming connection from all other ip's than
my webserver.
My question is how do I do this? Do i need to have a addtitíon
"firewall" service running and if so why, how much extra overhead will
this create for the server. Alternately, is it possible to change the
access right for the IPC$ share manually?
Thanks in advance for any input you might have on this?
Regs Jens
