Re: Created on Access 2003, but.......................

Bri <not@xxxxxxxx> wrote in z18bg.173771$7a.47737@pd7tw1no:">news:z18bg.173771$7a.47737@pd7tw1no:

David W. Fenton wrote:

It's as secure as you can be with database ports open to the
Internet, yes.

But that's not secure under any scenario, as any port scanner
could hit an open port and do its thing. The fact that it's a
non-predictable port is no protection, since that's just
"security by obscurity."

Well, you still need a userid, password and database name. No
"security by obscurity" that I see. Knowing the server and port is
only part of the equation.

You're assuming the server remains in a secured configuration. As we
well remember with SQL Server, there were lots of scenarios that
would result in the clearing of the sa password, and open up a
server that was thought to be secure to exploits.

. . . They host
thousands of these databases and thousands of the other types
(Jet and SQL Server). In fact you can signup for their free
account and get ASP and Access(Jet) support. I've been using them
for 6 years without any problems. BTW, the Access(Jet) connection
is via the ASP variable Server.MapPath(pathToDatabase) so there
seems to be no external connections there. The documentation on
the SQL Server points to a server just like MySQL.

I would not want to be an ISP offering this kind of service. It's
way too dangerous to have any but the bare minimum of ports open
to the Internet.

This kind of thing should only be done over a secure tunnel of
some sort, VPN, or, where passible, SSH.

Yes, I agree this would be even better as it would also encrypt
the data packets. But for most situations it is likely secure
enough.

Until it's not, of course.

. . . Contrary to
popular belief, most people's data is of no interest to anyone
else. If I was using this to process creditcards or identity data
I would be more worried, and more likely to setup the TS solution.

It's not a matter of the value of the data, a threat of theft. It's
a matter of loss of data, corruption of data or disruption of
availability due to an exploit. Secondly, an open database port
could be a vector for exploits not limited to the database server
itself that could bring down or compromise the server as a whole, or
other machines inside the network the server is on.

I think the fact that it's so very unusual for ISPs to provide
database connectivity over the open Internet should tell you what
you need to know about whether or not this is a safe configuration.
If it were safe and secure surely lots of ISPs would be offering the
service, no?

--
David W. Fenton http://www.dfenton.com/
usenet at dfenton dot com http://www.dfenton.com/DFA/
.

Relevant Pages

  • Re: Word 2007 Missing User Level Securitty - ARRRGGGGHHHH What were they thinking?
    ... File servers aren't secure? ... Access predates Windows security, ... database system has never been updated or kept current. ... the OS-based database server product, ...
    (microsoft.public.access.security)
  • Re: SQL2005: Cannot connect error 11001
    ... user mapped to one database. ... Does the issue has to do with the login account / user ... Server connection. ... if you changed the port ...
    (microsoft.public.sqlserver.connect)
  • Re: 553 sorry, relaying denied from your location
    ... connection on port 465. ... Newly created server is on port 465, ... iterations of secure, always secure, 128 bit encryption, etc. ... that doesn't appear to be an Exchange response. ...
    (microsoft.public.exchange.setup)
  • DB Fault Tolerance - network connections
    ... a Perl server which talks to a PostgreSQL database on a different phys. ... block the port on the DB server, ... Note that I'm using iptables on the box that is running the Postgresql ...
    (perl.dbi.users)
  • RE: Lotus Notes - Is this a bad thing?
    ... > Make sure you have your firewall set up right... ... Remember that something secure today may not be tomorrow so, ... Try cutting UDP access to the server completely, ... Make sure port encryption is enabled on the servers ...
    (Security-Basics)