11.07.2015 Views

Improving Web Application Security: Threats and - CGISecurity


522 Part IV: Securing Your Network, Host and Application

Step 7. Ports

By default, SQL Server listens on TCP port 1433 and uses UDP port 1434 for client-server negotiation. Use a combination of firewalls and IPSec policies to restrict access to these ports to minimize the avenues of attack open to an attacker.

In this step, you:

● Restrict access to the SQL Server port.
● Configure named instances to listen on the same port.
● Configure the firewall to support DTC traffic (if necessary).

Restrict Access to the SQL Server Port

Use a perimeter firewall to prevent direct access from the Internet to the SQL Server ports — by default, TCP port 1433 and UDP port 1434. This does not protect your server against internal attacks. Configure IPSec policies to limit access, through TCP port 1433 and UDP port 1434, from Web or application servers that connect to the database by design.

For more information, see “How To: Use IPSec” in the “How To” section of this guide.

Configure Named Instances to Listen on the Same Port

By default, named instances of SQL Server dynamically allocate a port number and use UDP negotiation with the client to allow the client to locate the named instance. To avoid opening a range of port numbers on the internal firewall or having to create multiple IPSec policies, use the Server Network Utility to configure the instance to listen on a specific port number.

If you reconfigure the port number on the server, you must also reconfigure any clients to make sure they connect to the correct port number. You might be able to use the Client Network Utility, but this utility should not be installed on a Web server. Instead, applications can specify the port number in their connection strings by appending the port number to either the Server or Data Source attributes as shown in the following code.

    "Server=YourServer|YourServerIPAddress,PortNumber"
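The following is an added example, not code from the guide: a small audit that parses application connection strings and flags any that would still depend on UDP 1434 negotiation or that target a port the firewall or IPSec policy does not permit. The sample connection strings, the host names, and the fixed port 2433 are constructed for illustration.

```python
# Added example: audit connection strings against the fixed-port policy above.
# Assumption: values are split on ';' without handling quoted values.
DEFAULT_PORT = 1433  # default instance port named in the guide

# Keywords SqlClient accepts for the server address (synonyms of Data Source).
SERVER_KEYS = {"server", "data source", "address", "addr", "network address"}

def parse_server(conn_str):
    """Return (host, instance, port) or None if no server attribute exists."""
    for part in conn_str.split(";"):
        key, sep, value = part.partition("=")
        if sep and key.strip().lower() in SERVER_KEYS:
            value = value.strip()
            if value.lower().startswith("tcp:"):   # optional protocol prefix
                value = value[4:]
            target, _, port = value.partition(",")
            host, _, instance = target.partition("\\")
            port = port.strip()
            return (host.strip(), instance.strip() or None,
                    int(port) if port.isdigit() else None)
    return None

def audit(conn_strings, allowed_ports):
    """Map each non-compliant entry name to the reason it was flagged."""
    findings = {}
    for name, conn_str in conn_strings.items():
        parsed = parse_server(conn_str)
        if parsed is None:
            findings[name] = "no Server/Data Source attribute"
            continue
        _host, instance, port = parsed
        if port is None and instance:
            # Client must locate the instance's dynamic port over UDP 1434.
            findings[name] = "named instance without port: needs UDP 1434"
            continue
        effective = port if port is not None else DEFAULT_PORT
        if effective not in allowed_ports:
            findings[name] = f"port {effective} not permitted by policy"
    return findings

# Constructed sample input (hypothetical hosts, databases and port).
SAMPLES = {
    "orders": "Server=db01,2433;Database=Orders;Integrated Security=SSPI",
    "reports": "Data Source=db01\\REPORTS;Initial Catalog=Rpt;Integrated Security=SSPI",
    "legacy": "Server=tcp:10.0.0.5,1433;Database=Old;Integrated Security=SSPI",
    "hr": "Data Source=db01\\HR,2433;Initial Catalog=HR;Integrated Security=SSPI",
}

if __name__ == "__main__":
    for name, reason in audit(SAMPLES, {2433}).items():
        print(f"{name}: {reason}")
```

Entries with no findings can be reached with only the fixed TCP port open on the internal firewall or in the IPSec policy.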
