need advice on firewall/VPN security options

posten (n00b, joined Dec 8, 2004, 16 messages)
ok guys, I'll give a brief rundown on what we've got.

I'm the monkey/IT guy for my company. we've got one server running SBS 2003 and SQL Server. we have a custom app that lets us manipulate our SQL database. our developer has hard-wired the SQL logins into that application. the app is mostly used on-site for local clients within our domain. however, the app can and has been used remotely, as long as port 1433 is open on the router. I know that may not be all that secure, but that's how it was written.

red flags? yes.

our topology is as follows...static IP business class, cisco UBR900 cable modem/router, old linksys befw11s4 candy-a$$ wireless router. wireless is disabled. one SBS 2003 server, a bunch of XP pro clients all in one domain.

only recently did we discover that a bot somewhere has been doing a brute-force password attack on standard SQL account names on SQL Server via 1433. It's actually coming from St. Louis MO. I think we've since closed that port. however, very soon we will have a lot of work and people will need remote access to run our app. we COULD run it on the server, but SBS 2003 only comes with 2 TS licences. however, our dual-Athlon MP 1.7s already make the server a little slow with 2 active TS connections. so that option is out.

we could build a few client machines, headless boxes with XP pro on them that people could TS into and run the app that way. however, our office is very small, and short of a rack of 1U boxes, it's not feasible. and new hardware costs money. and money is tight.

we have off-site workers that will need to use the app one way or another. unless we totally revamp our app, which I don't see happening, that means re-opening 1433 on the router. I'll be the first to admit I know next to nothing about the complex workings of firewalls. I talked with our developer about some options, VPN... firewalls. stateful packet filtering... would likely block attacks, but might have problems in that our people working remotely are most likely on residential DSL or cable connections with dynamic IPs... so we can't designate those as trusted in the firewall. was looking at the older WatchGuard SOHO firewalls... you know the red box that came with a 10-user licence... considering that... but A) not sure if it will do everything we need, and B) have more than 10 machines locally... so that's more money for licences.

I know next to nothing about VPNs... but from talking to our developer and a friend at MS, I think that's the way to go. somehow got to get some authentication going. however, I know next to nothing about setting one up.

any opinions/advice on this situation would be greatly appreciated.

Thanks,

Posten
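The brute-force attempts the original post describes leave a trail in SQL Server's ERRORLOG as repeated "Login failed for user ..." entries carrying the client address. The script below is an added example, not code from the thread or from any poster: it parses such lines and flags any client address that racks up more than a threshold of failures inside a sliding time window, which is the kind of check an admin can run to confirm that closing 1433 (or moving access behind a VPN, as the replies suggest) actually stopped the bot. The log lines are constructed in the style of ERRORLOG entries (the exact layout varies by SQL Server version, so treat the regex as an assumption to adjust), and 203.0.113.5 is a documentation address standing in for the remote source.

```python
"""Added example: detect password-guessing against SQL Server from ERRORLOG lines.

This is not code from the thread. The sample lines are constructed in the
style of SQL Server "Login failed" entries; real ERRORLOG formatting differs
between versions, so LINE_RE is an assumption to adapt to your own log.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample data (not real log output): one remote source cycling
# through common account names, plus one local user who mistyped a password.
SAMPLE_LOG = """\
2004-12-08 10:15:22.41 Logon Login failed for user 'sa'. [CLIENT: 203.0.113.5]
2004-12-08 10:15:22.58 Logon Login failed for user 'sa'. [CLIENT: 203.0.113.5]
2004-12-08 10:15:22.74 Logon Login failed for user 'admin'. [CLIENT: 203.0.113.5]
2004-12-08 10:15:23.02 Logon Login failed for user 'sql'. [CLIENT: 203.0.113.5]
2004-12-08 10:15:23.19 Logon Login failed for user 'root'. [CLIENT: 203.0.113.5]
2004-12-08 10:16:01.00 Logon Login failed for user 'jsmith'. [CLIENT: 192.168.1.40]
2004-12-08 10:15:23.40 Logon Login failed for user 'sa'. [CLIENT: 203.0.113.5]
"""

# Assumed line layout: timestamp, "Logon", message, "[CLIENT: <addr>]".
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\.\s+\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_failed_logins(text):
    """Return a list of (timestamp, username, client_address), oldest first.

    Lines that do not match the failed-login pattern are ignored, so the
    function can be fed a whole ERRORLOG rather than a pre-filtered extract.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group("user"), m.group("client")))
    events.sort(key=lambda e: e[0])
    return events


def find_bruteforce_sources(events, threshold=5, window_seconds=60):
    """Flag clients with >= threshold failures inside any window_seconds span.

    Returns {client: (total_failures, sorted_distinct_usernames)} for each
    flagged client. Many distinct usernames from one address is the
    account-name guessing pattern the original post describes; a single
    user failing once or twice is normal and stays below the threshold.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # client -> timestamps still inside the window
    totals = defaultdict(int)
    users = defaultdict(set)
    flagged = set()
    for ts, user, client in events:
        totals[client] += 1
        users[client].add(user)
        q = recent[client]
        q.append(ts)
        while ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(client)
    return {c: (totals[c], sorted(users[c])) for c in sorted(flagged)}


if __name__ == "__main__":
    hits = find_bruteforce_sources(parse_failed_logins(SAMPLE_LOG))
    for client, (count, names) in hits.items():
        print(f"{client}: {count} failed logins, usernames tried: {', '.join(names)}")
```

On a live box you would feed it the current ERRORLOG instead of SAMPLE_LOG; an empty result after the port is closed (or after access is restricted to the VPN) is the confirmation you want, while a non-empty one means the exposure is still there.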
 
While it does little for security, aside from avoiding bots, run SQL Server on an alternative port number.
 
I take it the app can be run from any box as long as it can reach the server, correct? If so, the quickest, easiest way would be to set up a quick, simple VPN. you could set one up by hand on a Linux box to keep it free, but for quick and simple, you can get m0n0wall and set up PPTP in a matter of minutes. Then your users can connect to the VPN, run the app on their workstation without it being joined to the domain, and they're good to go.
 
OpenVPN is a decent little app, worth looking into at least.

I swear by it. :)
 
You'll need to determine how much bandwidth would be required to support "x" concurrent users and if the application will have a decent response time.

Else I recommend setting up a dual processor member server running terminal server for remote users.
 