Jun 05 2021 04:06 AM
I have a request to open TCP port 1433 on our firewall to allow a company to query a table on our SQL server as part of a service they have been contracted to provide. The SQL server is in our server VLAN, not the DMZ.
I am told the company will have read-only access to the table, and that a unique username and password have been created for this company.
I am thinking we would open the port if we can lock down access to just this company's public IP address(es). Otherwise, no go.
I don't know anything about SQL server, SQL injection, etc. Is the above approach sufficient to protect our SQL server? Am I correct in thinking that opening up TCP port 1433 to the public internet is a bad idea?
What other methods for granting the access needed by this company can I recommend to the project team?
Jun 15 2021 04:44 AM
Hi @garryholmberg --
Your intuition is correct in that opening 1433 to the internet from within your internal VLAN is incurring risk. Have you considered replicating the database to a system in the DMZ and providing the read-only access to that copy of the database? Take care.
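
The question says the vendor account is read-only on one table. The T-SQL audit below is an added example, not something posted by either participant, that a DBA could run to confirm that claim before any firewall change. The names `ServiceDb`, `dbo.ServiceTable` and `VendorReader` are constructed placeholders for the real database, table and account.

```sql
-- Added example: audit what the vendor account can actually do.
-- ServiceDb, dbo.ServiceTable and VendorReader are constructed placeholders.
USE [ServiceDb];

-- 1. Explicit grants and denies held by the database user.
--    Expected: CONNECT on the database and SELECT on the one table, nothing else.
SELECT pr.name AS principal_name,
       pe.class_desc,
       CASE WHEN pe.class = 1 THEN OBJECT_NAME(pe.major_id) END AS object_name,
       pe.permission_name,
       pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr
  ON pe.grantee_principal_id = pr.principal_id
WHERE pr.name = N'VendorReader';

-- 2. Database role memberships. Any row here (db_datareader, db_owner, ...)
--    means the account reaches more than the single table.
SELECT r.name AS role_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON rm.role_principal_id = r.principal_id
JOIN sys.database_principals AS m ON rm.member_principal_id = m.principal_id
WHERE m.name = N'VendorReader';

-- 3. Server-level check: the login must not be a sysadmin (1 = member).
SELECT IS_SRVROLEMEMBER(N'sysadmin', N'VendorReader') AS is_sysadmin;

-- 4. Effective permissions, evaluated as the vendor user. This also shows
--    anything inherited through the public role.
EXECUTE AS USER = N'VendorReader';
SELECT permission_name, subentity_name
FROM sys.fn_my_permissions(N'dbo.ServiceTable', N'OBJECT');
SELECT permission_name
FROM sys.fn_my_permissions(NULL, N'DATABASE');
REVERT;
```

A clean result narrows what the account can do once authenticated; it does not change the network exposure of port 1433, which is what the source-IP restriction and the DMZ replica suggestion address.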