Why do you not want IIS on the same box? Why do you not want client for MS installed, etc.?
I am trying to get up to speed on server security and any way you can point me in the right direction would be appreciated.
First, let me thank you for reading my security article, and for considering taking the necessary steps, to reduce the security risks with your database server -- it appears you have identified your first security weak link, and are prepared to address this issue with your networking department.
As for "how can I go about figuring out the why's?", you want to make sure that you first have a thorough understanding of the application and database requirements in your organization. In other words, ask your key people the following questions with respect to IIS and client for MS: Is IIS required on your database server to handle a specific functionality? (I'd be concerned if you found that IIS is configured; if it is not configured, then someone may have inadvertently installed it and didn't understand the application requirements at the time.) Is client for MS required? This is installed by default and is used to allow your database server to browse your network; if it is not required, I would remove it.
The reason why you don't want IIS on the same box is for the obvious inherent security issues that exist with port 80; for example, why set up your database server to propagate the automation of a WORM on your network from other IIS servers inside your firewall? It's also possible that whoever set up IIS on your database server is also running FTP service, by default. I understand that your database server is behind a production or corporate firewall, but it doesn't justify running unnecessary services.
Once you have identified that IIS is not required, I would suggest that you plan and schedule a time after-hours to test your database server without WWW and IISADMIN services running, to see if your application will continue working. You may want to set the above services to manual and reboot your database server, before you determine the services are not necessary. As for MSDTC and other services, I suggest you carefully do your homework and stage stopping the services (one at a time), until you've achieved running only the required services on your database server.
It looks like you are thinking about taking the initiative, to secure that database server. I would schedule a meeting with the key people in your organization, to explore (and stage) the existing configuration of your server. Remember to make (and test) a full backup of your server before making modifications.
You'd be surprised by what you and others will learn when you go beyond the surface level of your server configuration.
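An added example, not part of the original answer, showing how the staged shutdown described above (record the current state, check what is listening, set a service to manual, stop it, test the application, and roll back if needed) can be carried out on a current Windows server with PowerShell; the answer predates PowerShell, so the tooling is an assumption. It assumes the standard Windows service names W3SVC for the WWW service, IISADMIN, and MSDTC, an elevated session, and a baseline file path of your choosing.

```powershell
# Added example (not from the original article): inventory services, then stage
# stopping them one at a time so the application can be tested between steps.
# Assumes an elevated PowerShell session on a Windows server, taken AFTER a tested
# full backup. W3SVC, IISADMIN and MSDTC are the standard Windows service names
# for what the answer calls the WWW, IISADMIN and MSDTC services.

$BaselinePath = 'C:\Hardening\services-baseline.csv'   # assumed path; choose your own

# 1. Record the current state and start mode of every service so any change can be undone.
New-Item -ItemType Directory -Force -Path (Split-Path $BaselinePath) | Out-Null
Get-CimInstance Win32_Service |
    Select-Object Name, DisplayName, State, StartMode |
    Export-Csv -NoTypeInformation -Path $BaselinePath

# 2. Show which processes are actually listening on the web and FTP ports, so you can
#    confirm whether IIS (80/443) or an FTP service (21) is really exposed on this box.
Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalPort -in 80, 443, 21 } |
    Select-Object LocalAddress, LocalPort, OwningProcess

# 3. Stage one service: set it to Manual and stop it, then go test the application.
function Stage-ServiceStop {
    param([Parameter(Mandatory)][string]$Name)
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Host "$Name is not installed on this server"; return }
    Set-Service -Name $Name -StartupType Manual
    Stop-Service -Name $Name -Force        # -Force also stops dependent services
    Write-Host "$Name set to Manual and stopped; now test the application"
}

# 4. Roll back a single service to the recorded baseline if the application breaks.
function Restore-ServiceFromBaseline {
    param([Parameter(Mandatory)][string]$Name)
    $row = Import-Csv $BaselinePath | Where-Object Name -eq $Name
    if (-not $row) { throw "$Name not found in $BaselinePath" }
    # Win32_Service reports Auto/Manual/Disabled; Set-Service wants Automatic/Manual/Disabled
    $mode = switch ($row.StartMode) {
        'Auto'   { 'Automatic' }
        'Manual' { 'Manual' }
        default  { 'Disabled' }
    }
    Set-Service -Name $Name -StartupType $mode
    if ($row.State -eq 'Running') { Start-Service -Name $Name }
}

# Usage: take the IIS services first; MSDTC and others only after that test succeeds.
Stage-ServiceStop -Name 'W3SVC'
Stage-ServiceStop -Name 'IISADMIN'
# Stage-ServiceStop -Name 'MSDTC'
# Restore-ServiceFromBaseline -Name 'W3SVC'   # if the application stops working
```

Setting a service to Manual rather than Disabled, and stopping only one service per test cycle, keeps each change reversible and makes it obvious which service the application actually depends on; the baseline CSV is what lets you restore the exact prior state if a test fails.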
This was first published in October 2002