Home/ Questions/Q 616349
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-13T18:19:04+00:00

An auditor reviewing our system was suggesting that our data should be stored on

  • 0

An auditor reviewing our system was suggesting that our data should be stored on a separate physical server from the web server. We’re running SQL 2008 on a Windows 2003 machine with IIS as the web server running ASP.NET 3.5 applications.

I can’t think of any significant reason that there would more security by having SQL on a separate box. The website still accesses SQL so there’s no reduction of SQL injection possibility (we protect against that of course), and we would use RPD to admin the SQL machine just like the web server.

Can anyone with more security knowledge give some insight as to why it would be better, or if in fact it’s not any more secure?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    A box that is only running SQL Server can:

    • Have anything extraneous to the dbms removed. Since IIS is an obvious entry point into the overall system, by not having IIS on the same box, some possible problems are avoided. — I’m not referring to a sql-injection attack since obviously, they flow from the web server through to the dbms. I’m referring to unpatched IIS problems, poorly configured IIS accounts, etc.
    • Can also remove any OS-level logins, etc — OS level attacks
    • Can move the SQL server to a different network (eg behind a firewall)
    • Can apply more resources to monitoring the high value target. Eg tripwire type systems
    • Can apply better hw/sw (raid, more frequent backups) if the cost of the hw on the IIS machine/farm would be too great.

    ps. Even running as a separate virtual instance (but same hw) would be better than having everything on one OS instance.

    • 0