Re: How BAD is SQL on ISA?
- From: "William Robertson" <william.robertson@xxxxxxxxx>
- To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
- Date: Wed, 15 Jan 2003 09:02:55 +0200
Ok everybody, I think I get the picture. The bottom line is that I
shouldn't consider compromising my ISA Configuration by installing SQL
Server.
On the other hand, I am still not entirely convinced that I want to get
ISA Server to log directly to a different server, because if anything
happens on the network or that other server, then my ISA server won't be
able to log and thus all Internet Surfing will be compromised, if not
disabled.
In light of this, I propose the following, leave ISA Server to log to
flat files, and then every morning I run a batch script to "archive" the
previous days logs into a SQL Server database on a different server. As
far as I can tell this is possibly my best approach, except for the fact
that the importing data from the logfiles into SQL could become quite
hairy.
I see that Jim Harrison has a script on his website that will apparently
do just this, but it is unfortunately only for the WEB Proxy logs, so I
was wondering if anybody out there actually has some .vbs & .sql scripts
that will cater for all 3 logfiles?
Cheers
William R.
-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: 14 January 2003 20:21 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: How BAD is SQL on ISA?
http://www.ISAserver.org
Hi Jim, et. al.,
SQL logging puts a considerable performance hit on the server, and if
you're hosting the database on the ISA Server itself, you may hit the
glass ceiling :-)
Tom
Thomas W Shinder
www.isaserver.org/shinder
http://tinyurl.com/1jq1
http://tinyurl.com/1llp
-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Tuesday, January 14, 2003 11:44 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: How BAD is SQL on ISA?
http://www.ISAserver.org
Generally speaking, stick to your "least privileges" concept; you can't
go
wrong there.
Perf, vulnerabilities and user rights become harder to control when you
have
multiple users accessing your firewall; even if only for SQL usage.
If $$ pushes you into that train track of thought, then make sure you:
1. set a strong password for the "sa" account and control database
access
permissions with an iron fist
2. don't provide direct access to the SQL admin account from outside (no
direct SQL calls); no PF for SQL access!
3. remove any master-db SP and XP that you don't need for normal SQL
operations; many vulnerabilities have been found therein.
4. No one, but NO ONE except the server admin gets administrative access
to
the SQL services!
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/pages/author_index.asp?aut=3
http://isatools.org
Read the help / books / articles!
----- Original Message -----
From: "William Robertson" <robertson.william@xxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Tuesday, January 14, 2003 02:11
Subject: [isalist] How BAD is SQL on ISA?
http://www.ISAserver.org
Hi there
I live in a principle of least privileges and so I do not install
anything
on my ISA Server which is not absolutely CRUCIAL to the survival of my
Firewalling Strategy.
However, I have been considering the option to start logging all ISA
requests to a SQL Database as opposed to flat files which is currently
the
default logging method.
If I was to do this then I would like to keep the ISA Firewall
independant
of any other server and as a result I would need to install SQL Server
onto my ISA Firewall.
What I would like to know is this:
1) Is it at all a good idea to install a product such as SQL Server onto
my ISA Firewall?
2) How robust is ISA when it comes to logging to a SQL Database as
opposed
to the flat files?
3) How will it impact any Server Publishing rules that I have already
created on port 1433 (SQL Server)?
Cheers
William R.
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Exchange Server Resource Site: http://www.msexchange.org/
Windows Security Resource Site: http://www.windowsecurity.com/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx
To unsubscribe send a blank email to
$subst('Email.Unsub')
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Exchange Server Resource Site: http://www.msexchange.org/
Windows Security Resource Site: http://www.windowsecurity.com/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
tshinder@xxxxxxxxxxxxxxxxxx
To unsubscribe send a blank email to
$subst('Email.Unsub')
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Exchange Server Resource Site: http://www.msexchange.org/
Windows Security Resource Site: http://www.windowsecurity.com/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
robertson.william@xxxxxxxxxxxxxx
To unsubscribe send a blank email to
$subst('Email.Unsub')
Other related posts:
