Azure SQL DB-Securing communication on Port 1433 - sql

I am using Azure SQL Server DB and need to connect to it through my local development environment since we do not have local Db setup. I am using Entity Framework and standard connection string to connect over port 1433. This requires port 1433 opened in organizations firewall.
However, the security group in my workplace wants me to ensure that this communication is secured, to protest data exposure, so that they can open the port 1433 for my work.
How do i ensure that? If this is secured by default, then some link that explains it. If not, the steps I can take to make it happen.
Or point me to a question where this is resolved. Thanks a ton!!!

From https://learn.microsoft.com/en-us/azure/sql-database/sql-database-security-overview:
Important
All connections to Azure SQL Database require encryption (SSL/TLS) at all times while data is "in transit" to and from the database. In your application's connection string, you must specify parameters to encrypt the connection and not to trust the server certificate (this is done for you if you copy your connection string out of the Azure Classic Portal), otherwise the connection will not verify the identity of the server and will be susceptible to "man-in-the-middle" attacks. For the ADO.NET driver, for instance, these connection string parameters are Encrypt=True and TrustServerCertificate=False.

Related

How can I identify what is blocking port 1433?

I like to consider myself a fairly smart individual with the superb ability to "Google" things. However, I am running into an issue that is driving me insane.
I am trying to connect to a Microsoft Azure SQL Server from my Alienware Laptop running Windows 10, over 5Ghz WiFi. It seems that something is blocking port 1433 (according to many Google results). Unfortunately, I have opened this port on my Nighthawk router, through Windows' Firewall (wf.msc) via inbound rule, and finally I have enabled port 1433 in Bitdefender for all applications. I still cannot connect to the SQL instance through SSMS (even tried DBeaver). I am getting TCP rejection messages "forcibly closed by remote host"
Here is the kicker. I can access my database on the same device through a vb.net application (though I believe this is a different port). The bottom line is, I know the credentials, I am the admin, but I cannot get port 1433 truly open.
What other steps can I try to remedy this situation? Any and all help will be appropriately credited.
You should open the port 1433 for outbound traffic from your local network instead of the inbound, also make sure you have added your client public IP address in your Azure SQL server firewall via the Azure Portal.
The full troubleshooting steps as below:
Ensure you have the appropriate ports open outbound from your local network or connection (typically port 1433)
Create a server-level firewall rule for your SQL database using the Azure portal.
Ensure you are using the correct server name and username for SSMS, the server name should be something like this: mynewserver20170313.database.windows.net.
Ensure you are using SQL Server Authentication
For SSMS the username format is username#servername
Ref: Use SQL Server Management Studio to connect and query data

Accessing SQL server DB of my local server over internet

My client is using my SQL Sever application, sever installed on one of his local computers, dbs are being accessed using
connectionString="Data Source=Office1-MAIN-PC\EziBilling;Initial Catalog=dbBilling;User ID=sa"
By now everything is fine, now he demands to access the databases attached to local server, through internet too.
I am planning to create a client application that could connect to the server instance over internet. BUT I do not know what connection string I should use.
Also, how can I get the IP address of the server (do not have static IP)?
Thanks
1433 is the port, in this example.
The port must be free on the firewall, and you need to enable port forwarding (TCP) in the router, and SQL server must allow remote connections (and be enabled for the TCP protocol)
Data Source=190.190.200.100,1433;Network Library=DBMSSOCN;
Initial Catalog=myDataBase;User ID=myUsername;Password=myPassword;

SQL Azure deployment security concerns

We are developing an application that uses a Windows Azure cloud service, and a SQL Azure database. We have an ASP .NET MVC project that uses database-first to create the entities in our Visual Studio solution. Now we need to deploy the database schema to Azure.
Currently this is not possible because our network blocks outbound access on port 1433, which is the only port SQL Azure is available on. We have asked our security team for permission to open port 1433 outbound, but they have some concerns:
There is unencrypted database traffic (port 1433) allowed at Microsoft's firewall over the internet for Azure. Although there is no sensitive information in the database, management credentials are probably in clear text if database credentials are not encrypted and can lead to defacement risks.
What network ports are opened at the internet firewall for access to the system hosting the website and database?
I believe the concern in the first question is that credentials for managing the Azure DB will be sent over on port 1433 unencrypted during deployment. For the second one, I think the answer is that we can configure endpoints to open whatever ports we want for our cloud service, but they are closed by default.
I did some research, but was unable to find any definitive answers on these questions from Microsoft, which makes me think we are asking the wrong questions. I would be interested in insight from anyone with more experience in this than I have.
SQL Azure only accepts encrypted (SSL) communication per the Security Guidelines and Limitations (Windows Azure SQL Database) article here: http://msdn.microsoft.com/en-us/library/windowsazure/ff394108.aspx
Encryption and Certificate Validation All communications between
Windows Azure SQL Database and your application require encryption
(SSL) at all times. If your client application does not validate
certificates upon connection, your connection to Windows Azure SQL
Database is susceptible to "man in the middle" attacks. To validate
certificates with application code or tools, explicitly request an
encrypted connection and do not trust the server certificates. If your
application code or tools do not request an encrypted connection, they
will still receive encrypted connections. However, they may not
validate the server certificates and thus will be susceptible to "man
in the middle" attacks. To validate certificates with ADO.NET
application code, set Encrypt=True and TrustServerCertificate=False in
the database connection string. For more information, see How to:
Connect to Windows Azure SQL Database Using ADO.NET. SQL Server
Management Studio also supports certificate validation. In the Connect
to Server dialog box, click Encrypt connection on the Connection
Properties tab. SQL Server Management Studio does not support Windows
Azure SQL Database in versions prior to SQL Server 2008 R2.
SQL Azure uses 1433 and 8443. The port requirements for Azure are available here: http://msdn.microsoft.com/en-us/library/windowsazure/jj136814.aspx
If you want to limit firewall traffic to and from specific IP addresses, the Azure datacenter IP ranges are available here: http://msdn.microsoft.com/en-us/library/windowsazure/dn175718.aspx
Some options (in addition to DarrelNorton's answer):
- you can use a dedicated SQL Server VM, then you can use port forwarding and the port issue is not a problem and you have additional firewall options and additional security software you can instal
- dedicated SQL VM allows you to take advantage of TDE (Trans. Data Encryption) in SQL Server or you can do more advanced encryption techniques that are not available in SQL Azure DB
- Dedicated SQL VM you are isolated from other MSFT clients. If you get hacked, you can re provision the VM from scripts
- you can use a Virtual Network connection between the MSFT data center and your local network if you are concerned about security (the VPN is encrypted)

Cannot connect to Azure SQL database, even with whitelisted IP

I am currently unable to connect to my Azure SQL database from a separate remote standalone dedicated box in a private datacenter.
I have an Azure SQL database where I manage the list of IP addresses that can connect to this database. This has worked perfectly until now. I have recently set-up a new dedicated box in a private datacenter that needs to query the Azure SQL database at regular 5 second intervals, give or take.
The problem is, this dedicated box cannot establish a connection to the Azure SQL database, despite being able to connect to other remote FTP servers, MySQL servers, etc. The Azure SQL database does have the IP address of the dedicated box on the allowed connection list. Furthermore, I temporarily opened up a massive range of allowed IP addresses (0.0.0.0 -> 255.255.255.255) on the Azure SQL database to see whether this inability to connect may have resulted from IP blocking.
Does anyone have any suggestions or thoughts on what might be causing this and how I could begin debugging the situation better?
To clarify: I can connect to the Azure SQL database from laptops with individual IP addresses in my office and elsewhere, so long as they have been added to the database whitelist; I can make outward connections to remote FTP and MySQL servers from the dedicated box; I have tried to open-up a massive range of allowed IP addresses on Azure SQL with no luck.
Edit
C:\Users\graphite.rack.ID17157>osql -S v7o06blktw.database.windows.net -U XXXXXXX#v7o06blktw -P XXXXXXX
[SQL Server Native Client 11.0] Named Pipes Provider: Could not open a
connection to SQL Server [53].
[SQL Server Native Client 11.0] Login timeout expired
[SQL Server Native Client 11.0] A network-related or instance-specific error
has occurred while establishing a connection to SQL Server. Server is not
found or not accessible. Check if instance name is correct and if SQL Server
is configured to allow remote connections. For more information see SQL Server
Books Online.
To summarize.
Windows Azure SQL Database (formerly known as SQL Azure) works exclusively and only on TCP port 1433. It only support SQL Server Authentication, TCP connection and TDS protocol as of today.
In order to successfully establish connection to SQL Azure one must fulfil the following requirements:
Create SQL Azure server & Database
Setup SQL Azure Server's firewall rules to accept connections from the IP address of application that will connect to that server
Make sure the box (be it Virtual, or home, or whatever) has no blocking outbound TCP port 1433
Explicitly force encryption in connection string
Explicitly chose to not trust server certificate in connection string
Please note that many (if not all) ISPs (Internet Service Providers) and Hosters, as well as IT staff within companies DO block outgoing TCP Port 1433 due to the SQL Slammer worm. This outgoing port blocking appears to be one of the most faced issues of newcommers to SQL Azure.
UPDATE Nov. 2015
As of August 2015, there is preview feature that enables you to use Azure AD to authenticate to Azure SQL Database. You can read more on this new preview feature here: https://azure.microsoft.com/en-us/documentation/articles/sql-database-aad-authentication/
If you're using corporate network for internet access and facing this problem,
a simple way around this is to use your phone's mobile hotspot for internet access instead.
Be sure to disable your ethernet connection too, which may also be connected to the internet.
Spent hours on this issue. The fix for me was finally found to be my setting on the Xfinity firewall. I had it set to high. Once I changed the setting to low security, I could connect to the Azure sql database with no issues.

SQL express deployment on multiuser?

I am developing a application for a small user group and decided to use sql express.
So the design as normal is sql express will be hosted in one machine(as server machine) and users client app will connect to sql-express host machine for accessing db.
Now the problem is remote clients are not able to connect the db, but host machine can access the db. Can someone please help if you have tried this before ??
Connection string used is as below, do we need to change the connection string ?
Data Source=Hostname\SQLExpress;Integrated Security=true; AttachDbFilename=|DataDirectory|\mydb.mdf;User Instance=true;
Note: Users are not domain connected they are LAN connected.
The database service is probably not setup to listen on TCP port 1433 by default for security reasons. You need to use the configuration utility to enable remote access. You also need to make sure that port is not being blocked by a firewall. These instructions for SQL Server 2005 are useful.
If the users are not running under a domain account I believe you will have issues with authentication. You may want to add them to a domain, or enable SQL Server (password) authentication. After enabling this you can specify a username and password via the connection string. You need to make sure that the user exists and has access to the appropriate tables, views, or stored procedures.
By default, SQL Server does not permit remote connections. You need to change this via the Server Configuration Manager in the Start Menu.