
How can I create a Windows Firewall rule to allow only one IP address to connect to an MS SQL 2017 Express database on a Windows 2016 server?

Submitted by: @import:stackexchange-dba

Problem

I use an MS SQL 2017 Express database on a Windows 2016 server, and my MS SQL 2017 Express server is now being attacked.

I hope to set a Windows Firewall rule to allow only one IP address (such as 45.23.56.12) to connect to the MS SQL 2017 Express database. How can I do this?

Solution

This seems to be a follow-up question to this. However, the following are the recommended actions in your case, which could give quick relief from the cause:

  • Define a static custom port (other than 1433) for the SQL Server service

  • A service restart is required here, and the custom port number must be explicitly mentioned in the connection string of the application, i.e. (DataSource = DatabaseServerIP,PortNumber)

  • Create a new login with sysadmin permissions

  • Disable the login sa

Also, consider applying the security benchmark recommendations, particularly the sections Surface Area Reduction and Authentication and Authorization.

Most importantly, do not expose the database server to the public network. Usually, only the app server is exposed to the public.


Firewall rule to allow only one IP address (such as 45.23.56.12)

Start Windows Firewall (you can use wf.msc from the Run command) and select the entry related to SQL Server from the Inbound Rules list (if it does not exist, create a new rule).

To Allow specific IP

Right-click the rule → Properties → Scope → in the "Remote IP address" section, select the "These IP addresses" option and add only the IP addresses that need to connect to SQL Server.

To change port numbers

Right-click the rule → Properties → Protocols and Ports → enter the custom port (the one the SQL service is listening on, configured in the steps above) in the Local port section.

Context

StackExchange Database Administrators Q#256155, answer score: 5
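
The Scope and port steps in the answer above can also be scripted; the following PowerShell is an added example, not part of the original answer, using the built-in NetSecurity cmdlets. Because Windows Firewall allow rules are additive, it first lists any other enabled inbound allow rule that would still admit every remote address to the same port or to sqlservr.exe. The port 14330 and the rule name are assumptions; the IP address is the one from the question.

```powershell
# Added example: values below are assumptions, adjust before running (elevated PowerShell).
$SqlPort   = 14330                         # assumed custom static port configured for SQL Server
$AllowedIp = '45.23.56.12'                 # the single permitted client, from the question
$RuleName  = 'SQL Server - single client'  # hypothetical rule name

# Allow rules are additive: any other enabled inbound allow rule that covers
# this port (or sqlservr.exe) with Remote address = Any still admits everyone.
# Rules that list the port only as part of a range are not matched here.
$tooBroad = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object { $_.DisplayName -ne $RuleName } |
    ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        $app  = $_ | Get-NetFirewallApplicationFilter
        $coversPort = ($port.Protocol -in 'TCP', 'Any') -and
                      (@($port.LocalPort) -contains "$SqlPort")
        $coversSql  = $app.Program -like '*\sqlservr.exe'
        if (($coversPort -or $coversSql) -and (@($addr.RemoteAddress) -contains 'Any')) {
            [pscustomobject]@{
                DisplayName = $_.DisplayName
                LocalPort   = $port.LocalPort -join ','
                Program     = $app.Program
            }
        }
    }
if ($tooBroad) {
    Write-Warning 'These rules also admit any remote address; scope or disable them:'
    $tooBroad | Format-Table -AutoSize
}

# Create the scoped rule, or re-scope it if it already exists.
if (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue) {
    Set-NetFirewallRule -DisplayName $RuleName -Protocol TCP `
        -LocalPort $SqlPort -RemoteAddress $AllowedIp
} else {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort $SqlPort -RemoteAddress $AllowedIp -Profile Any | Out-Null
}

# Show the resulting scope for verification.
Get-NetFirewallRule -DisplayName $RuleName | ForEach-Object {
    [pscustomobject]@{
        Rule          = $_.DisplayName
        LocalPort     = ($_ | Get-NetFirewallPortFilter).LocalPort
        RemoteAddress = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
    }
}
```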
