Monday, March 26, 2012

Named Pipe and Clustering

Hi,
I need to disable named pipes in a SQL Cluster environment (Windows 2000 and
SQL 2000 latest SP). Here is the scenario:
Our security policy requires me to secure my production SQL Server (Virtual
SQL Cluster name=SQL01) by disabling any access to SQL Server except access
from application server. I implemented this security in UAT (Non clustered )
by creating an IPSEC filter and disabling Named Pipes on SQL Server. In one
IPSEC filter, All IP Traffic to port 1433 is blocked. In another filter,
traffic from application server IP Address is permitted. This configuration
worked fine in UAT.
When I promoted the same IPSEC policy to production (both nodes
active-passive), I noticed that I can't disable Named Pipes in cluster
environment. Is there any work around this?
Can I change default pipe for Named Pipe in order to block SQL connections
coming from default pipe?
Do you have any better suggestion to secure SQL Server?
ThanksThis was an update in sp3 that was not well documented. After installing
sp3, you can't remove Named Pipes on a Cluster. If Named Pipes was
previously removed (prior to sp3) , then it will not add it back.
We experienced numerous customer problems where the server would not come
online, and it was only listening on tcp. Here's the full reference in the
kb.
831127 Named Pipes Support Cannot Be Removed on a Virtual Server That Is
http://support.microsoft.com/?id=831127
My recommendation would be to use ISA server and publish the SQL Server.
This will allow you to only publish the TCP netlib.
Thanks,
Kevin McDonnell
Microsoft Corporation
This posting is provided AS IS with no warranties, and confers no rights.

No comments:

Post a Comment