Profile Applicability:

Level 2

Description

TCP ports 1433 and 1434 are used for Microsoft SQL Server database communications. Allowing unrestricted inbound access to these ports (0.0.0.0/0 for IPv4 or ::/0 for IPv6) exposes SQL Server databases to potential unauthorized access, brute-force attacks, and exploitation. To secure SQL Server instances, ingress to these ports should be restricted to trusted IP ranges only.

Rationale

  • Enhanced Security: Limits exposure of SQL Server databases to unauthorized access attempts.

  • Risk Mitigation: Reduces vulnerability to brute-force attacks and exploits targeting SQL Server.

  • Compliance: Aligns with best practices for database security and regulatory standards.

Impact

Pros:

  • Protects sensitive database data from unauthorized access.

  • Reduces the attack surface for malicious activities.

  • Enhances overall security posture and ensures adherence to compliance requirements.

Cons:

  • May require additional configuration, such as VPN or bastion host for secure database management.

  • Could temporarily disrupt access for users without proper configuration.

Default Value

By default, a security group permits no inbound traffic on these ports; unrestricted access to ports 1433 and 1434 exists only where an ingress rule allowing 0.0.0.0/0 or ::/0 has been added to the group.

Pre-Requisite

IAM Permissions:

  • ec2:DescribeSecurityGroups

  • ec2:RevokeSecurityGroupIngress

  • ec2:AuthorizeSecurityGroupIngress (required for the authorize-security-group-ingress steps in the remediation and backout plans)

Tools:

  • AWS CLI installed and configured.

Remediation

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to the EC2 Dashboard.

  3. Go to the Security Groups tab.

  4. Identify security groups allowing ingress to ports 1433 or 1434 from 0.0.0.0/0 or ::/0.

Using AWS CLI:

Identify Ingress Rules Allowing Public Access (returns the ID and name of each security group that has a rule on port 1433 or 1434 open to 0.0.0.0/0 or ::/0; the backticks are escaped so the shell does not treat them as command substitution, and the port test is parenthesised so the JMESPath && does not bind tighter than the ||):

aws ec2 describe-security-groups --query "SecurityGroups[?IpPermissions[?(FromPort==\`1433\` || FromPort==\`1434\`) && (contains(IpRanges[].CidrIp, '0.0.0.0/0') || contains(Ipv6Ranges[].CidrIpv6, '::/0'))]].[GroupId, GroupName]" --output text

Note that this query matches only rules whose FromPort is exactly 1433 or 1434. Rules that open a port range containing those ports, or all traffic (IpProtocol -1), expose SQL Server just as much and must be reviewed as well.
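The same check as a script, added here as an example that is not part of this benchmark or of any AWS tool: it walks the SecurityGroups list in describe-security-groups shape and, beyond the exact-port match, also flags port ranges that include 1433 or 1434 and all-traffic (IpProtocol "-1") rules, for both IPv4 and IPv6. The sample groups and their IDs are constructed; against a real account, pass boto3's describe_security_groups()["SecurityGroups"] to find_exposed().

```python
from typing import Dict, List

SQL_PORTS = (1433, 1434)
PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}

def rule_covers_port(perm: dict, port: int) -> bool:
    """True if an IpPermissions entry applies to TCP `port`. IpProtocol "-1"
    (all traffic) has no FromPort/ToPort and always matches; otherwise the
    port must lie inside [FromPort, ToPort]."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):  # "6" is the numeric form of tcp
        return False
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    return lo is not None and hi is not None and lo <= port <= hi

def public_sources(perm: dict) -> List[str]:
    """CIDRs in this entry that mean 'anywhere', IPv4 and IPv6."""
    cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in PUBLIC_CIDRS]

def find_exposed(security_groups: List[dict]) -> List[Dict[str, object]]:
    """One finding per (group, SQL port, public CIDR) combination."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            for cidr in public_sources(perm):
                for port in SQL_PORTS:
                    if rule_covers_port(perm, port):
                        findings.append({"GroupId": sg["GroupId"], "Port": port, "Cidr": cidr})
    return findings

# Constructed sample in describe-security-groups shape (not real account data).
SAMPLE_GROUPS = [
    {"GroupId": "sg-0000000000000aaaa", "IpPermissions": [   # exact port, open to IPv4 world
        {"IpProtocol": "tcp", "FromPort": 1433, "ToPort": 1433,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0000000000000bbbb", "IpPermissions": [   # wide range, open to IPv6 world
        {"IpProtocol": "tcp", "FromPort": 1024, "ToPort": 65535,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0000000000000cccc", "IpPermissions": [   # trusted range only: compliant
        {"IpProtocol": "tcp", "FromPort": 1433, "ToPort": 1434,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
]

if __name__ == "__main__":
    for finding in find_exposed(SAMPLE_GROUPS):
        print(finding)
```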

Implementation Steps:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to the EC2 Dashboard.

  3. Go to the Security Groups tab.

  4. Identify security groups with rules allowing ingress to ports 1433 or 1434.

  5. Edit the security groups:

    • Remove the rules allowing ingress from 0.0.0.0/0 or ::/0.

    • Restrict access to trusted IP ranges, or remove the rule entirely if SQL Server access is not required.

  6. Save the changes.

Using AWS CLI:

Revoke Insecure Ingress Rules:

aws ec2 revoke-security-group-ingress --group-id <security-group-id> --protocol tcp --port 1433 --cidr 0.0.0.0/0
aws ec2 revoke-security-group-ingress --group-id <security-group-id> --protocol tcp --port 1434 --cidr 0.0.0.0/0
aws ec2 revoke-security-group-ingress --group-id <security-group-id> --protocol tcp --port 1433 --cidr ::/0
aws ec2 revoke-security-group-ingress --group-id <security-group-id> --protocol tcp --port 1434 --cidr ::/0

Add Secure Rules for Specific IP Ranges (if access is necessary):

aws ec2 authorize-security-group-ingress --group-id <security-group-id> --protocol tcp --port 1433 --cidr <trusted-cidr>
aws ec2 authorize-security-group-ingress --group-id <security-group-id> --protocol tcp --port 1434 --cidr <trusted-cidr>

Backout Plan:

Using AWS Console:

  1. Re-add specific ingress rules as needed for trusted IP ranges.

  2. Monitor and document the access for compliance and security purposes.

Using AWS CLI:

Restore Required Access:

aws ec2 authorize-security-group-ingress --group-id <security-group-id> --protocol tcp --port 1433 --cidr <specific-cidr>
aws ec2 authorize-security-group-ingress --group-id <security-group-id> --protocol tcp --port 1434 --cidr <specific-cidr>

References

CIS Controls

Version | Control ID | Control Description                                                                                        | IG1 | IG2 | IG3
--------|------------|------------------------------------------------------------------------------------------------------------|-----|-----|-----
v8      | 5.3        | Securely Manage Network Infrastructure – Ensure network devices are resilient and fault-tolerant.          |     |     |
v8      | 13.2       | Ensure Secure Network Communication – Implement measures that prevent disruption during network changes.   |     |     |
v7      | 9.1        | Limit Exposure to External Networks – Use techniques like disabling unnecessary ingress rules.             |     |     |