SQL Server 2008 R2 Security – Securing an Internet Database Connection

Tags: security, sql-server-2008-r2, ssl

I am looking to set up a website and database that are connected via the internet, and am looking to secure the connection. The connection will probably not be over a VPN, so it shall be openly exposed.

From the research I have done, I see that you can use SSL and IPSec. The user I am setting up will only have public, db_datareader and db_datawriter roles. The password will be set to expire every set period of time.

Is there anything else I should be aware of to ensure a secure connection from my website to database?

Best Answer

  1. Your DB should probably not be publicly accessible, unless it really has to be. You can make the DB accessible only to localhost, which would allow your web server to talk to it, and you can use it over SSH or Remote Desktop or what have you.

  2. You'll want to watch out for brute-force attempts on your logins. I'm not sure what the Windows equivalent of Fail2Ban is, but you'll want something like that.

  3. Shut off any unneeded db services, see what ports are open, use a firewall to block any ports other than the ones you definitely need.

  4. Have your access logs recorded to another computer with a write-only connection, so that if someone does break in, you still have logs.
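The following T-SQL puts the question's own login setup (db_datareader, db_datawriter, password expiry) and the answer's point 2 (watching for brute-force logins) into runnable form. It is an added example, not code from the question or the answer; the login, user and database names (WebAppLogin, WebAppUser, WebAppDb), the placeholder password and the failure threshold of 20 are assumptions.

```sql
-- Added example, not part of the original Q&A. Names below are assumptions.
USE master;
GO

-- 1. Least-privilege SQL login for the web application.
--    CHECK_POLICY = ON applies the Windows password complexity and account
--    lockout policy to this SQL login, so repeated bad passwords lock it out
--    (the server-side equivalent of what Fail2Ban does on Linux).
--    CHECK_EXPIRATION = ON makes the password expire per the Windows policy,
--    which is the expiry the question describes.
CREATE LOGIN WebAppLogin
    WITH PASSWORD = N'<replace-with-a-long-random-password>',
         CHECK_POLICY = ON,
         CHECK_EXPIRATION = ON,
         DEFAULT_DATABASE = WebAppDb;
GO

-- 2. Database user that only gets the two fixed roles from the question,
--    so even a leaked credential cannot alter schema or grant rights.
USE WebAppDb;
GO
CREATE USER WebAppUser FOR LOGIN WebAppLogin;
EXEC sp_addrolemember N'db_datareader', N'WebAppUser';
EXEC sp_addrolemember N'db_datawriter', N'WebAppUser';
GO

-- 3. Check that the web server's live connections are actually encrypted.
--    encrypt_option must be TRUE for every row; a FALSE row means the client
--    connected in cleartext despite the SSL setup.
SELECT s.login_name, c.client_net_address, c.encrypt_option, c.auth_scheme
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions AS s ON s.session_id = c.session_id
WHERE s.login_name = N'WebAppLogin';
GO

-- 4. Brute-force watch: count failed logins per source address from the
--    current SQL Server error log (log 0, type 1 = SQL Server log).
--    'Login failed' lines are written when failed-login auditing is on,
--    which is the default. Output columns of xp_readerrorlog are
--    LogDate, ProcessInfo and Text.
CREATE TABLE #errlog (
    LogDate     datetime,
    ProcessInfo nvarchar(64),
    [Text]      nvarchar(max)
);
INSERT INTO #errlog EXEC xp_readerrorlog 0, 1, N'Login failed';

-- The message ends in '[CLIENT: <ip>]'; '[CLIENT: ' is 9 characters long.
SELECT client,
       COUNT(*)     AS failures,
       MIN(LogDate) AS first_seen,
       MAX(LogDate) AS last_seen
FROM (
    SELECT LogDate,
           SUBSTRING([Text],
                     CHARINDEX(N'[CLIENT: ', [Text]) + 9,
                     CHARINDEX(N']', [Text], CHARINDEX(N'[CLIENT: ', [Text]))
                       - CHARINDEX(N'[CLIENT: ', [Text]) - 9) AS client
    FROM #errlog
    WHERE [Text] LIKE N'%[[]CLIENT: %'
) AS f
GROUP BY client
HAVING COUNT(*) >= 20          -- assumed alert threshold
ORDER BY failures DESC;

DROP TABLE #errlog;
GO
```

Run step 4 on a schedule (a SQL Agent job is enough) and feed the result to whatever alerting you have; addresses other than the web server's with a high failure count are the brute-force attempts the answer warns about, and a firewall rule limiting port 1433 to the web server's address (answer point 3) is what keeps that list short in the first place. On the client side, the encryption check in step 3 only passes if the connection string asks for it, e.g. `Encrypt=True;TrustServerCertificate=False` for SqlClient, so that the web server also validates the server certificate rather than accepting any.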