SQL2K & IIS5.0 on the same box - best practice


james

I would like to know if there are any issues, from a best practice/security
perspective, with placing SQL2K & IIS5.0 on the same box. The box will host a
small application to be used by intranet users only - no access to the internet.
Thanks
 
I was tasked with something like this several months back. I hardened
the server as if it were just a standard Web server (minimize services,
restrict NTFS, remove unnecessary applications & update patches). I
installed IIS 5 (scripted to change the physical location), ran the IIS
Lockdown utility and installed URLScan 2.5 (customized the URLScan.ini for
our environment). I had a SQL DBA perform a lean install of SQL and the
tweaks their department uses. After the application owner tested and
verified it functioned properly I used IPSec to block UDP & TCP traffic to
1433 & 1434.
It wasn't my choice to put both applications (IIS & SQL) on the same
system, but then again they weren't asking me. At least this was better
than a default install.
Hope it helps.
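
Added example, not part of the original thread: a check an administrator can run from another intranet host to confirm the IPSec filter described above actually blocks TCP and UDP 1433 and 1434 on the combined server. The function names and the command-line usage are assumptions made for this sketch; the UDP probe is the one-byte request type from Microsoft's published MS-SQLR specification.

```python
import socket
import sys

# Ports and protocols the post says were blocked with IPSec.
BLOCKED = [("tcp", 1433), ("tcp", 1434), ("udp", 1433), ("udp", 1434)]

def tcp_reachable(host, port, timeout=2.0):
    """True if a TCP handshake completes, meaning the filter is not in effect."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, or unreachable
        return False

def udp_answers(host, port, timeout=2.0):
    """True if a datagram comes back. Silence means filtered or closed."""
    probe = b"\x03"  # one-byte CLNT_UCAST_EX request from the MS-SQLR spec
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(probe, (host, port))
            s.recvfrom(4096)
            return True
        except OSError:  # timeout or ICMP port unreachable
            return False

def audit(host, checks=BLOCKED, timeout=2.0):
    """Return the (proto, port) pairs still reachable; [] means the block holds."""
    exposed = []
    for proto, port in checks:
        check = tcp_reachable if proto == "tcp" else udp_answers
        if check(host, port, timeout):
            exposed.append((proto, port))
    return exposed

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_sql_ports.py <server>")  # hypothetical script name
    host = sys.argv[1]  # the combined IIS/SQL server
    exposed = audit(host)
    for proto, port in exposed:
        print(f"EXPOSED {proto}/{port} on {host}")
    sys.exit(1 if exposed else 0)
```

Run it from a remote machine, not on the server itself, since the filter applies to traffic arriving over the network.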
 