Is it risky to have a database server and a web server on the same machine?

It seems like life would be simple to run the database server on the same machine as the web server, but are we taking a big security risk by doing this?

The environment will be Windows 2008 server, Postgresql (latest version, possibly 9.0 when it comes out) and Apache 2.


Solution 1:

Not necessarily.

Assuming your web server gets compromised, the attacker will still gain the credentials to access the same databases, no matter what server they run on. After all, the database server will still need to be configured to allow legitimate requests from the web server.

(Assuming sensible security measures such as mysqld not accepting password-less root login from localhost.)

That being said, you might still want to run a separate database server. The reason for that being related to performance, scalability, etc.

Solution 2:

I disagree with the posters stating that this isn't a security concern, and here's why:

  • Your front-facing service should have the smallest attack surface possible. This is the primary reason for using reverse proxies and firewalls, and for keeping unnecessary services and programs away from servers that don't require them to operate. This is why web servers are the most common targets for security hardening passes.
  • Your web server should not have god rights to your database system. Therefore compromising the web server does not compromise the database server, as well. For starters, the account the web server uses to access the database shouldn't have local administrative rights to the SQL box, its rights should be confined purely to database permissions. Second, within those SQL permissions it should be operating under the principle of least privilege. Your web box shouldn't be able to instantiate new databases within the instance, for example. Ideally, your web box won't have the ability to drop tables, or delete rows from any tables that it doesn't absolutely have to. So in the event of a compromise in a properly configured 2-tier setup, the impact of an attacker using the SQL credentials is limited in scope.
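The least-privilege database account that Solution 2 describes, written out for the PostgreSQL setup the question mentions. This is an added example, not code from either answer: the database (appdb), role (webapp), tables (orders, audit_log) and sequence (orders_id_seq) are hypothetical names, and the tables are assumed to already exist and be owned by a separate administrative role, not by webapp.

```sql
-- Added example (not from the original answers): a least-privilege
-- PostgreSQL login role for the web tier. Names are hypothetical.
-- Run as a superuser or as the owner of the objects involved.

-- 1. The web tier's login role: no superuser, cannot create databases,
--    cannot create or alter other roles.
CREATE ROLE webapp LOGIN PASSWORD 'change-me'
    NOSUPERUSER NOCREATEDB NOCREATEROLE;

-- 2. Start from zero: remove the implicit rights every role gets through
--    PUBLIC on the database and on the public schema (including CREATE
--    on the schema, which would let webapp create its own tables).
REVOKE ALL ON DATABASE appdb FROM PUBLIC;
REVOKE ALL ON SCHEMA public FROM PUBLIC;

-- 3. Allow connecting and resolving names in the schema, nothing more.
GRANT CONNECT ON DATABASE appdb TO webapp;
GRANT USAGE ON SCHEMA public TO webapp;

-- 4. Table-level rights matched to what the application actually does.
--    Orders are read and updated but never deleted by the web tier;
--    the audit log is append-only from its point of view.
GRANT SELECT, INSERT, UPDATE ON orders TO webapp;
GRANT INSERT ON audit_log TO webapp;
-- Needed so INSERTs into a serial/identity column can draw the next id.
GRANT USAGE ON SEQUENCE orders_id_seq TO webapp;

-- 5. Verify the boundary: DELETE on orders and TRUNCATE/DROP anywhere
--    are not available to the role. Expect f (false) for each.
SELECT has_table_privilege('webapp', 'orders', 'DELETE')    AS can_delete_orders,
       has_table_privilege('webapp', 'orders', 'TRUNCATE')  AS can_truncate_orders,
       has_table_privilege('webapp', 'audit_log', 'SELECT') AS can_read_audit_log;
```

DROP TABLE is not a grantable privilege in PostgreSQL; only the table's owner (or a superuser) can drop it, so keeping webapp out of ownership is what prevents it. With this in place, an attacker who lifts the webapp password from the compromised web server can insert and update orders, but cannot delete them, read or alter the audit log, create objects, or touch other databases. Pair the role with a pg_hba.conf entry that only accepts it from the web tier's address (for example `host appdb webapp 127.0.0.1/32 md5` when both run on one box), so the same credentials are useless from anywhere else.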