This question got rejected from the SQL Server group, but i'll try here
as it relates to (network)security:

I moving an old SQL Server-backend-IIS5/ASP-fronte*nd application to
servers with windows 2003 standard edition. One server will run the
database the other will run IIS 6.0. Note that i haven't set-up a
domain, which i think requires one machine to be domain controller
which would decrease performance and stuff. I've simply put them on the
same group.

I wan't to restrict access to the sql server so only the incomming
connection from the webserver is allowed. I can use either named
pipes(which should be the fastest protocol) or tcp(which should be
slight slower than named pipes) but I seem to have a problem. If I use
named pipes to connect, the IUSR(the user under which IIS is running)
must have access-rights to IPC$ share on the sql server. I can't seem
to set any access-right directly for IPC$ share, but I can reactivate
my guest user and then it works, but then everyone can now access the
ipc$ share so it's not really what i'm looking for.


I can also connect through TCP( and set up some kind of filter only
allowing incomming connections on port 1433 from the ip of the web
server. But i don't know how to do this. I've taken a look at the IPSec
stuff but it's all about kerberos authentication and other bull which i
don't think i need.

What i need is a simply ip port filter, which does
nothing else but reject incomming connections to sql server on port
1433 originating from any other ip's than my webserver.


My question is how do I do this? Do i need to have a additional
"firewall" service running and, if so, how much extra overhead will
this create for the sql server.

Alternately, is it possible to change the access right for the IPC$
share manually?

Thanks in advance for any input you might have on this?