---
title: Inbound MSSQL access should be restricted
description: Datadog, the leading service for cloud-scale monitoring.
---

# Inbound MSSQL access should be restricted
 
## Description{% #description %}

Reduce the probability of a breach by checking [EC2 security groups](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html) for inbound rules that allow unfettered access to TCP port 1433 (used by Microsoft SQL Server), and restrict access to only the IP addresses that require this port.

## Rationale{% #rationale %}

Permitting unfettered access to this port can lead to malicious activity, such as denial-of-service (DoS) attacks and hacking.

## Remediation{% #remediation %}

### From the console{% #from-the-console %}

Follow the [Security group rules](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules) docs to learn how to add a security group rule that will restrict access to a specific port.

### From the command line{% #from-the-command-line %}

1. Run `revoke-security-group-ingress` to [remove inbound rules](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html) that allow unrestricted access to port 1433.

   In the `revoke-security-group-ingress.sh` file:

   ```bash
   # --cidr must match the CIDR of the inbound rule being removed.
   # For a security group in a nondefault VPC, use --group-id instead of --group-name.
   aws ec2 revoke-security-group-ingress \
       --group-name group-name \
       --protocol tcp \
       --port 1433 \
       --cidr 192.0.2.0/24
   ```

2. Run `authorize-security-group-ingress` to [add new inbound rules](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html) that restrict port 1433 access.

   In the `authorize-security-group-ingress.sh` file:

   ```bash
   # Replace 192.0.2.0/24 with the address range that requires access to port 1433.
   # For a security group in a nondefault VPC, use --group-id instead of --group-name.
   aws ec2 authorize-security-group-ingress \
       --group-name your-group-name \
       --protocol tcp \
       --port 1433 \
       --cidr 192.0.2.0/24
   ```
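
To find affected groups before remediation, or to confirm the result afterwards, the following added example (not Datadog's rule logic or code from this page) scans the JSON printed by `aws ec2 describe-security-groups` for inbound rules that leave TCP 1433 open to any address. It goes beyond the exact-port case to cover port ranges that include 1433, all-traffic rules, and IPv6; the function names and the sample data are assumptions constructed for illustration.

```python
import json

MSSQL_PORT = 1433
OPEN_CIDRS = {"0.0.0.0/0", "::/0"}  # "anywhere" for IPv4 and IPv6


def covers_mssql(perm):
    """True if the permission applies to TCP 1433, directly or via a range."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # all protocols and ports; FromPort/ToPort are absent
        return True
    if proto != "tcp":
        return False
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    return lo is not None and hi is not None and lo <= MSSQL_PORT <= hi


def find_open_mssql(describe_output):
    """Return (group_id, cidr) pairs that expose TCP 1433 to any address."""
    findings = []
    for group in describe_output.get("SecurityGroups", []):
        for perm in group.get("IpPermissions", []):
            if not covers_mssql(perm):
                continue
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            findings += [(group["GroupId"], c) for c in cidrs if c in OPEN_CIDRS]
    return findings


# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
SAMPLE = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-0000000000000000a", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 1433, "ToPort": 1433,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
  {"GroupId": "sg-0000000000000000b", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 1000, "ToPort": 2000,
     "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
  {"GroupId": "sg-0000000000000000c", "IpPermissions": [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
  {"GroupId": "sg-0000000000000000d", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 1433, "ToPort": 1433,
     "IpRanges": [{"CidrIp": "192.0.2.0/24"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
]}
""")

if __name__ == "__main__":
    for group_id, cidr in find_open_mssql(SAMPLE):
        print(f"{group_id}: TCP {MSSQL_PORT} open to {cidr}")
```

An empty result after remediation means no remaining rule in the scanned output exposes port 1433 to `0.0.0.0/0` or `::/0`.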
