Restricting connections? Always :-).

That's one of the most universally true statements ever:

* Restricting connections to HTTP server port 80 and port 443 to a specific network is webadmin 101.

* Restricting connections to DNS server port 53 to a specific network is hostmaster 101.

And so on! Let's call this Mordac's Rule.

Not allowing the end users to access a DBMS at all, or only indirectly via a front-end application or web UI can be supported by the following arguments:

* Not providing a service is an excellent security idea. The disconnected computer is more "secure", and the powered off one is even more "secure".

* Providing a service via a front-end is much more "secure" than providing it via the base tool itself: because experience shows dramatically how much more "secure" PHP/... based application or web UI front-ends are than their DBMS back-ends.

* Regardless of the above points, insisting that all DBMS instance access be via front-ends and then only allowing those front-ends to connect to DBMS instances means delegating accountability for security issues to the front-end owners, and can be a career-security enhancing measure too for the DBMS owners, not merely enhancing overall system security by protecting a weak DBMS with a strong front-end.

:-) :-) :-)