Surface Area Configuration and other security tools in SQL Server 2005

The Surface Area Configuration (SAC) tool provides feature-level control of installed components. It also provides the capability to turn certain services on and off. Capabilities of the SAC tool are broad and worth understanding. For instance, I noticed I could turn remote access to a server instance on and off (that is, use TCP/IP or named pipes), but I couldn't configure the IP address or pipe. The real purpose of the SAC tool is to provide an easy means for reducing the hacking surface area for local instances of SQL Server. SAC does not work across the network.

The SAC tool has some interesting limitations. For instance, SQL Server 2005 no longer automatically listens on port 1434. In fact, it doesn't listen at all. You need to turn on the SQL Browser Service, which acts as a middleman for resolving client connection requests to the server. SQL Browser Service only provides name/port resolution. Looking back to SQL Server 2000, it was the automatic listen that gave the SQL Slammer worm its life. Now, SQL Server is deaf until you allow it to hear.

But there's more to consider. You've turned on SQL Browser, and you've turned on TCP/IP. But your company doesn't allow random IP usage (you've been assigned an IP address), so how do you supply that information to SQL Server? By using the new SQL Server Security Configuration Manager tool! A number of ports are used by SQL Server and its other components by default.

Table 1 lists reported ports for SQL Server 2005. You can

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT SQL Server Security Setting up SQL Server Service Broker for secure communication The keys to database backup protection for SQL Server Understanding transparent data encryption in SQL Server 2008 The fine line between not encrypting your databases and breach notification Securing SQL Server with access control, login monitoring and DDL triggers SQL Server security: Controlling access via database roles Implementing security audit in SQL Server 2008 New security features in SQL Server 2008 leave some work for you Can I encrypt and restore a database backup in SQL Server 2005? FAQ: How to troubleshoot and grant SQL Server permissions Microsoft SQL Server 2005 (Yukon) SQL Server Reporting Services Fast Guide SQL Server Service Broker Tutorial and Reference Guide Tips for tuning SQL Server 2005 to improve reporting performance SQL Server consolidation: Why it's an optimization technique Parent-child dimensions in SQL Server 2005 with Analysis Services MDX Enforcing data integrity in a SQL Server database SSIS error message due to installation problem on SQL Server 2005 Should you upgrade to SQL Server 2005 or SQL Server 2008? Basics for working with DATETIME and SMALLDATETIME in SQL Server 2005 How to configure Database Mail in SQL Server 2005 to send mail Microsoft SQL Server 2005 (Yukon) Research Microsoft SQL Server Tools and Utilities Setting up SQL Server Service Broker for secure communication Microsoft SQL Server 2008 Resource Governor primer The sqlcmd utility in SQL Server Performance analysis tools for SQL Server Securing IIS and SQL Server as part of an online platform Learning Guide: SQL Server tools View SQL Server transaction logs using DBCC Running analytical queries with Analysis Services Fast Guide: Free SQL Server tools SQL Server freebie: PromptSQL for word completion

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary data corruption  (SearchSQLServer.com) data hiding  (SearchSQLServer.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

check out http://www.iana.org/assignments/port-numbers to learn about what applications open ports. By default, these ports are closed and are unavailable until you explicitly enable them.

Table 1

Ports Used by SQL Server

[TABLE]

If the TCP/IP protocol is enabled when an instance of SQL Server starts, the server is assigned a TCP/IP port. You can change that port. If the named pipes protocol is enabled, SQL Server listens on a specific named pipe. This port, or pipe, is used by that specific instance to exchange data with client applications. During installation, TCP port 1433 and pipe \sql\query are assigned to the default instance, but those can be changed later by the server administrator using SQL Server Configuration Manager. Since only one instance of SQL Server can use a port or pipe, different port numbers and pipe names are assigned for named instances. By design, when named instances are configured to use dynamic ports, an available port is assigned when SQL Server starts. You can assign a specific port to a SQL Server instance if you wish.

At start time, SQL Browser starts and claims UDP port 1434. SQL Browser reads the registry, identifies all SQL Server instances on the computer and notes which ports and named pipes they use. When a server has two or more network cards, SQL Browser returns the first enabled port it encounters for SQL Server. SQL Server 2005 and SQL Browser support IPv6 and IPv4. When SQL Server 2005 clients request SQL Server resources, the client network library sends a UDP message to the server using port 1434. SQL Browser responds with the TCP/IP port or named pipe of the requested instance. The network library on the client application then completes the connection by sending a request to the server using the port or named pipe of the desired instance.

SQL Server Configuration Manager

The SQL Server Configuration Manager tool provides detailed control over the services and network protocols used by SQL Server 2005. It does not cover SQL Server 2000, except on upgrade, when SQL Server 2005 simply moves over the old settings. By design, an upgraded system has the same network listening capability as before the application upgrade. The SQL Server Configuration Manager is an MMC snap-in application. It consolidates the SQL Server 2000 Network Service utility and services utility into one application. Within the SQL Server Configuration Manager, you can explicitly change ports and IP addresses, create and destroy aliases for servers, enable and disable protocols and more. From the services perspective, the SQL Server Configuration Manager provides access to start and stop services, to change logon credentials, and to peer into the registry settings for the services.

About the author: Eric Brown is a senior consultant in the Business Intelligence national practice for Quilogy Inc. He works on emerging technologies and of course SQL Server 2005 and is the author of SQL Server 2005 Distilled (Microsoft Windows Server). Brown's professional computing career began in earnest in 1996 when he started at Multiple Zones International as a product manager. While there he realized the next big wave would be e-commerce and he raced to get a job at a dot-com. After working for three such companies, his acumen for databases and passion for technology landed him on the SQL Server Product Team at Microsoft, for which he ran Yukon readiness during his three-year stint. Eric eventually left to take a sabbatical and pursue other interests, like getting back to his e-commerce roots and writing a book about SQL Server 2005, due out in March 2006. He has presented at Microsoft TechEd and he has written several papers as well as a column in SQL Server Magazine.

More on SearchSQLServer.com