Hiding SQL Server

If you're running SQL Server in an environment where you don't want computers to access it, you must hide the instance from network discovery. Contributor Serdar Yegulalp outlines two ways to hide your SQL Servers.

Windows servers "announce" their presence on local networks via NetBIOS by default, so any other computer configured with a domain browser (essentially the Computer Browser service) can see a server without knowing its IP address. If you're running SQL Server in an environment where you don't want people stumbling across the server and trying to access it, you should hide SQL Server as a precaution.

You have basically two options for hiding an instance of SQL Server from network discovery:

  • Turn off the whole computer's NetBIOS enumeration using the NET CONFIG SERVER command.
  • Disable SQL Server from acknowledging requests for enumeration via TCP/IP.

The NET CONFIG SERVER command removes the entire computer from the network browser list, not just an instance of SQL Server on that computer. If you type NET CONFIG SERVER /HIDDEN:YES at the command line for the server in question, the server will stop broadcasting announcements into the domain and it will eventually disappear from the Network Neighborhood of other computers in the domain. This is a good preventative measure if a SQL Server machine lives in a hosting center where it shares a network segment with other computers and you don't want it to advertise its presence to others. [Note: It will still be directly accessible if you know its TCP/IP address or its NetBIOS machine name.]

The second approach works only if SQL Server is accessed via TCP/IP (it will not work for named pipes). If you run the SQL Server Network Utility, place TCP/IP in the "Enabled Protocols" list and click Properties. The pane that comes up will feature a checkbox labeled "Hide server." When that option is enabled, SQL Server will no longer respond to attempts to enumerate its presence via TCP/IP. This means, for instance, that if you run the Query Analyzer, the server name will not appear in the drop-down list of available servers.

One drawback of hiding SQL Server over TCP/IP arises when you run multiple instances of SQL Server on the same computer. The first instance to be brought online will bind to port 2433 (SQL Server's default listening port); the others will not be able to bind a port and will log an error.
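To verify both settings after applying them, here is an added PowerShell audit script (it is not part of the original article). It assumes that NET CONFIG SERVER /HIDDEN:YES is recorded as the Hidden value under the LanmanServer Parameters key, and that the SQL Server 2000 "Hide server" checkbox and TCP port are stored as the TcpHideFlag and TcpPort values under each instance's SuperSocketNetLib\Tcp key; those value names and key paths are assumptions to check against your own build.

```powershell
# Added audit script, not from the article. Registry paths and value names below are assumptions:
#   HKLM\SOFTWARE\Microsoft\MSSQLServer\MSSQLServer\SuperSocketNetLib\Tcp            (default instance)
#   HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\<name>\MSSQLServer\SuperSocketNetLib\Tcp (named instance)
# with DWORD TcpHideFlag (1 = "Hide server" checked) and TcpPort (listening port).

function Get-ServerBrowserHidden {
    # NET CONFIG SERVER /HIDDEN:YES sets LanmanServer's Hidden parameter to 1 (assumed location)
    $p = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $v = (Get-ItemProperty -Path $p -Name Hidden -ErrorAction SilentlyContinue).Hidden
    return ($v -eq 1)
}

function Get-SqlTcpHideState {
    # Collect the Tcp key for the default instance plus every named instance found
    $keys = @([pscustomobject]@{ Instance = 'MSSQLSERVER'
               Key = 'HKLM:\SOFTWARE\Microsoft\MSSQLServer\MSSQLServer\SuperSocketNetLib\Tcp' })
    $named = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server'
    if (Test-Path $named) {
        foreach ($inst in Get-ChildItem -Path $named -ErrorAction SilentlyContinue) {
            $k = Join-Path -Path $inst.PSPath -ChildPath 'MSSQLServer\SuperSocketNetLib\Tcp'
            if (Test-Path $k) { $keys += [pscustomobject]@{ Instance = $inst.PSChildName; Key = $k } }
        }
    }
    foreach ($entry in $keys) {
        if (-not (Test-Path $entry.Key)) { continue }
        $props = Get-ItemProperty -Path $entry.Key
        [pscustomobject]@{
            Instance = $entry.Instance
            Hidden   = ($props.TcpHideFlag -eq 1)   # assumed value name for the "Hide server" checkbox
            TcpPort  = $props.TcpPort               # assumed value name for the listening port
        }
    }
}

# Report: is the whole computer hidden from the browser list, and which instances hide over TCP/IP?
Write-Host ("Computer hidden from browser list (NET CONFIG SERVER /HIDDEN): {0}" -f (Get-ServerBrowserHidden))
$instances = @(Get-SqlTcpHideState)
$instances | Format-Table -AutoSize
# The drawback described above: hidden instances all try to bind the same port, so only one can start
if (@($instances | Where-Object { $_.Hidden }).Count -gt 1) {
    Write-Warning 'More than one instance has "Hide server" set; all but the first to start will fail to bind its port.'
}
```

Run it in an elevated session on the SQL Server host; an empty table means no instance key matched the assumed layout, not that no instance is installed.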

About the author: Serdar Yegulalp is the editor of the Windows 2000 Power Users Newsletter. Check out his Windows 2000 blog for his latest advice and musings on the world of Windows network administrators – please share your thoughts as well!
