Network World
Saturday, November 22, 2008

Author Expert: Ross Mistry

Microsoft Subnet


Best Practices for Hardening a SQL Server 2005 Implementation

When working with my customers on SQL Server security, I constantly get the same question: "What are some best practices for hardening my SQL Server implementation?" Over the years, I have come up with specific recommendations based on industry best practices and my own experience. The following is a summary of best practices for hardening a SQL Server environment:

  • Install the most recent critical fixes and service packs for both Windows and SQL Server. As of this writing, the current service pack for SQL Server 2005 is Service Pack 2, and for Windows Server 2003 it is Service Pack 2.
  • When choosing an authentication mode, Windows Authentication is the more secure choice. If mixed mode authentication is required, use complex passwords and enforce the SQL Server 2005 password and lockout policies (CHECK_POLICY and CHECK_EXPIRATION) on every SQL login.
  • Do not use the SA account for day-to-day administration, for remote logons, or as the account applications use to connect to SQL Server. Give it a strong password, then rename and disable it.
  • Create a role-based security policy for the Windows host with the Security Configuration Wizard (SCW) tool.
  • After SQL Server 2005 is installed, run SQL Server Configuration Manager and the SQL Server Surface Area Configuration tool to disable unnecessary protocols, services and features (for example xp_cmdshell, OLE Automation and ad hoc distributed queries).
  • Install only the required components when installing SQL Server.
  • After the server has been hardened, periodically assess its security with the Microsoft Baseline Security Analyzer (MBSA) and the SQL Server 2005 Best Practices Analyzer.
  • Either hide the instance or disable the SQL Server Browser service on production SQL Servers hosting mission-critical databases. Clients connecting to a named instance must then specify the port explicitly.
  • Change the default port (TCP 1433) associated with the SQL Server installation so the instance does not show up in routine port scans. This only slows an attacker down and is no substitute for a firewall.
  • Enable a firewall that allows the SQL Server ports only from the hosts that need them and drops unnecessary and unknown traffic.
  • At the very least, set login auditing to capture failed login attempts; ideally, capture both failed and successful logins and monitor the log.
  • Remove the BUILTIN\Administrators group from the SQL Server logins, after granting sysadmin to a dedicated DBA group so you do not lock yourself out.
  • If IIS is installed on the server (for example for Reporting Services), harden it with the IIS Lockdown and URLScan tools.
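The instance-level items in the list above (SA, mixed-mode password policy, surface area, login auditing, BUILTIN\Administrators) can be applied and verified from T-SQL. The script below is an added example written for SQL Server 2005, not code from the original post; run it as a sysadmin from Management Studio or sqlcmd. The names CONTOSO\SQLAdmins, AppSvc and sa_disabled, and the password placeholders, are assumptions for illustration. Service packs, the Browser service, the TCP port, the firewall and the IIS tools are handled outside T-SQL (WSUS, SQL Server Configuration Manager and Windows Firewall).

```sql
-- Added example (not from the original post): T-SQL hardening pass for
-- SQL Server 2005. Login and group names and the password placeholders
-- are assumptions; replace them before use.
USE master;
GO

-- 0. Before dropping BUILTIN\Administrators, make sure a dedicated Windows
--    group for DBAs already holds sysadmin, or you lock yourself out.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'CONTOSO\SQLAdmins')
    CREATE LOGIN [CONTOSO\SQLAdmins] FROM WINDOWS;
EXEC sp_addsrvrolemember @loginame = N'CONTOSO\SQLAdmins', @rolename = N'sysadmin';
GO

-- 1. SA: strong password, then rename and disable it. Renaming defeats tools
--    that assume the login is called "sa"; disabling makes the password
--    irrelevant even if it leaks.
ALTER LOGIN sa WITH PASSWORD = N'<long random passphrase>';   -- placeholder
ALTER LOGIN sa WITH NAME = [sa_disabled];                      -- assumed new name
ALTER LOGIN [sa_disabled] DISABLE;
GO

-- 2. Mixed mode: any SQL login an application uses must honour the Windows
--    password/lockout policy (CHECK_POLICY) and expiry (CHECK_EXPIRATION).
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'AppSvc')
    CREATE LOGIN [AppSvc] WITH PASSWORD = N'<long random passphrase>',  -- placeholder
                               CHECK_POLICY = ON, CHECK_EXPIRATION = ON;
GO

-- 3. Surface area: turn off features the workload does not need.
--    RECONFIGURE at the end applies every pending sp_configure change.
EXEC sp_configure 'show advanced options', 1;  RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
EXEC sp_configure 'Ole Automation Procedures', 0;
EXEC sp_configure 'Ad Hoc Distributed Queries', 0;
EXEC sp_configure 'remote access', 0;          -- remote stored-procedure calls
EXEC sp_configure 'clr enabled', 0;
EXEC sp_configure 'show advanced options', 0;  RECONFIGURE;
GO

-- 4. Login auditing. AuditLevel: 0 = none, 1 = successful only,
--    2 = failed only, 3 = both. Stored in the instance registry hive;
--    takes effect after the service restarts.
EXEC master..xp_instance_regwrite
     N'HKEY_LOCAL_MACHINE',
     N'Software\Microsoft\MSSQLServer\MSSQLServer',
     N'AuditLevel', REG_DWORD, 3;
GO

-- 5. Local Administrators should not be sysadmin by default.
IF EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'BUILTIN\Administrators')
    DROP LOGIN [BUILTIN\Administrators];
GO

-- 6. Verify: who holds sysadmin, the state of SA (sid 0x01 whatever its name)
--    and any SQL login that skips policy, and the surface-area options.
SELECT p.name, p.type_desc, p.is_disabled
  FROM sys.server_principals p
  JOIN sys.server_role_members m ON m.member_principal_id = p.principal_id
  JOIN sys.server_principals r   ON r.principal_id = m.role_principal_id
 WHERE r.name = N'sysadmin';

SELECT name, is_disabled, is_policy_checked, is_expiration_checked
  FROM sys.sql_logins
 WHERE sid = 0x01 OR is_policy_checked = 0 OR is_expiration_checked = 0;

SELECT name, value_in_use
  FROM sys.configurations
 WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures',
                'Ad Hoc Distributed Queries', 'remote access', 'clr enabled');
```

The verification queries at the end are the ones worth keeping in a scheduled check: the sysadmin list should contain only the DBA group (and the disabled SA), the second result set should return only the SA row, and every value_in_use in the third should be 0.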

If you do something different in order to secure your implementation, feel free to provide your recommendations as comments.

Cheers!!!

Ross Mistry

install updates


The first comment you make about security and the first comment I have heard in many discussions about security basics is install updates. I am constantly amazed when people who should know better fail to follow this simple advice and pay the price. This is way too simple a task to take for granted.

Your article is a great coverage of the basics of security, most of which can be applied to any OS/Application.

At least implement WSUS!!!


Indeed, it is ironic how the easiest tasks get overlooked.  However, based on my experience, many large organizations do not have a patch management solution and they are understaffed.  Therefore, they have to patch servers manually and since they don't have the resources and they are typically fighting other fires, this simplistic task does not occur, leaving them vulnerable and at risk.

Yes, this is sad, but it is reality. These types of companies should at least download and configure Microsoft's free patch management tool Windows Software Update Services (WSUS). Very easy to learn and implement. Link to the home page:

http://technet.microsoft.com/en-us/wsus/default.aspx

Thanks for the comment...

Ross


About Ross Mistry


Ross Mistry, MCSE, MCDBA, is a partner and principal consultant for Convergent Computing. As a lead architect he designs and implements SQL Server, Active Directory and Exchange solutions for Fortune 500 organizations with a global presence. His SQL Server specialty is designing and implementing high availability, site resilience and disaster recovery solutions. Ross also focuses on SQL Server database administration, database development and Business Intelligence. Ross has also taken on the roles of lead author, co-author, technical writer and contributing writer for a number of books, including SQL Server 2005 Management and Administration and Windows Server 2008 Unleashed. Mistry is also a public speaker and conducts seminars around the world on Microsoft topics including SQL Server, Active Directory and Exchange.


The opinions expressed in this Weblog are those of the writer and may not represent the opinions of Network World.
