Best Practices for Hardening a SQL Server 2005 Implementation

When working with my customers on SQL Server security, I constantly get the same question: "What are some best practices for hardening my SQL Server implementation?" Over the years, I have come up with specific recommendations based on industry best practices and my own experience. Following is a summary of best practices for hardening a SQL Server environment:

  • Install the most recent critical fixes and service packs for both Windows and SQL Server. As of this writing, the current service pack for SQL Server is SQL Server 2005 Service Pack 2, and for Windows it is Windows Server 2003 Service Pack 2.
  • When you're selecting authentication modes, Windows Authentication is a more secure choice; however, if mixed mode authentication is required, leverage complex passwords and the new SQL Server 2005 password and lockout policies to further bolster security.
  • Do not use the SA account for day-to-day administration, for logging on to the server remotely, or as the account applications use to connect to SQL Server. It is best if the SA account is disabled and renamed.
  • Create a role-based security policy with the Security Configuration Wizard tool.
  • After SQL Server 2005 is installed, run the SQL Server Configuration Manager and SQL Server Surface Area Configuration tools to disable unnecessary features and services.
  • Install only required components when installing SQL Server.
  • After the server has been hardened, periodically assess the server's security using the Microsoft Baseline Security Analyzer (MBSA) and the SQL Server 2005 Best Practices Analyzer.
  • Either hide the instance or disable the SQL Server Browser service for production SQL Servers running mission-critical databases.
  • Change the default ports associated with the SQL Server installation so that the instance is not trivially identified by a port scan of the server.
  • Enable a firewall to filter unnecessary and unknown traffic.
  • At the very least, set security auditing to capture failed login attempts; preferably, capture and monitor both failed and successful logins.
  • Remove the BUILTIN\Administrators group from the SQL Server logins.
  • Use the IIS Lockdown and URLScan tools to harden IIS.
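As an added example (not part of the original post), the following read-only T-SQL script checks several of the items above on a SQL Server 2005 instance: the authentication mode, the state of the SA login, SQL logins that bypass the password and lockout policy, the BUILTIN\Administrators login, and the login audit level. It assumes sysadmin rights; the remediation statements at the end are commented out, and the login name in them is a placeholder.

```sql
-- Added example, not from the original post. Assumes sysadmin rights on SQL Server 2005.

-- 1. Authentication mode: 1 = Windows Authentication only, 0 = mixed mode.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- 2. The SA login always has SID 0x01, so this finds it even after a rename.
--    A hardened instance shows is_disabled = 1 and a name other than 'sa'.
SELECT name, is_disabled
FROM sys.server_principals
WHERE sid = 0x01;

-- 3. SQL logins (relevant under mixed mode) that bypass the Windows password
--    and lockout policy. Any row returned is a finding.
SELECT name, is_policy_checked, is_expiration_checked
FROM sys.sql_logins
WHERE is_policy_checked = 0 OR is_expiration_checked = 0;

-- 4. BUILTIN\Administrators login: a row returned means every local
--    administrator on the box is still an implicit sysadmin on this instance.
SELECT name, type_desc
FROM sys.server_principals
WHERE name = N'BUILTIN\Administrators';

-- 5. Login audit level: expect 'failure' at minimum, 'all' preferred.
EXEC master.dbo.xp_loginconfig 'audit level';

-- Remediation for the findings above. Run deliberately, one statement at a time,
-- after confirming nothing depends on the login being changed.
-- ALTER LOGIN sa DISABLE;
-- ALTER LOGIN sa WITH NAME = [renamed_admin_login];              -- placeholder name
-- ALTER LOGIN [some_sql_login] WITH CHECK_POLICY = ON, CHECK_EXPIRATION = ON;  -- placeholder name
-- DROP LOGIN [BUILTIN\Administrators];
-- The audit level is set under Server Properties > Security in Management Studio
-- and takes effect only after the SQL Server service is restarted.
```

Run the remediation statements only after the checks confirm a finding, and verify that no application still connects with the login you are disabling or renaming.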

If you do something different in order to secure your implementation, feel free to provide your recommendations as comments.

Cheers!!!

Ross Mistry

Copyright © 2008 IDG Communications, Inc.