Home > Articles > Data > SQL Server

SQL Server Reference Guide

Hosted by

Toggle Open Guide Table of ContentsGuide Contents

Close Table of ContentsGuide Contents

Close Table of Contents

Securing the SQL Server Platform, Part 2

Last updated Mar 28, 2003.

As I mentioned in the last tutorial in this series, security in the context of SQL Server deals with multiple areas including the physical access to the system, the operating system, the platform (SQL Server and its configuration), Principals (users) and Securables (database objects), and programmatic elements like Transact-SQL code. In this two-part series, I'm covering the platform in more detail. If you have not had a chance to look over part one of this series, take a moment and do that now.

I mentioned in the last article that you should always test code, tools and processes you read here (or anywhere) on a lab system and understand the effects before you try anything in production. It's worth repeating that here — so make sure you fire up that Virtual Machine to follow along with the settings and so on you have in your system.

SQL Server Configuration Manager

In the last tutorial I mentioned the Microsoft Baseline Security Analyzer (MBSA) and how you can use that tool to scan for known issues at the Operating System and a few items in the SQL Server Platform that you can examine to tighten your security.

I also opened the SQL Server Configuration Manager (SCM) tool, and I left off at the point where I showed you the user settings. Again, always use the SCM tool to change or configure the user accounts for SQL Server Services — the tool does more than just change the password as I described there.

Opening the SCM tool, you'll notice below the user accounts are two sections that deal with networking for SQL Server. This is the next area to review for security.

Notice that there are two areas here — one for the server protocols, and the other for the client. When you install SQL Server and the Client Tools on a system, it acts as both a server and a client. The protocols are treated differently, and have different security aspects.

Starting with the server side, only enable the protocols you need. Check the configuration requirements of the programs and users that access the database, and set as few protocols to be on as possible. I normally use two: Shared Memory and TCP/IP. Shared Memory is used to communicate from the same system where the client and the server are installed. In production, you may or may not want to enable this communication mechanism. It's fairly secure, unless someone gains access to your server. Of course, in that case you have other issues to worry about.

The TCP/IP protocol is a subject all by itself. If you are not familiar with at least the basics of how this protocol works, make sure you bookmark this link for a review later: http://www.informit.com/articles/article.aspx?p=26014&seqNum=9

If you enable the TCP/IP protocol, the important thing to keep in mind is the Port the TCP/IP protocol will use. At the risk of generalizing a bit, let me explain why this is important.

TCP/IP is actually two protocols: Transmission Control Protocol (TCP) and Internet Protocol (IP). TCP is used at the lower levels of communication for a computer network. Using an address number, it finds your network card like a mail carrier finds a house. Once there, however, different operations are supported by the network. To separate these operations, TCP uses another number, called a Port. This is the number you see for SQL Server if you double-click the TCP/IP protocol in SCM.

This is where things get a little more complicated. You can set this number to any port number that isn't already used. You can find a list of the reserved ports here: http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers. By default, SQL Server uses port 1433. So to be secure, since that's a well-known number, you might want to change it to something else. However — do NOT do that without checking with the client programs first. You will need a way to specify for each one for the port you changed the server to listen on.

If you are running the SQL Browser Service (which uses TCP port 1434), it will automatically route any calls to a Named Instance of SQL Server running on your server to the proper port. This is very handy, but can also be a security concern. If you've changed your ports for security reasons, but you are using the Browser Service, you might not get the results you want. It's not that the SQL Browser is insecure — it's just that it routes requests, so you should understand what it does to make sure you're as secure as you like. You can read more about that here: http://technet.microsoft.com/en-us/library/ms181087.aspx 

All settings you change here in this panel won't take effect until you stop and start the services, but the tool tells you this.  Also note that you can change settings for all Instances installed on your system. 

Moving to the client protocols, once again you want to enable only the protocols that are applicable to your system. If the client tools are installed on another system, then you should have the SCM tool available there for these settings as well. You'll notice that there is a difference in the client portion of this tool — it has an order for the protocols. Typically you only need one protocol enabled on a client, so the order is immaterial, but if you do have multiple protocols, set the one that is used most often to the top of the stack. The reason that the client has an order but the server does not is that the server will listen to whatever protocol is enabled — there's no preference for a request.

SQL Server Management Studio — Server Properties

I'll move to the next tool you can use to secure SQL Server. Again, remember that there are other layers to consider for Security, such as using the latest versions, updates and hotfixes for your system, employing firewalls, and making sure you follow best practices. In this tutorial I'm covering SQL Server itself, and I'll get to those other layers in subsequent articles.

SQL Server Management Studio (SSMS) is a graphical tool you can use to manage your Instances. You can do almost everything graphically that you can do through SQL Server commands, and vice-versa, but I recommend a graphical tool for security, especially for when you are new to the platform. Graphical tools (if properly coded) provide a great mechanism for discovering settings.

I've opened SSMS, and right-clicked the Instance name in the left-hand Object Browser pane. From there I selected “Properties” to bring up this menu.

There are a few settings that control security for an Instance, but you can see I've selected the Security panel first. This is where you can set how the user accounts are handled within the Instance. You have the option of allowing SQL Server to create and manage accounts that are not found in Windows, or only allowing Windows accounts to access SQL Server.

It's true that you have a lot of control over Windows accounts, specifically if you are using Active Directory. But it is not true that the SQL Server accounts are more insecure than a Windows account. It's more that the Windows accounts have that level of control that makes the effect of the control a more secure environment. In any case, your users determine which mode you choose — use Windows accounts if you can, and SQL Server accounts if you need to do that.

Be aware that if you do use SQL Server accounts, you need to ensure that you use complex passwords and that they are rotated frequently. Starting back in SQL Server 2005, you can enforce some of the local Windows account policies for the SQL Server accounts.

Depending on how much attention you are paying to the Windows Security Activity Logs, set the auditing accordingly. I tend to audit for failed logins, and look for suspicious activity there. If you see multiple failed attempts — even if they are from different accounts — you should investigate why. This is often overlooked in the DBA's daily routine, but should be carefully watched.

The rest of the options on this panel are beyond the scope of this article. If you are in fact using C2 or Common Criteria computing, you should read up on those topics deeply. There are quite a few things you need to do other than checking these boxes to make your system have that level of security.

Unless you have to, do not enable Cross database ownership chaining. This can be a security issue — if you are instructed to enable it, make sure you completely understand why.

There are other security settings in this tool, specifically under the Connections panel. There's a setting there that might be a little confusing. The “Allow Remote Connections” does not mean that you are allowing people to log in to the server. It actually means that you are allowing remote stored procedures to call into the server. If you need that option, once again, understand the reasons. Otherwise, leave it off.

In the Advanced and other panels, you may not notice some of the security vectors. In the panels that deal with file locations, make sure no one has access to the files.

One final aspect of securing SQL Server that I have not dealt with here is Encryption. This helps prevent access to the data even if someone does manage to intercept the data stream or grab the files from the hard drive. I've explained a few of these options here, so read that overview for more information. I also have other articles here on InformIT that will demonstrate encryption techniques.

Now that you've completed this overview on security for the SQL Server platform, here's some homework. Read through and bookmark these resources, and make sure everyone on your team does that as well. Security is one of our most important duties.

http://technet.microsoft.com/en-us/library/bb283235.aspx

http://www.microsoft.com/sqlserver/2008/en/us/Security.aspx

http://technet.microsoft.com/en-us/library/bb510589.aspx