SQL Server Express Security
Microsoft SQL Server Express Edition (SQL Server Express) is based on Microsoft SQL Server, and supports most of the features of the database engine. It is designed so that nonessential features and network connectivity are off by default. This reduces the surface area available for attack by a malicious user.
SQL Server Express is usually installed as a named instance. The default name of the instance is
SQLExpress. A named instance is identified by the network name of the computer plus the instance name that you specify during installation.
For security reasons, networking protocols are disabled by default in SQL Server Express. This prevents attacks from outside users that might compromise the computer that hosts the instance of SQL Server Express. You must explicitly enable network connectivity and start the SQL Server Browser service to connect to a SQL Server Express instance from another computer.
Once network connectivity is enabled, a SQL Server Express instance has the same security requirements as the other editions of SQL Server.
A user instance is a separate instance of the SQL Server Express database engine that is generated by a parent instance of SQL Server Express. The primary goal of a user instance is to allow users who are running Windows under a least-privilege user account to have system administrator (
sysadmin) privileges on the SQL Server Express instance on their local computer. User instances are not intended for users who are system administrators on their own computers.
A user instance is generated from a primary instance of SQL Server or SQL Server Express on behalf of a user. It runs as a user process under the Windows security context of the user, not as a service. SQL Server logins are disallowed; only Windows logins are supported. This prevents software executing on a user instance from making system-wide changes that the user would not have permissions to make. A user instance is also known as a child or client instance, and is sometimes referred to by using the RANU acronym ("run as normal user").
Each user instance is isolated from its parent instance and from other user instances running on the same computer. Databases installed on user instances are opened in single-user mode only; multiple users cannot connect to them. Replication, distributed queries and remote connections are disabled for user instances. When connected to a user instance, users do not have any special privileges on the parent SQL Server Express instance.
For more information about SQL Server Express, see the following resources.
|Microsoft SQL Server 2005 Express Edition Books Online||Complete documentation for SQL Server 2005 Express Edition.|
|User Instances for Non-Administrators in SQL Server Books Online||Describes how to create and deploy user instances.|
|SQL Server Express User Instances||Describes user instance capabilities in an ADO.NET application. Provides information about how to enable a user instance, connect to a user instance using a SqlConnection, user instance lifetime, and user instance scenarios.|