Security Considerations for a SQL Server Installation
Security is important, not just for Microsoft SQL Server and Microsoft, but for every product and every business. By following simple best practices, you can avoid many security vulnerabilities. This topic discusses some security best practices that you should employ both before you install SQL Server and after you install SQL Server. Security guidance for specific features is included in the reference topics for those features.
Before Installing SQL Server
Follow these best practices when you set up the server environment:
- Enhance physical security
- Use firewalls
- Isolate services
- Create service accounts with least privileges
- Disable NetBIOS and server message block
Enhance Physical Security
Physical and logical isolation make up the foundation of SQL Server security. To enhance the physical security of the SQL Server installation, do the following tasks:
- Place the server in a room inaccessible to unauthorized persons.
- Place computers that host a database in a physically protected location, ideally a locked computer room with monitored flood detection and fire detection or suppression systems.
- Install databases in the secure zone of the corporate intranet and never directly connected to the Internet.
- Back up all data regularly and store copies in a secure off-site location.
Firewalls are integral to securing the SQL Server installation. Firewalls will be most effective if you follow these guidelines:
- Put a firewall between the server and the Internet.
- Divide the network into security zones separated by firewalls. Block all traffic, and then selectively admit only what is required.
- In a multitier environment, use multiple firewalls to create screened subnets.
- When you are installing the server inside a Windows domain, configure interior firewalls to permit Windows Authentication.
- In a Windows domain in which all versions of Windows are Windows XP or Windows Server 2003 or higher, disable NTLM Authentication. .
- If your application uses distributed transactions, you may have to configure the firewall to allow Microsoft Distributed Transaction Coordinator (MS DTC) traffic to flow between separate MS DTC instances, and between the MS DTC and resource managers such as SQL Server.
Isolating services reduces the risk that one compromised service could be used to compromise others. To isolate services, use the following guidelines:
- Whenever possible, do not install SQL Server on a domain controller.
- Run separate SQL Server services under separate Windows accounts.
- In a multitier environment, run Web logic and business logic on separate computers.
Create Service Accounts That Have Least Privileges
SQL Server setup automatically configures the service account or accounts with the specific permissions required by SQL Server. When modifying or configuring the Windows services used by SQL Server 2005, you should grant only the permissions they require. For more information, see Setting Up Windows Service Accounts.
Disable NetBIOS and Server Message Block
Servers in the perimeter network should have all unnecessary protocols disabled including NetBIOS and server message block (SMB).
NetBIOS uses the following ports:
- UDP/137 (NetBIOS name service)
- UDP/138 (NetBIOS datagram service)
- TCP/139 (NetBIOS session service)
SMB uses the following ports:
Web servers and Domain Name System (DNS) servers do not require NetBIOS or SMB. On these servers, disable both protocols to mitigate the threat of user enumeration. For more information about how to disable these protocols, see How to: Disable NetBIOS over TCP/IP and How to: Disable Server Message Block.
After Installing SQL Server
After installation, you can enhance the security of the SQL Server installation by following these best practices regarding accounts and authentication modes:
- Run SQL Server services with the lowest possible privileges.
- Associate SQL Server services with Windows accounts.
- Require Windows Authentication for connections to SQL Server.
- Always assign a strong password to the sa account.
- Always enable password policy checking.
- Always use strong passwords for all SQL Server logins.