SQL Server Surface Area Configuration Tools
[This topic is pre-release documentation and is subject to change in future releases. Blank topics are included as placeholders.]
Surface area reduction is a security measure that involves stopping or disabling unused components. Surface area reduction helps to improve security by providing fewer avenues for potential attacks on a system.
For new installations of Microsoft SQL Server, some features, services, and connections are disabled or stopped to reduce the SQL Server surface area. For upgraded installations, all features, services, and connections remain in their pre-upgrade state.
Use SQL Server Surface Area Configuration to enable, disable, start, or stop the features, services, and remote connectivity of your SQL Server installations. You can use SQL Server Surface Area Configuration on local and remote servers.
SQL Server Surface Area Configuration uses Window Management Instrumentation (WMI) to view and change server settings. WMI provides a unified way for interfacing with the API calls that manage registry operations that configure SQL Server. For information about configuring permissions related to WMI, see the topic How to: Configure WMI to Show Server Status in SQL Server Tools.
When to Use the Surface Area Configuration Tools
After you install or upgrade to SQL Server, you should run SQL Server Surface Area Configuration to verify which features and services are enabled and running, and to verify which types of connections SQL Server will accept. After initial configuration, you can use SQL Server Surface Area Configuration to verify or change the state of features, services, and connections.
Launching Surface Area Configuration
SQL Server Surface Area Configuration is available on the SQL Server Start menu:
- On the Start menu, point to All Programs, Microsoft SQL Server, Configuration Tools, and then click SQL Server Surface Area Configuration.
The first page to appear is the SQL Server Surface Area Configuration start page. On the start page, specify which server you want to configure:
- Click the change computer link adjacent to Configure Surface Area for. The default value is localhost. If you previously selected a named server, you would see the server name.
- In the Select Computer dialog box, do one of the following:
- To configure SQL Server on the local computer, click Local computer.
- To configure SQL Server on another computer, click Remote computer, and then enter the computer name in the text box.
- To configure a failover cluster, click Remote computer, and then enter the failover cluster instance name in the text box.
- Click OK.
Using the Surface Area Configuration Tools
After selecting the computer to configure, you can launch two tools:
- Use Surface Area Configuration for Services and Connections to enable or disable Windows services and remote connectivity.
For descriptions of the service and connectivity settings and defaults for those settings, see Surface Area Configuration for Services and Connections.
- Use Surface Area Configuration for Features to enable and disable features of the Database Engine, Analysis Services, and Reporting Services.
For descriptions of the features and information about default feature settings, see Surface Area Configuration for Features.
sac Command Line Utility
To import and export surface area settings, use the sac command-prompt utility. Using this utility, you can configure the surface area on one computer, and then apply the same settings to other computers.
The easiest way to use the sac utility is to use SQL Server Surface Area Configuration to configure one computer, and then use the sac utility to export the settings of that computer to a file. You can use that file to apply the same settings to SQL Server components on other computers.
For more information, see sac Utility.