Configure SQL Server security for SharePoint Server

APPLIES TO: SharePoint Server 2013, 2016, 2019, SharePoint Online

When you install SQL Server, the default settings help to provide a safe database. In addition, you can use SQL Server tools and Windows Firewall to add further security to SQL Server in SharePoint Server environments.

Important

The security steps in this topic are fully tested by the SharePoint team. There are other ways to help secure SQL Server in a SharePoint Server farm. For more information, see Securing SQL Server.

Before you begin

Before you begin this operation, review the following tasks about how to secure your server farm:

  • Block UDP port 1434.

  • Configure named instances of SQL Server to listen on a nonstandard port (other than TCP port 1433 or UDP port 1434).

  • For additional security, block TCP port 1433 and reassign the port that is used by the default instance to a different port.

  • Configure SQL Server client aliases on all front-end web servers and application servers in the server farm. After you block TCP port 1433 or UDP port 1434, SQL Server client aliases are necessary on all computers that communicate with the computer that is running SQL Server.

Configuring a SQL Server instance to listen on a non-default port

SQL Server provides the ability to reassign the ports that are used by the default instance and any named instances. In SQL Server Service Pack 1 (SP1), you reassign the TCP port by using SQL Server Configuration Manager. When you change the default ports, you make the environment more resistant to attackers who know the default assignments and use them to target your SharePoint environment.

To configure a SQL Server instance to listen on a non-default port

  1. Verify that the user account that is performing this procedure is a member of either the sysadmin or the serveradmin fixed server role.

  2. On the computer that is running SQL Server, open SQL Server Configuration Manager.

  3. In the navigation pane, expand SQL Server Network Configuration.

  4. Click the corresponding entry for the instance that you are configuring.

    The default instance is listed as Protocols for MSSQLSERVER. Named instances appear as Protocols for named_instance.

  5. In the main window, in the Protocol Name column, right-click TCP/IP, and then click Properties.

  6. Click the IP Addresses tab.

    For every IP address that is assigned to the computer that is running SQL Server, there is a corresponding entry on this tab. By default, SQL Server listens on all IP addresses that are assigned to the computer.

  7. To globally change the port that the default instance is listening on, follow these steps:

    • For each IP address except IPAll, clear all values for both TCP Dynamic Ports and TCP Port.

    • For IPAll, clear the value for TCP Dynamic Ports. In the TCP Port field, enter the port that you want the instance of SQL Server to listen on. For example, enter 40000.

  8. To globally change the port that a named instance is listening on, follow these steps:

    • For each IP address including IPAll, clear all values for TCP Dynamic Ports. A value of 0 in this field means that SQL Server uses a dynamic TCP port for the IP address. A blank entry means that SQL Server will not use a dynamic TCP port for the IP address.

    • For each IP address except IPAll, clear all values for TCP Port.

    • For IPAll, clear the value for TCP Dynamic Ports. In the TCP Port field, enter the port that you want the instance of SQL Server to listen on. For example, enter 40000.

  9. Click OK.

    A message indicates that the change will not take effect until the SQL Server service is restarted. Click OK.

  10. Close SQL Server Configuration Manager.

  11. Restart the SQL Server service and confirm that the computer that is running SQL Server is listening on the port that you selected.

    You can confirm this by looking in the Event Viewer log after you restart the SQL Server service. Look for an information event similar to the following:

    Event Type: Information
    Event Source: MSSQL$MSSQLSERVER
    Event Category: (2)
    Event ID: 26022
    Date: 3/6/2008
    Time: 1:46:11 PM
    User: N/A
    Computer: computer_name
    Description:
    Server is listening on [ 'any' <ipv4> 50000]

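The same port change and the event-log check from step 11 can be scripted. The following PowerShell is an added example, not part of the original article; it uses the SQL Server Management Objects (SMO) WMI provider that ships with the SQL Server management tools, and the instance name, port and service name are placeholders you replace. It clears TCP Dynamic Ports on every address, sets TCP Port only on IPAll (which matches steps 7 and 8 for both default and named instances), restarts the service, and then confirms the result both from the listening sockets and from event 26022.

```powershell
# Added example, not from the original article. Assumes the SMO WMI assembly
# (Microsoft.SqlServer.SqlWmiManagement) is installed on the SQL Server host.
$instanceName = 'MSSQLSERVER'   # placeholder: default instance, or your named instance
$newPort      = 40000           # placeholder: the non-default port you chose

# Service name differs between the default instance and named instances.
$serviceName = if ($instanceName -eq 'MSSQLSERVER') { 'MSSQLSERVER' } else { "MSSQL`$$instanceName" }

Add-Type -AssemblyName 'Microsoft.SqlServer.SqlWmiManagement'
$wmi = New-Object 'Microsoft.SqlServer.Management.Smo.Wmi.ManagedComputer'
$tcp = $wmi.ServerInstances[$instanceName].ServerProtocols['Tcp']

foreach ($ip in $tcp.IPAddresses) {
    $props = $ip.IPAddressProperties
    # Blank (not 0) disables dynamic port assignment for this address.
    $props['TcpDynamicPorts'].Value = ''
    if ($ip.Name -eq 'IPAll') {
        $props['TcpPort'].Value = "$newPort"   # single global listening port
    } else {
        $props['TcpPort'].Value = ''           # per-address ports stay cleared
    }
}
$tcp.Alter()                                   # persist the protocol change

# The change takes effect only after the service restarts.
Restart-Service -Name $serviceName -Force

function Test-SqlListeningPort {
    param([string]$ServiceName, [int]$Port)
    # 1) Which sockets does the SQL Server process actually hold open?
    $sqlPid  = (Get-CimInstance Win32_Service -Filter "Name='$ServiceName'").ProcessId
    $sockets = Get-NetTCPConnection -State Listen -OwningProcess $sqlPid -ErrorAction SilentlyContinue
    $listening = @($sockets | Where-Object { $_.LocalPort -eq $Port }).Count -gt 0
    $onDefault = @($sockets | Where-Object { $_.LocalPort -eq 1433 }).Count -gt 0

    # 2) The Application log event the article tells you to look for (ID 26022).
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 26022 } `
                -MaxEvents 20 -ErrorAction SilentlyContinue
    $logged = @($events | Where-Object { $_.Message -match "listening on .*$Port" }).Count -gt 0

    [pscustomobject]@{
        Service          = $ServiceName
        ListeningOnPort  = $listening   # expected: True
        StillOn1433      = $onDefault   # expected: False after the change
        Event26022Found  = $logged      # expected: True
    }
}

Test-SqlListeningPort -ServiceName $serviceName -Port $newPort
```

Run it in an elevated Windows PowerShell session on the SQL Server host. The `StillOn1433` field is the check worth keeping: a restart that fails to pick up the change leaves the instance on the default port, which the Event Viewer message alone does not make obvious.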

Blocking default SQL Server listening ports

Windows Firewall with Advanced Security uses Inbound Rules and Outbound Rules to help secure incoming and outgoing network traffic. Because Windows Firewall blocks all incoming unsolicited network traffic by default, you do not have to explicitly block the default SQL Server listening ports. For more information, see Windows Firewall with Advanced Security and Configuring the Windows Firewall to Allow SQL Server Access.

Configuring Windows Firewall to open manually assigned ports

To access a SQL Server instance through a firewall, you must configure the firewall on the computer that is running SQL Server to allow access. Any ports that you manually assign must be open in Windows Firewall.

To configure Windows Firewall to open manually assigned ports

  1. Verify that the user account that is performing this procedure is a member of either the sysadmin or the serveradmin fixed server role.

  2. In Control Panel, open System and Security.

  3. Click Windows Firewall, and then click Advanced Settings to open the Windows Firewall with Advanced Security dialog box.

  4. In the navigation pane, click Inbound Rules to display the available options in the Actions pane.

  5. Click New Rule to open the New Inbound Rule Wizard.

  6. Use the wizard to complete the steps that are required to allow access to the port that you defined in Configuring a SQL Server instance to listen on a non-default port.

    Note

    You can configure Internet Protocol security (IPsec) to help secure communication to and from the computer that is running SQL Server by configuring Windows Firewall. You do this by selecting Connection Security Rules in the navigation pane of the Windows Firewall with Advanced Security dialog box.
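The inbound rule from step 6 can also be created with the NetSecurity cmdlets, which makes it easy to scope the rule to the farm's own servers instead of to any remote address. The following PowerShell is an added example and not part of the original article; the port and the farm server addresses are constructed placeholders. It also adds explicit block rules for the default ports that the Before you begin section tells you to block, and finishes with a review function that lists every inbound rule touching those ports together with its action and remote scope.

```powershell
# Added example, not from the original article. Run elevated on the SQL Server host.
$sqlPort     = 40000                            # placeholder: manually assigned port
$farmServers = @('10.0.0.11', '10.0.0.12')      # constructed sample: front-end and app server IPs

# Allow the assigned port, but only from farm members and only on the domain profile.
New-NetFirewallRule -DisplayName "SQL Server (SharePoint farm) TCP $sqlPort" `
    -Direction Inbound -Protocol TCP -LocalPort $sqlPort `
    -RemoteAddress $farmServers -Profile Domain -Action Allow | Out-Null

# Unsolicited inbound traffic is already dropped by default; explicit block rules
# record the intent and keep winning even if a broad allow rule is added later,
# because block rules take precedence over allow rules in Windows Firewall.
New-NetFirewallRule -DisplayName 'Block SQL Browser UDP 1434' `
    -Direction Inbound -Protocol UDP -LocalPort 1434 -Action Block | Out-Null
New-NetFirewallRule -DisplayName 'Block SQL default TCP 1433' `
    -Direction Inbound -Protocol TCP -LocalPort 1433 -Action Block | Out-Null

function Get-SqlPortRules {
    # Lists inbound rules that reference the SQL-related ports, with scope and action,
    # so an auditor can see at a glance what is allowed from where.
    param([int[]]$Ports = @(40000, 1433, 1434))
    $wanted = $Ports | ForEach-Object { "$_" }
    foreach ($rule in Get-NetFirewallRule -Direction Inbound) {
        $pf = $rule | Get-NetFirewallPortFilter
        $localPorts = @($pf.LocalPort)
        $hit = @($wanted | Where-Object { $localPorts -contains $_ }).Count -gt 0
        if (-not $hit) { continue }
        $af = $rule | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Name     = $rule.DisplayName
            Enabled  = $rule.Enabled
            Action   = $rule.Action
            Profile  = $rule.Profile
            Protocol = $pf.Protocol
            Port     = ($localPorts -join ',')
            Remote   = (@($af.RemoteAddress) -join ',')
        }
    }
}

Get-SqlPortRules -Ports @($sqlPort, 1433, 1434) | Format-Table -AutoSize
```

A rule whose `Remote` column reads `Any` on the assigned port is the finding to look for in the review output: the port is open to the whole network rather than to the farm.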

Configuring SQL Server client aliases

If you block UDP port 1434 or TCP port 1433 on the computer that is running SQL Server, you must create a SQL Server client alias on all other computers in the server farm. You can use the SQL Server client components to create a SQL Server client alias on computers that connect to SQL Server.

To configure a SQL Server client alias

  1. Verify that the user account that is performing this procedure is a member of either the sysadmin or the serveradmin fixed server role.

  2. Run Setup for SQL Server on the target computer, and install the following client components:

    • Connectivity Components

    • Management Tools

  3. Open SQL Server Configuration Manager.

  4. In the navigation pane, click SQL Native Client Configuration.

  5. In the main window, under Items, right-click Aliases, and select New Alias.

  6. In the Alias - New dialog box, in the Alias Name field, enter a name for the alias. For example, enter SharePoint_alias.

  7. In the Port No field, enter the port number for the database instance. For example, enter 40000. Make sure that the protocol is set to TCP/IP.

  8. In the Server field, enter the name of the computer that is running SQL Server.

  9. Click Apply, and then click OK.

  10. Verification: You can test the SQL Server client alias by using SQL Server Management Studio, which is available when you install the SQL Server client components.

  11. Open SQL Server Management Studio.

  12. When you are prompted to enter a server name, enter the name of the alias that you created, and then click Connect. If the connection is successful, SQL Server Management Studio is populated with objects that correspond to the remote database.

  13. To check connectivity to additional database instances from SQL Server Management Studio, click Connect, and then click Database Engine.
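On a farm with several front-end and application servers, creating the alias by hand in Configuration Manager on each one is error-prone, and the SSMS test in steps 10 to 13 only proves the alias on the machine where you clicked. The following PowerShell is an added example, not part of the original article. It writes the alias that Configuration Manager would create into the SQL client registry key (the `DBMSSOCN,server,port` value format is what the TCP/IP alias uses; both the 64-bit and the 32-bit client keys are set so that 32-bit tools resolve the same name), and then verifies it without SSMS: first that the non-default port is reachable, then that a Windows-authenticated connection through the alias name actually lands on the intended instance. The server name, alias name and port are placeholders.

```powershell
# Added example, not from the original article. Run elevated on each farm server
# that must reach SQL Server (front-end web servers and application servers).
$aliasName = 'SharePoint_alias'             # placeholder: alias name from step 6
$sqlHost   = 'sqlserver01.contoso.local'    # placeholder: computer running SQL Server
$sqlPort   = 40000                          # placeholder: port assigned to the instance

# TCP/IP alias value as stored by SQL Server Configuration Manager: DBMSSOCN,server,port
$aliasValue = "DBMSSOCN,$sqlHost,$sqlPort"
$aliasKeys  = @(
    'HKLM:\SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo',             # 64-bit clients
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\MSSQLServer\Client\ConnectTo'  # 32-bit clients
)
foreach ($key in $aliasKeys) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name $aliasName -Value $aliasValue `
        -PropertyType String -Force | Out-Null
}

function Test-SqlClientAlias {
    # Verifies the alias end to end: port reachable, then a real login through the alias.
    param([string]$Alias, [string]$SqlHost, [int]$Port)
    $result = [ordered]@{ Alias = $Alias }

    # 1) Is the non-default port open from this server (firewall rule and listener)?
    $result.PortReachable = (Test-NetConnection -ComputerName $SqlHost -Port $Port `
                               -WarningAction SilentlyContinue).TcpTestSucceeded

    # 2) Does a connection that names only the alias reach the expected instance?
    #    System.Data.SqlClient honors the ConnectTo aliases written above.
    $conn = New-Object System.Data.SqlClient.SqlConnection `
                "Server=$Alias;Integrated Security=True;Connect Timeout=10"
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = "SELECT @@SERVERNAME AS ServerName, " +
                           "CONVERT(nvarchar(64), SERVERPROPERTY('ProductVersion')) AS Version"
        $reader = $cmd.ExecuteReader()
        if ($reader.Read()) {
            $result.ServerName = $reader['ServerName']
            $result.Version    = $reader['Version']
        }
        $reader.Close()
        $result.AliasWorks = $true
    } catch {
        $result.AliasWorks = $false
        $result.Error      = $_.Exception.Message
    } finally {
        $conn.Dispose()
    }
    [pscustomobject]$result
}

Test-SqlClientAlias -Alias $aliasName -SqlHost $sqlHost -Port $sqlPort
```

Run the function under the farm account (or the account whose connectivity you need to prove), since the login is Windows-authenticated. A `PortReachable` of True with `AliasWorks` of False usually points at the alias itself (a typo in the name or the port) rather than at the firewall; the reverse pattern is not possible, so False on both means the inbound rule on the SQL Server host is the first thing to check.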

See also

Other Resources

SQL Server Security Blog

SQL Vulnerability Assessment

Securing SharePoint: Harden SQL Server in SharePoint Environments

Configure a Windows Firewall for Database Engine Access

Configure a Server to Listen on a Specific TCP Port (SQL Server Configuration Manager)