SQL Server 安裝的安全性考量Security Considerations for a SQL Server Installation

適用範圍:Applies to: 是SQL ServerSQL Server (所有支援的版本) yesSQL ServerSQL Server (all supported versions) - 僅限 Windows 是Azure SQL 受控執行個體Azure SQL Managed InstanceYesAzure SQL 受控執行個體Azure SQL Managed Instance適用範圍:Applies to: 是SQL ServerSQL Server (所有支援的版本) yesSQL ServerSQL Server (all supported versions) - Windows only 是Azure SQL 受控執行個體Azure SQL Managed InstanceYesAzure SQL 受控執行個體Azure SQL Managed Instance

安全性對於每一個產品和每一項業務都很重要。Security is important for every product and every business. 只要遵循簡單的最佳做法,就可以避免許多安全性漏洞。By following simple best practices, you can avoid many security vulnerabilities. 本文討論您在安裝 SQL ServerSQL Server 之前及安裝 SQL ServerSQL Server 之後應該考慮的一些安全性最佳做法。This article discusses some security best practices that you should consider both before you install SQL ServerSQL Server and after you install SQL ServerSQL Server. 特定功能的參考文章皆會涵蓋這些功能的安全性指南。Security guidance for specific features is included in the reference articles for those features.

安裝之前 SQL ServerSQL ServerBefore Installing SQL ServerSQL Server

設定伺服器環境時,請遵循這些最佳做法:Follow these best practices when you set up the server environment:

Enhance Physical SecurityEnhance Physical Security

實體和邏輯隔離,構成 SQL ServerSQL Server 安全性的基礎。Physical and logical isolation make up the foundation of SQL ServerSQL Server security. 若要加強 SQL ServerSQL Server 安裝的實體安全性,請執行下列工作:To enhance the physical security of the SQL ServerSQL Server installation, do the following tasks:

  • 將伺服器放在只有獲得授權的人員能夠存取的地點。Place the server in a room accessible only to authorized persons.

  • 將主控資料庫的電腦放在實體保護位置中,最好是有上鎖的電腦機房,裡面有水災偵測和火災偵測或控制系統的監視功能。Place computers that host a database in a physically protected location, ideally a locked computer room with monitored flood detection and fire detection or suppression systems.

  • 在公司內部網路的安全區域中安裝資料庫,而且請勿將 SQL Server 直接連接到網際網路。Install databases in the secure zone of the corporate intranet and do not connect your SQL Servers directly to the Internet.

  • 定期備份所有資料,並在遠端位置保護備份安全。Back up all data regularly and secure the backups in an off-site location.

Use FirewallsUse Firewalls

防火牆對於保護 SQL ServerSQL Server 安裝的安全非常重要。Firewalls are important to help secure the SQL ServerSQL Server installation. 如果您遵照這些方針,防火牆將是最有效的:Firewalls will be most effective if you follow these guidelines:

  • 將防火牆放在伺服器和網際網路之間。Put a firewall between the server and the Internet. 啟用您的防火牆。Enable your firewall. 如果防火牆已關閉,請將它開啟。If your firewall is turned off, turn it on. 如果防火牆已開啟,請勿將它關閉。If your firewall is turned on, do not turn it off.

  • 將網路分割成防火牆所隔開的安全區域。Divide the network into security zones separated by firewalls. 封鎖所有傳輸,然後選擇性地只准許必要的傳輸。Block all traffic, and then selectively admit only what is required.

  • 在多層環境中,請使用多個防火牆來建立篩選的子網路。In a multi-tier environment, use multiple firewalls to create screened subnets.

  • 當您在 Windows 網域內安裝伺服器時,請設定內部防火牆允許 Windows 驗證。When you are installing the server inside a Windows domain, configure interior firewalls to allow Windows Authentication.

  • 如果應用程式使用分散式交易,您可能必須設定防火牆,好讓 MicrosoftMicrosoft 分散式交易協調器 (MS DTC) 傳輸可以在個別 MS DTC 執行個體之間流動。If your application uses distributed transactions, you might have to configure the firewall to allow MicrosoftMicrosoft Distributed Transaction Coordinator (MS DTC) traffic to flow between separate MS DTC instances. 您也必須設定防火牆,好讓 MS DTC 與資源管理員 (如 SQL ServerSQL Server) 之間的傳輸可以流動。You will also have to configure the firewall to allow traffic to flow between the MS DTC and resource managers such as SQL ServerSQL Server.

如需預設 Windows 防火牆設定的詳細資訊以及影響 Database EngineDatabase EngineAnalysis ServicesAnalysis ServicesReporting ServicesReporting ServicesIntegration ServicesIntegration Services之 TCP 通訊埠的描述,請參閱 設定 Windows 防火牆以允許 SQL Server 存取For more information about the default Windows firewall settings, and a description of the TCP ports that affect the Database EngineDatabase Engine, Analysis ServicesAnalysis Services, Reporting ServicesReporting Services, and Integration ServicesIntegration Services, see Configure the Windows Firewall to Allow SQL Server Access.

Isolate ServicesIsolate Services

隔離服務減少一個遭到破壞的服務被用來破壤其他服務的風險。Isolating services reduces the risk that one compromised service could be used to compromise others. 若要隔離服務,請考慮下列方針:To isolate services, consider the following guidelines:

  • 在個別 Windows 帳戶下執行個別的 SQL ServerSQL Server 服務。Run separate SQL ServerSQL Server services under separate Windows accounts. 請盡可能針對每一個 SQL ServerSQL Server 服務使用低權限的個別 Windows 或本機使用者帳戶。Whenever possible, use separate, low-rights Windows or Local user accounts for each SQL ServerSQL Server service. 如需詳細資訊,請參閱 設定 Windows 服務帳戶與權限預覽版本升級問題的解答。For more information, see Configure Windows Service Accounts and Permissions.

Configure a Secure File SystemConfigure a Secure File System

使用正確的檔案系統會增加安全性。Using the correct file system increases security. 如果是 SQL ServerSQL Server 安裝,您應該執行下列工作:For SQL ServerSQL Server installations, you should do the following tasks:

  • 使用 NTFS 檔案系統 (NTFS)。Use the NTFS file system (NTFS). NTFS 是 SQL ServerSQL Server 安裝的慣用檔案系統,因為它比 FAT 檔案系統更穩定,而且具有更高的可復原性。NTFS is the preferred file system for installations of SQL ServerSQL Server because it is more stable and recoverable than FAT file systems. NTFS 也會啟用一些安全性選項,例如檔案和目錄存取控制清單 (ACL) 及加密檔案系統 (EFS) 檔案加密。NTFS also enables security options like file and directory access control lists (ACLs) and Encrypting File System (EFS) file encryption. 在安裝期間, SQL ServerSQL Server 將會在偵測到 NTFS 時,對登錄機碼和檔案設定適當的 ACL。During installation, SQL ServerSQL Server will set appropriate ACLs on registry keys and files if it detects NTFS. 這些權限不應該變更。These permissions should not be changed. 未來的 SQL ServerSQL Server 版本可能不支援在含有 FAT 檔案系統的電腦上安裝。Future releases of SQL ServerSQL Server might not support installation on computers with FAT file systems.


    如果您使用 EFS,資料庫檔案將會在執行 SQL ServerSQL Server的帳戶識別下加密。If you use EFS, database files will be encrypted under the identity of the account running SQL ServerSQL Server. 只有這個帳戶才能夠解密該檔案。Only this account will be able to decrypt the files. 如果您必須變更執行 SQL ServerSQL Server的帳戶,您應該先在舊的帳戶下解密檔案,然後在新的帳戶下重新加密檔案。If you must change the account that runs SQL ServerSQL Server, you should first decrypt the files under the old account and then re-encrypt them under the new account.

  • 針對重要資料檔使用獨立磁碟容錯陣列 (RAID)。Use a redundant array of independent disks (RAID) for critical data files.

Disable NetBIOS and Server Message BlockDisable NetBIOS and Server Message Block

周邊網路中的伺服器應該停用所有非必要的通訊協定,包括 NetBIOS 和伺服器訊息區塊 (SMB) 在內。Servers in the perimeter network should have all unnecessary protocols disabled, including NetBIOS and server message block (SMB).

NetBIOS 使用下列通訊埠:NetBIOS uses the following ports:

  • UDP/137 (NetBIOS 名稱服務)UDP/137 (NetBIOS name service)

  • UDP/138 (NetBIOS 資料包服務)UDP/138 (NetBIOS datagram service)

  • TCP/139 (NetBIOS 工作階段服務)TCP/139 (NetBIOS session service)

SMB 使用下列通訊埠:SMB uses the following ports:

  • TCP/139TCP/139

  • TCP/445TCP/445

Web 伺服器和網域名稱系統 (DNS) 伺服器不需要 NetBIOS 或 SMB。Web servers and Domain Name System (DNS) servers do not require NetBIOS or SMB. 在這些伺服器上,請停用這兩種通訊協定以減少使用者列舉的威脅。On these servers, disable both protocols to reduce the threat of user enumeration.

在網域控制站上安裝 SQL ServerSQL ServerInstalling SQL ServerSQL Server on a domain controller

基於安全性理由,不建議您在網域控制站上安裝 SQL ServerSQL ServerFor security reasons, we recommend that you do not install SQL ServerSQL Server on a domain controller. SQL ServerSQL Server 安裝程式將不會封鎖當做網域控制站之電腦上的安裝,但適用以下限制:Setup will not block installation on a computer that is a domain controller, but the following limitations apply:

  • 您無法以本機服務帳戶在網域控制站上執行 SQL ServerSQL Server 服務。You cannot run SQL ServerSQL Server services on a domain controller under a local service account.

  • SQL ServerSQL Server 安裝到電腦上以後,您無法將電腦從網域成員變成網域控制站。After SQL ServerSQL Server is installed on a computer, you cannot change the computer from a domain member to a domain controller. 在您將主機電腦變更為網域控制站之前,必須先解除安裝 SQL ServerSQL ServerYou must uninstall SQL ServerSQL Server before you change the host computer to a domain controller.

  • SQL ServerSQL Server 安裝到電腦上以後,您無法將電腦從網域控制站變成網域成員。After SQL ServerSQL Server is installed on a computer, you cannot change the computer from a domain controller to a domain member. 在您將主機電腦變更為網域成員之前,必須先解除安裝 SQL ServerSQL ServerYou must uninstall SQL ServerSQL Server before you change the host computer to a domain member.

  • SQL ServerSQL Server 容錯移轉叢集執行個體。failover cluster instances are not supported where cluster nodes are domain controllers.

  • SQL ServerSQL Server 安裝程式無法在唯讀的網域控制站上建立安全性群組或提供 SQL ServerSQL Server 服務帳戶。Setup cannot create security groups or provision SQL ServerSQL Server service accounts on a read-only domain controller. 在此狀況中,安裝程式將會失敗。In this scenario, Setup will fail.

安裝時或安裝後 SQL ServerSQL ServerDuring or After Installation of SQL ServerSQL Server

安裝之後,您可以遵照關於帳戶和驗證模式的這些最佳做法,來加強 SQL ServerSQL Server 安裝的安全性:After installation, you can enhance the security of the SQL ServerSQL Server installation by following these best practices regarding accounts and authentication modes:

服務帳戶Service accounts

  • 使用可能的最低權限來執行 SQL ServerSQL Server 服務。Run SQL ServerSQL Server services by using the lowest possible permissions.

  • SQL ServerSQL Server 服務與低權限的 Windows 本機使用者帳戶或網域使用者帳戶產生關聯。Associate SQL ServerSQL Server services with low privileged Windows local user accounts, or domain user accounts.

  • 如需詳細資訊,請參閱 設定 Windows 服務帳戶與權限預覽版本升級問題的解答。For more information, see Configure Windows Service Accounts and Permissions.

驗證模式Authentication mode

增強式密碼Strong passwords

  • sa 帳戶一律指派增強式密碼。Always assign a strong password to the sa account.

  • 一律啟用檢查密碼強度和逾期的密碼原則。Always enable password policy checking for password strength and expiration.

  • 對所有 SQL ServerSQL Server 登入一律使用增強式密碼。Always use strong passwords for all SQL ServerSQL Server logins.


SQL Server ExpressSQL Server Express 安裝期間會在 BUILTIN\Users 群組中加入一個登入。During setup of SQL Server ExpressSQL Server Express a login is added for the BUILTIN\Users group. 這個登入可讓電腦上所有經過驗證的使用者以 public 角色成員的身分存取 SQL Server ExpressSQL Server Express 執行個體。This allows all authenticated users of the computer to access the instance of SQL Server ExpressSQL Server Express as a member of the public role. BUILTIN\Users 登入可以安全地移除,藉此限制擁有個別登入或為其他擁有登入之 Windows 群組成員的電腦使用者對 Database EngineDatabase Engine 的存取。The BUILTIN\Users login can be safely removed to restrict Database EngineDatabase Engine access to computer users who have individual logins or are members of other Windows groups with logins.

另請參閱See Also

安裝 SQL Server 的硬體與軟體需求 Hardware and Software Requirements for Installing SQL Server
網路通訊協定和網路程式庫 Network Protocols and Network Libraries
註冊 Kerberos 連接的服務主體名稱Register a Service Principal Name for Kerberos Connections