設定 SharePoint Server 的 SQL Server 安全性Configure SQL Server security for SharePoint Server

摘要: 了解如何改善 SharePoint Server 2016 和 SharePoint 2013 環境中的 SQL Server 安全性。Summary: Learn how to improve the security of SQL Server for SharePoint Server 2016 and SharePoint 2013 environments.

安裝 SQL Server 時,預設設定即可提供安全的資料庫。此外,您可以使用 SQL Server 工具和 Windows 防火牆,為 SharePoint Server 環境的 SQL Server 增加額外的安全性。When you install SQL Server, the default settings help to provide a safe database. In addition, you can use SQL Server tools and Windows Firewall to add additional security to SQL Server for SharePoint Server environments.

重要

[!重要事項] 本主題中的安全性步驟已由 SharePoint 小組全面測試。還有其他方式可協助保護 SharePoint Server 伺服器陣列中的 SQL Server。如需詳細資訊,請參閱保護 SQL Server 以及 保護 SharePoint:強化 SharePoint 環境中的 SQL ServerThe security steps in this topic are fully tested by the SharePoint team. There are other ways to help secure SQL Server in a SharePoint Server farm. For more information, see Securing SQL Server and Securing SharePoint: Harden SQL Server in SharePoint Environments.

開始之前Before you begin

開始這項作業之前,請檢閱下列有關如何保護伺服器陣列安全的工作:Before you begin this operation, review the following tasks about how to secure your server farm:

  • 封鎖 UDP 連接埠 1434。Block UDP port 1434.

  • 將 SQL Server 的具名執行個體設定為在非標準的連接埠上接聽 (TCP 連接埠 1433 或 UDP 連接埠 1434 以外的連接埠)。Configure named instances of SQL Server to listen on a nonstandard port (other than TCP port 1433 or UDP port 1434).

  • 若要再提高其安全性,請封鎖 TCP 連接埠 1433,並將預設執行個體使用的連接埠重新指定為不同的連接埠。For additional security, block TCP port 1433 and reassign the port that is used by the default instance to a different port.

  • 在伺服器陣列中的所有前端網頁伺服器和應用程式伺服器上,設定 SQL Server 用戶端別名。在您封鎖 TCP 連接埠 1433 或 UDP 連接埠 1434 之後,要與執行 SQL Server 的電腦通訊的所有電腦都必須使用 SQL Server 用戶端別名。Configure SQL Server client aliases on all front-end web servers and application servers in the server farm. After you block TCP port 1433 or UDP port 1434, SQL Server client aliases are necessary on all computers that communicate with the computer that is running SQL Server.

設定 SQL Server 執行個體接聽非預設連接埠Configuring a SQL Server instance to listen on a non-default port

SQL Server 可讓您重新指派預設執行個體和任何具名執行個體所使用的連接埠。在 SQL Server Service Pack 1 (SP1) 中,您可以使用 SQL Server Configuration Manager 重新指派 TCP 連接埠。當您變更預設連接埠時,可防止知道預設指派的駭客利用這點來攻擊 SharePoint 環境,因此可讓環境更安全。SQL Server provides the ability to reassign the ports that are used by the default instance and any named instances. In SQL Server Service Pack 1 (SP1), you reassign the TCP port by using SQL Server Configuration Manager. When you change the default ports, you make the environment more secure against hackers who know default assignments and use them to exploit your SharePoint environment.

設定 SQL Server 執行個體接聽非預設連接埠To configure a SQL Server instance to listen on a non-default port

  1. 確認執行此程序的使用者帳戶是 sysadmin 或 serveradmin 固定伺服器角色的成員。Verify that the user account that is performing this procedure is a member of either the sysadmin or the serveradmin fixed server role.

  2. 在執行 SQL Server 的電腦上,開啟 SQL Server Configuration Manager。On the computer that is running SQL Server, open SQL Server Configuration Manager.

  3. 在功能窗格] 中展開 [ SQL Server 網路組態]。In the navigation pane, expand SQL Server Network Configuration.

  4. 按一下所設定之執行個體的對應項目。Click the corresponding entry for the instance that you are configuring.

    預設的執行個體已列為MSSQLSERVER 的通訊協定。具名執行個體將會顯示為named_instance 的通訊協定The default instance is listed as Protocols for MSSQLSERVER. Named instances will appear as Protocols for named_instance.

  5. 在 [通訊協定名稱] 欄中主視窗中,以滑鼠右鍵按一下 [ TCP/IP],和 [屬性In the main window in the Protocol Name column, right-click TCP/IP, and then click Properties.

  6. 按一下 [ IP 位址] 索引標籤。Click the IP Addresses tab.

    每個指派給執行 SQL Server 之電腦的 IP 位址,在此索引標籤上都有對應的項目。SQL Server 預設會接聽指派給電腦的所有 IP 位址。For every IP address that is assigned to the computer that is running SQL Server, there is a corresponding entry on this tab. By default, SQL Server listens on all IP addresses that are assigned to the computer.

  7. 若要全域變更預設執行個體所接聽的連接埠,請執行下列步驟:To globally change the port that the default instance is listening on, follow these steps:

    • 針對 [IPAll] 以外的每個 IP 位址,清除 [ TCP 動態連接埠] 及 [ TCP 連接埠的所有值。For each IP address except IPAll, clear all values for both TCP dynamic ports and TCP Port.

    • 針對 [ipall] 以外,清除 [ TCP 動態連接埠值。在 [ TCP 連接埠] 欄位中輸入要接聽的 SQL Server 執行個體的連接埠。例如,輸入 40000。For IPAll, clear the value for TCP dynamic ports. In the TCP Port field, enter the port that you want the instance of SQL Server to listen on. For example, enter 40000.

  8. 若要全域變更具名執行個體所接聽的連接埠,請執行下列步驟:To globally change the port that a named instance is listening on, follow these steps:

    • 針對包括 [ipall] 以外的每個 IP 位址,清除所有值的TCP 動態連接埠。請讓此欄位 0 的值會指出 SQL Server 的 IP 位址使用動態的 TCP 連接埠。空白項目,此值表示 SQL Server 將會不使用動態的 TCP 連接埠的 IP 位址。For each IP address including IPAll, clear all values for TCP dynamic ports. A value of 0 for this field indicates that SQL Server uses a dynamic TCP port for the IP address. A blank entry for this value means that SQL Server will not use a dynamic TCP port for the IP address.

    • 針對 [IPAll] 以外的每個 IP 位址,清除所有值的TCP 連接埠For each IP address except IPAll, clear all values for TCP Port.

    • 針對 [ipall] 以外,清除 [ TCP 動態連接埠值。在 [ TCP 連接埠] 欄位中輸入要接聽的 SQL Server 執行個體的連接埠。例如,輸入 40000。For IPAll, clear the value for TCP dynamic ports. In the TCP Port field, enter the port that you want the instance of SQL Server to listen on. For example, enter 40000.

  9. 按一下 [確定]*Click *OK.

    訊息會指出該變更將等到才會生效重新啟動 SQL Server 服務。按一下 [確定]A message indicates that the change will not take effect until the SQL Server service is restarted. Click OK.

  10. 關閉 SQL Server Configuration Manager。Close SQL Server Configuration Manager.

  11. 重新啟動 SQL Server 服務,並確認執行 SQL Server 的電腦正在接聽您選取的連接埠。Restart the SQL Server service and confirm that the computer that is running SQL Server is listening on the port that you selected.

    您可以在重新啟動 SQL Server 服務之後查看事件檢視器記錄來進行確認。請尋找與下列事件類似的資訊事件:You can confirm this by looking in the Event Viewer log after you restart the SQL Server service. Look for an information event similar to the following event:

    事件類型:資訊Event Type:Information

    事件來源:MSSQL$MSSQLSERVEREvent Source:MSSQL$MSSQLSERVER

    事件類別:(2)Event Category:(2)

    事件識別碼:26022Event ID:26022

    日期:3/6/2008Date:3/6/2008

    時間:下午 1:46:11Time:1:46:11 PM

    使用者:無User:N/A

    電腦: 電腦名稱Computer: computer_name

    描述:Description:

    伺服器正在 [ 'any' <ipv4>50000] 上接聽Server is listening on [ 'any' <ipv4>50000]

  12. 驗證: 選擇性地包含使用者驗證作業是否成功應執行的步驟。Verification: Optionally, include steps that users should perform to verify that the operation was successful.

封鎖預設 SQL Server 接聽連接埠Blocking default SQL Server listening ports

具有進階安全性的 Windows 防火牆使用輸入規則和輸出規則,來協助保護連入及連出網路流量的安全。因為 Windows 防火牆預設會封鎖所有來路不明的連入網路流量,所以您不需要明確封鎖預設 SQL Server 接聽連接埠。如需詳細資訊,請參閱具有進階安全性的 Windows 防火牆設定 Windows 防火牆以允許 SQL Server 存取Windows Firewall with Advanced Security uses Inbound Rules and Outbound Rules to help secure incoming and outgoing network traffic. Because Windows Firewall blocks all incoming unsolicited network traffic by default, you do not have to explicitly block the default SQL Server listening ports. For more information, see Windows Firewall with Advanced Security and Configuring the Windows Firewall to Allow SQL Server Access.

將 Windows 防火牆設定為開啟手動指派的連接埠Configuring Windows Firewall to open manually assigned ports

若要透過防火牆存取 SQL Server 執行個體,您必須將執行 SQL Server 之電腦的防火牆設定為允許存取,且必須在 Windows 防火牆中開啟手動指定的所有連接埠。To access a SQL Server instance through a firewall, you must configure the firewall on the computer that is running SQL Server to allow access. Any ports that you manually assign must be open in Windows Firewall.

將 Windows 防火牆設定為開啟手動指派的連接埠To configure Windows Firewall to open manually assigned ports

  1. 確認執行此程序的使用者帳戶是 sysadmin 或 serveradmin 固定伺服器角色的成員。Verify that the user account that is performing this procedure is a member of either the sysadmin or the serveradmin fixed server role.

  2. [控制台],開啟 [系統及安全性In Control Panel, open System and Security.

  3. [ Windows 防火牆] 和 [進階設定] 開啟 [具有進階安全性的 Windows 防火牆] 對話方塊。Click Windows Firewall, and then click Advanced Settings to open the Windows Firewall with Advanced Security dialog box.

  4. 在功能窗格中按一下 [輸入規則以在 [動作] 窗格中顯示可用的選項。In the navigation pane, click Inbound Rules to display the available options in the Actions pane.

  5. 按一下 [新增規則] 開啟新增輸入規則精靈]Click New Rule to open the New Inbound Rule Wizard.

  6. 使用此精靈,完成允許存取<設定 SQL Server 執行個體接聽非預設連接埠>中所定義連接埠的必要步驟。Use the wizard to complete the steps that are required to allow access to the port that you defined in Configuring a SQL Server instance to listen on a non-default port.

    注意

    您可以藉由設定 Windows 防火牆設定網際網路通訊協定安全性 (IPsec) 可協助保護通訊到與您在執行 SQL Server 的電腦。您這麼做藉由選取 [具有進階安全性] 對話方塊的 Windows 防火牆的功能窗格中的 [連線安全性規則You can configure the Internet Protocol security (IPsec) to help secure communication to and from your computer that is running SQL Server by configuring the Windows firewall. You do this by selecting Connection Security Rules in the navigation pane of the Windows Firewall with Advanced Security dialog box.

設定 SQL Server 用戶端別名Configuring SQL Server client aliases

若在執行 SQL Server 的電腦上封鎖 UDP 連接埠 1434 或 TCP 連接埠 1433,則必須在伺服器陣列中的所有其他電腦上建立 SQL Server 用戶端別名。您可以使用 SQL Server 用戶端元件,為連線至 SQL Server 的電腦建立 SQL Server 用戶端別名。If you block UDP port 1434 or TCP port 1433 on the computer that is running SQL Server, you must create a SQL Server client alias on all other computers in the server farm. You can use SQL Server client components to create a SQL Server client alias for computers that connect to SQL Server.

設定 SQL Server 用戶端別名To configure a SQL Server client alias

  1. 確認執行此程序的使用者帳戶是 sysadmin 或 serveradmin 固定伺服器角色的成員。Verify that the user account that is performing this procedure is a member of either the sysadmin or the serveradmin fixed server role.

  2. 在目標電腦上執行 SQL Server 的安裝程式,並安裝下列用戶端元件:Run Setup for SQL Server on the target computer, and install the following client components:

    • 連接元件Connectivity Components

    • 管理工具Management Tools

  3. 開啟 SQL Server Configuration Manager。Open SQL Server Configuration Manager.

  4. 在功能窗格] 中按一下 [ SQL Native Client 組態]。In the navigation pane, click SQL Native Client Configuration.

  5. 在 [項目主視窗中,以滑鼠右鍵按一下 [別名],並選取 [新增別名In the main window under Items, right-click Aliases, and select New Alias.

  6. 在 [別名-新項目] 對話方塊中 [別名名稱] 欄位中輸入別名的名稱。例如,輸入 SharePoint _別名In the Alias - New dialog box, in the Alias Name field, enter a name for the alias. For example, enter SharePoint _alias.

  7. 在 [連接埠否] 欄位中輸入的資料庫執行個體的連接埠號碼。例如,輸入 40000。請確定通訊協定設為 TCP/IP。In the Port No field, enter the port number for the database instance. For example, enter 40000. Make sure that the protocol is set to TCP/IP.

  8. 在 [伺服器] 欄位中,輸入執行 SQL Server 之電腦的名稱。In the Server field, enter the name of the computer that is running SQL Server.

  9. 按一下 [套用] 及 [確定]Click Apply, and then click OK.

  10. 驗證: 您可以使用安裝 SQL Server 用戶端元件隨附的 SQL Server Management Studio 測試 SQL Server 用戶端別名。Verification: You can test the SQL Server client alias by using SQL Server Management Studio, which is available when you install SQL Server client components.

  11. 開啟 SQL ServerManagement Studio。Open SQL ServerManagement Studio.

  12. 當系統提示您輸入伺服器名稱時,輸入您建立別名的名稱並再按一下 [連線。如果連線成功,SQL ServerManagement Studio 會填入對應到遠端資料庫物件。When you are prompted to enter a server name, enter the name of the alias that you created, and then click Connect. If the connection is successful, SQL ServerManagement Studio is populated with objects that correspond to the remote database.

  13. 若要從 SQL ServerManagement Studio 中檢查與其他資料庫執行個體連線,按一下 [連接] 和 [ Database EngineTo check connectivity to additional database instances from SQL ServerManagement Studio, click Connect, and then click Database Engine.

另請參閱See also

其他資源Other Resources

SQL Server 安全性部落格SQL Server Security Blog

SQL 弱點評估SQL Vulnerability Assessment

保護 SharePoint:強化 SharePoint 環境中的 SQL ServerSecuring SharePoint: Harden SQL Server in SharePoint Environments

設定用於 Database Engine 存取的 Windows 防火牆Configure a Windows Firewall for Database Engine Access

設定伺服器接聽特定 TCP 通訊埠 (SQL Server 組態管理員)Configure a Server to Listen on a Specific TCP Port (SQL Server Configuration Manager)