Hardening Microsoft SQL Server Installations
On the Host OS:
- Disable non-essential services. Stop them and set their startup type to Disabled via Computer Management -> Services. Example services to disable include Print Spooler and Windows Search; the full list will depend on your application's needs.
- Ensure that the server password policy, firewall rules, account lock-out policies, logging and auditing, antivirus, and system patches are in place and configured properly.
- Assess the security of the network, server, and application with standard vulnerability scanners (Nessus, AppScan, etc.), and repeat the scan after hardening to confirm the findings are closed.
On SQL Server:
- Ensure that all SQL Server patches and the current service pack are in place (at the time this page was written: SQL Server 2008 R2 SP1).
- Disable OLE Automation Procedures, which would allow T-SQL to create and call Windows COM objects on the host. See the Microsoft Documentation on OLE Automation Procedure Options.
- Disable CLR Integration, which allows managed-code (.NET) assemblies to run inside the Database Engine. Check sys.assemblies for user assemblies first, since disabling it breaks any application that depends on them. See the Microsoft Documentation on CLR Integration Options.
- Disable Ad Hoc Distributed Queries, which allow OPENROWSET/OPENDATASOURCE calls to arbitrary remote data sources. Relevant Documentation.
- Disable xp_cmdshell, which lets anyone with the right permission run operating-system commands as the SQL Server service account. Relevant Documentation.
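The four surface-area settings above are all instance-level options that can be turned off with sp_configure. The following T-SQL is an example added here for illustration (it is not from the Tufts page); it assumes you are connected as a member of the sysadmin role and that no application on the instance relies on CLR assemblies or xp_cmdshell:

```sql
-- Added example: turn off the optional surface-area features listed
-- above, then verify that none of them is still in use.

-- These options are hidden until 'show advanced options' is enabled.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;

EXEC sp_configure 'Ole Automation Procedures', 0;
EXEC sp_configure 'clr enabled', 0;
EXEC sp_configure 'Ad Hoc Distributed Queries', 0;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;

-- Hide the advanced options again so routine sp_configure use
-- does not expose them.
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- Verification: each row returned is a feature that is still active
-- (value_in_use = 1). After the statements above this should be empty.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('Ole Automation Procedures',
               'clr enabled',
               'Ad Hoc Distributed Queries',
               'xp_cmdshell')
  AND value_in_use = 1;
```

The verification query reads value_in_use rather than value because a setting only takes effect after RECONFIGURE; a row with value = 0 but value_in_use = 1 means the change was requested but not yet applied.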
- Change the default listening ports for accessing the database. This reduces the effectiveness of blind port scanning, service identification, and brute-force attacks, but it is obscurity only and does not replace firewall rules. The default listening ports are TCP 1433 for the Database Engine and UDP 1434 for the SQL Server Browser; change the engine port to an unused value under 10,000 that is not reserved for an existing service. Note that the Browser service will still tell anyone who can reach UDP 1434 which port the instance is on, so disable it or block that port at the firewall as well.
- Install a TLS certificate and set the instance to force encryption, so that clients cannot fall back to unencrypted connections. If you have not purchased a signed certificate registered with Tufts University, you may create a self-signed certificate and manually import it into the trusted store of every device that needs to connect to the database; otherwise those clients will either fail to connect or have to disable certificate validation.
- Schedule and monitor regular data integrity checks (DBCC CHECKDB). Verify that there is no data corruption; if there is, you may need to roll back the database to a backup or manually repair records, so keep backups long enough to cover the interval between checks.
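The following T-SQL is an example added here and is not from the Tufts page. It runs a full consistency check on every online database (tempdb excluded) and is intended to be scheduled as a SQL Server Agent job step; any corruption DBCC reports is raised as an error, which fails the step and lets the job's failure notification alert you:

```sql
-- Added example: run DBCC CHECKDB across all online databases.
-- Assumes the caller has sysadmin rights (or db_owner on each database).
DECLARE @db  sysname;
DECLARE @sql nvarchar(max);

DECLARE db_cursor CURSOR LOCAL FAST_FORWARD FOR
    SELECT name
    FROM sys.databases
    WHERE state_desc = 'ONLINE'
      AND name <> N'tempdb';

OPEN db_cursor;
FETCH NEXT FROM db_cursor INTO @db;

WHILE @@FETCH_STATUS = 0
BEGIN
    -- QUOTENAME protects against database names containing
    -- spaces or brackets when the statement is built dynamically.
    SET @sql = N'DBCC CHECKDB (' + QUOTENAME(@db)
             + N') WITH NO_INFOMSGS, ALL_ERRORMSGS;';

    -- Progress message, flushed immediately so a long run is visible.
    RAISERROR (N'Checking database %s', 0, 1, @db) WITH NOWAIT;

    EXEC sp_executesql @sql;

    FETCH NEXT FROM db_cursor INTO @db;
END

CLOSE db_cursor;
DEALLOCATE db_cursor;
```

NO_INFOMSGS suppresses the per-object summary so that only real problems reach the job history, and ALL_ERRORMSGS lists every error rather than the first 200 per object.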
- Disable the SA login, or rename it and change its password. Relevant queries:
ALTER LOGIN [sa] DISABLE;
or
ALTER LOGIN [sa] WITH NAME = [sysadminrenamed];
- Encrypt the database at the file system, database, or cell level, as determined by the sensitivity of the data you will maintain. Relevant Documentation.
- Apply password policies to the SQL Server logins and the Windows logins.
SQL Server: in Management Studio, navigate to Security > Logins, open the login's Properties window, choose "General", and select the "Enforce password policy" checkbox.
Windows accounts: these are managed by the domain or by group policy (GPO).
- If possible, keep the database and the application on separate servers. If the application server is compromised, this reduces the likelihood of the entire database being compromised.
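The SA-login and password-policy items above can also be applied in T-SQL, which is easier to repeat across many instances than the SSMS dialog. The script below is an example added here, not from the Tufts page; it assumes the instance runs in Mixed Mode authentication (under Windows-only authentication, setup already disables sa) and that the placeholder password is replaced with a value from your password manager:

```sql
-- Added example: neutralise sa, enforce the Windows password policy on
-- every SQL-authenticated login, and audit the result.

-- 1. Change the sa password, rename the login, then disable it.
--    Rename and DISABLE cannot be combined in one ALTER LOGIN.
ALTER LOGIN [sa] WITH PASSWORD = N'Replace-With-A-Long-Random-Value-9f3!';
ALTER LOGIN [sa] WITH NAME = [sysadminrenamed];
ALTER LOGIN [sysadminrenamed] DISABLE;

-- 2. Turn on CHECK_POLICY for each SQL login that still bypasses it.
--    CHECK_EXPIRATION is deliberately left alone here: enabling it on
--    service or application logins causes outages when passwords
--    expire, so decide that per login.
DECLARE @login sysname;
DECLARE @sql   nvarchar(max);

DECLARE login_cursor CURSOR LOCAL FAST_FORWARD FOR
    SELECT name
    FROM sys.sql_logins
    WHERE is_policy_checked = 0;

OPEN login_cursor;
FETCH NEXT FROM login_cursor INTO @login;

WHILE @@FETCH_STATUS = 0
BEGIN
    SET @sql = N'ALTER LOGIN ' + QUOTENAME(@login)
             + N' WITH CHECK_POLICY = ON;';
    EXEC sp_executesql @sql;
    FETCH NEXT FROM login_cursor INTO @login;
END

CLOSE login_cursor;
DEALLOCATE login_cursor;

-- 3. Audit. sa always has principal_id = 1, so the check survives the
--    rename. Any row returned here still needs attention.
SELECT name, principal_id, is_policy_checked,
       is_expiration_checked, is_disabled
FROM sys.sql_logins
WHERE is_policy_checked = 0
   OR (principal_id = 1 AND is_disabled = 0);
```

Re-run the audit query after any restore of master or any tooling that recreates logins, since those are the usual ways sa ends up re-enabled.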
Information on the Tufts IT Knowledgebase is intended for IT Professionals at Tufts.