Harden SQL Server for SharePoint environments (SharePoint Server 2010)

 

Applies to: SharePoint Server 2010, SharePoint Foundation 2010

This article describes how to harden Microsoft SQL Server for Microsoft SharePoint 2010 Products environments.

In this article:

  • Summary of hardening recommendations

  • Configure a SQL Server instance to listen on a non-default port

  • Block default SQL Server listening ports

  • Configure Windows Firewall to open manually assigned ports

  • Configure a SQL client alias

  • Test the SQL client alias

Summary of hardening recommendations

For secure server farm environments, the recommendation is to do the following:

  • Block UDP port 1434.

  • Configure named instances of SQL Server to listen on a fixed nonstandard port (other than TCP port 1433 or UDP port 1434). By default a named instance is assigned a dynamic port each time it starts, and clients discover that port by querying the SQL Server Browser service on UDP port 1434; a fixed port removes both dependencies.

  • For additional security, block TCP port 1433 and reassign the port that is used by the default instance to a different port.

  • Configure SQL Server client aliases on all front-end Web servers and application servers in the server farm. After you block TCP port 1433 or UDP port 1434, SQL Server client aliases are necessary on all computers that communicate with the computer running SQL Server.

For more information about these recommendations, see Plan security hardening (SharePoint Server 2010).

Configure a SQL Server instance to listen on a non-default port

Use SQL Server Configuration Manager to change the TCP port that is used by an instance of SQL Server.

  1. On the computer running SQL Server, open SQL Server Configuration Manager.

  2. In the left pane, expand SQL Server Network Configuration.

  3. Click the corresponding entry for the instance that you are configuring. The default instance is listed as Protocols for MSSQLSERVER. Named instances will appear as Protocols for named_instance.

  4. In the right pane, right-click TCP/IP, and then click Properties.

  5. Click the IP Addresses tab. For every IP address that is assigned to the computer running SQL Server, there is a corresponding entry on this tab. By default, SQL Server listens on all IP addresses that are assigned to the computer.

  6. To globally change the port that the default instance is listening on, follow these steps:

    1. For each IP address except IPAll, clear all values for both TCP dynamic ports and TCP Port.

    2. For IPAll, clear the value for TCP dynamic ports. In the TCP Port field, enter the port that you want the instance of SQL Server to listen on. For example, enter 40000.

  7. To globally change the port that a named instance is listening on, perform the following steps:

    1. For each IP address including IPAll, clear all values for TCP dynamic ports. A value of 0 for this field indicates that SQL Server uses a dynamic TCP port for the IP address. A blank entry for this value means that SQL Server will not use a dynamic TCP port for the IP address.

    2. For each IP address except IPAll, clear all values for TCP Port.

    3. For IPAll, clear the value for TCP dynamic ports. In the TCP Port field, enter the port that you want the instance of SQL Server to listen on. For example, enter 40000.

  8. Click OK. You will receive a message indicating that the change will not take effect until the SQL Server service is restarted. Click OK.

  9. Close SQL Server Configuration Manager.

  10. Restart the SQL Server service and confirm that the computer running SQL Server is listening on the port that you selected. You can confirm this by looking in the Application log in Event Viewer after restarting the SQL Server service. Look for an information event similar to the following event (the event source is MSSQLSERVER for the default instance and MSSQL$instance_name for a named instance):

    Event Type: Information
    Event Source: MSSQLSERVER
    Event Category: (2)
    Event ID: 26022
    Date: 3/6/2008
    Time: 1:46:11 PM
    User: N/A
    Computer: computer_name
    Description:
    Server is listening on [ 'any' <ipv4> 40000].
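The same port change and its verification can be scripted, which is useful when several instances or farms must be configured identically. The following PowerShell script is an added example and is not part of the original article; it uses the SMO WMI provider that SQL Server Configuration Manager itself is built on. It assumes SQL Server 2008 or 2008 R2 SMO is installed, that it runs elevated on the computer running SQL Server, and that the instance name and port are placeholders you replace.

```powershell
# Added example, not from the original article. Change the TCP port of a SQL Server
# instance with the SMO WMI provider, restart the service, and verify the result.
# Assumptions: SQL Server 2008/R2 SMO installed, run elevated on the SQL Server computer.
$InstanceName = 'MSSQLSERVER'   # placeholder: 'MSSQLSERVER' for the default instance, otherwise the named instance
$NewPort      = '40000'         # placeholder: the nonstandard port from the procedure above

[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.SqlServer.SqlWmiManagement')
$wmi = New-Object Microsoft.SqlServer.Management.Smo.Wmi.ManagedComputer
$tcp = $wmi.ServerInstances[$InstanceName].ServerProtocols['Tcp']

# Steps 6 and 7: clear dynamic ports everywhere, clear per-address ports, set the port on IPAll.
foreach ($ip in $tcp.IPAddresses) {
    $ip.IPAddressProperties['TcpDynamicPorts'].Value = ''
    if ($ip.Name -ne 'IPAll') { $ip.IPAddressProperties['TcpPort'].Value = '' }
}
$tcp.IPAddresses['IPAll'].IPAddressProperties['TcpPort'].Value = $NewPort
$tcp.IsEnabled = $true
$tcp.Alter()

# Step 10: restart the service. Service and event-source names differ for default and named instances.
$serviceName = if ($InstanceName -eq 'MSSQLSERVER') { 'MSSQLSERVER' } else { "MSSQL`$$InstanceName" }
Restart-Service -Name $serviceName -Force

# Confirm from the Application log: event 26022 "Server is listening on [...]" must name the new port.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = $serviceName; Id = 26022 } -MaxEvents 10 |
    Where-Object { $_.Message -match "\b$NewPort\b" }
if (-not $events) { throw "No 'Server is listening' event for port $NewPort; check the TCP/IP properties" }
$events | Select-Object TimeCreated, Message

# Confirm from the socket table: the new port must be in LISTENING state, and nothing should remain on 1433.
$listening = netstat -ano -p tcp | Select-String 'LISTENING'
if (-not ($listening | Select-String ":$NewPort\s")) { throw "No listener on TCP $NewPort" }
if ($listening | Select-String ':1433\s') { Write-Warning 'A listener is still bound to TCP 1433' }
```

Run the script once per instance. The final netstat check is the one worth keeping in a build checklist: the event log tells you what SQL Server thinks it did, the socket table tells you what the operating system actually exposes.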

Block default SQL Server listening ports

Windows Firewall with Advanced Security uses Inbound Rules and Outbound Rules to secure incoming and outgoing network traffic. Because Windows Firewall blocks all unsolicited incoming network traffic by default, you do not have to explicitly block the default SQL Server listening ports, provided that the firewall is turned on for the profile the server is using and that no inbound rule allows those ports. Check the existing rules before relying on the default: SQL Server Setup and administrators commonly add allow rules for TCP port 1433 and for the SQL Server Browser service (UDP port 1434), and any such rule reopens the port. If every instance listens on a fixed port and clients connect through aliases, the SQL Server Browser service is no longer needed to resolve instance ports and can be stopped and disabled, which removes the UDP 1434 listener itself. For more information, see Windows Firewall with Advanced Security (https://go.microsoft.com/fwlink/p/?LinkId=214109) and Configuring the Windows Firewall to Allow SQL Server Access (https://go.microsoft.com/fwlink/p/?LinkId=210584).

Configure Windows Firewall to open manually assigned ports

  1. In Control Panel, open System and Security.

  2. Click Windows Firewall, and then click Advanced Settings to open the Windows Firewall with Advanced Security dialog box.

  3. In the navigation pane, click Inbound Rules to display the available options in the Actions pane.

  4. Click New Rule to open the New Inbound Rule Wizard.

  5. Use the wizard to create a rule that allows inbound TCP traffic to the port that you defined in Configure a SQL Server instance to listen on a non-default port. Scope the rule as tightly as the farm allows: apply it to the Domain profile only and restrict the remote IP addresses to the front-end Web servers and application servers, so that the port is not reachable from other hosts.

Note

You can also use Windows Firewall with Advanced Security to configure Internet Protocol security (IPsec) and help secure communication to and from the computer that is running SQL Server. To do this, select Connection Security Rules in the navigation pane of the Windows Firewall with Advanced Security dialog box.
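The rule from the wizard, the explicit block rules for the default ports, and the check that no allow rule still covers them can all be done from the command line. The following PowerShell script is an added example and is not part of the original article. It is written with netsh because the New-NetFirewallRule cmdlets do not exist on Windows Server 2008 R2, the platform SharePoint 2010 runs on. It assumes the instance listens on TCP 40000, that the farm servers are in 10.0.1.0/24, and that it runs elevated on the computer running SQL Server; all three are placeholders.

```powershell
# Added example, not from the original article. Firewall rules for a hardened SQL Server port
# on Windows Server 2008 R2 (netsh; New-NetFirewallRule is not available there).
# Assumptions (placeholders): instance port 40000, farm servers in 10.0.1.0/24, run elevated.
$SqlPort    = 40000
$FarmSubnet = '10.0.1.0/24'

# 1. Allow the manually assigned port, but only from the farm servers and only on the Domain profile.
netsh advfirewall firewall add rule name="SQL Server (SharePoint farm, TCP $SqlPort)" `
    dir=in action=allow protocol=TCP localport=$SqlPort remoteip=$FarmSubnet profile=domain

# 2. The default inbound policy already drops 1433/1434, but an explicit block rule takes
#    precedence over any allow rule that Setup or an administrator adds later.
netsh advfirewall firewall add rule name="Block default SQL Server port (TCP 1433)" `
    dir=in action=block protocol=TCP localport=1433
netsh advfirewall firewall add rule name="Block SQL Server Browser (UDP 1434)" `
    dir=in action=block protocol=UDP localport=1434

# 3. Check: the inbound policy must be BlockInbound on every profile ...
netsh advfirewall show allprofiles | Select-String 'Firewall Policy' | ForEach-Object {
    if ($_ -notmatch 'BlockInbound') { Write-Warning "Inbound policy is not block: $_" }
}

# ... and no inbound allow rule may still cover a default SQL Server port.
# netsh prints one rule per block of lines separated by a blank line.
$ruleText = (netsh advfirewall firewall show rule name=all dir=in) -join "`n"
$ruleText -split "`n\s*`n" |
    Where-Object { $_ -match 'Action:\s+Allow' -and $_ -match 'LocalPort:\s+(1433|1434)\b' } |
    ForEach-Object { Write-Warning "Allow rule still covers a default SQL Server port:`n$_" }
```

The block rules in step 2 are deliberate defense in depth: in Windows Firewall with Advanced Security, a matching block rule wins over an allow rule, so a later "allow SQL Browser" rule added by a well-meaning administrator does not silently reopen UDP 1434.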

Configure a SQL Server client alias

If you block UDP port 1434 or TCP port 1433 on the computer running SQL Server, you must create a SQL Server client alias on all other computers in the server farm. You can use SQL Server client components to create a SQL Server client alias for computers that connect to SQL Server.

  1. Run Setup for SQL Server on the target computer, and select the following client components to install:

    1. Connectivity Components

    2. Management Tools

  2. Open SQL Server Configuration Manager.

  3. In the left pane, click SQL Native Client 10.0 Configuration. On a 64-bit server there are two nodes, SQL Native Client 10.0 Configuration (32bit) and SQL Native Client 10.0 Configuration; the 32-bit and 64-bit client stacks keep separate alias lists, so create the alias under both nodes.

  4. In the right pane, right-click Aliases, and select New Alias.

  5. In the Alias dialog box, enter a name for the alias. For example, enter SharePoint_alias.

  6. In the Port No field, enter the port number for the database instance. For example, enter 40000. Ensure that the protocol is set to TCP/IP.

  7. In the Server field, enter the name of the computer running SQL Server. For a named instance, enter computer_name\instance_name.

  8. Click Apply, and then click OK.
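Configuration Manager stores each alias as a registry value, so on farm servers where you would rather not run SQL Server Setup just to get the client components, the alias can be created by writing that value directly. The following PowerShell script is an added example and is not part of the original article. It assumes the alias name SharePoint_alias, a SQL Server host named SQL01 with a named instance SHAREPOINT listening on TCP 40000, and that it runs elevated on the front-end Web or application server; the names and port are placeholders.

```powershell
# Added example, not from the original article. Create the SQL Server client alias by writing the
# registry values that SQL Server Configuration Manager writes, in both the 64-bit and 32-bit hives.
# Assumptions (placeholders): alias SharePoint_alias, server SQL01\SHAREPOINT, TCP 40000, run elevated.
$AliasName = 'SharePoint_alias'
$Server    = 'SQL01\SHAREPOINT'   # 'SQL01' for the default instance
$Port      = 40000

# Value format: <provider>,<server>,<port>. DBMSSOCN is the TCP/IP provider.
$Value = "DBMSSOCN,$Server,$Port"
$Keys  = @(
    'HKLM:\SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo',              # 64-bit clients (SharePoint)
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\MSSQLServer\Client\ConnectTo'   # 32-bit clients (e.g. cliconfg.exe)
)
foreach ($key in $Keys) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name $AliasName -Value $Value -Type String
}

# Read back every alias on this computer and decode it, so a typo in the server name
# or a stale alias pointing at the old port is visible before SharePoint tries to use it.
function Get-SqlClientAlias {
    foreach ($key in $Keys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        $names = $item.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object { $_.Name }
        foreach ($name in $names) {
            $parts = $item.$name -split ','
            New-Object PSObject -Property @{
                Hive     = $key
                Alias    = $name
                Provider = $parts[0]
                Server   = $parts[1]
                Port     = $parts[2]
            }
        }
    }
}
Get-SqlClientAlias | Format-Table Alias, Provider, Server, Port, Hive -AutoSize
```

Because the port is given explicitly, the alias does not depend on the SQL Server Browser service, which is exactly why it keeps working after UDP 1434 is blocked. Run the script on every front-end Web server and application server; aliases are per computer, not per farm.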

Test the SQL Server client alias

Test connectivity to the computer running SQL Server by using Microsoft SQL Server Management Studio, which is available by installing SQL Server client components.

  1. Open SQL Server Management Studio.

  2. When you are prompted to enter a server name, enter the name of the alias that you created, and then click Connect. If the connection is successful, SQL Server Management Studio is populated with objects that correspond to the remote database.

    Note

    To check connectivity to additional database instances from within SQL Server Management Studio, click Connect, and then click Database Engine.
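Management Studio proves that a person can connect; it does not prove that the port is closed to everyone else or that the alias really lands on the hardened port rather than on a lingering default listener. The following PowerShell script is an added example and is not part of the original article. System.Data.SqlClient, which SharePoint itself uses, resolves aliases from the same ConnectTo registry key as the SQL Native Client, so a successful connection here is representative. It assumes the alias SharePoint_alias, the host SQL01, the port 40000, and Windows authentication for the account running it; all are placeholders.

```powershell
# Added example, not from the original article. Test the client alias from a farm server without
# SQL Server Management Studio: raw TCP reachability of the new and old ports, then a connection
# through the alias that asks SQL Server which port the session actually arrived on.
# Assumptions (placeholders): alias SharePoint_alias, host SQL01, TCP 40000, Windows authentication.
$AliasName = 'SharePoint_alias'
$SqlHost   = 'SQL01'
$Port      = 40000

function Test-TcpPort([string]$HostName, [int]$PortNumber, [int]$TimeoutMs = 3000) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $PortNumber, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false } finally { $client.Close() }
}

# 1. The hardened port must answer from this farm server; the default port must not.
if (-not (Test-TcpPort $SqlHost $Port)) { throw "TCP $Port on $SqlHost is not reachable; check the inbound firewall rule" }
if (Test-TcpPort $SqlHost 1433) { Write-Warning "TCP 1433 on $SqlHost still accepts connections" }

# 2. Connect through the alias and verify the server-side port of this very session.
function Test-SqlAlias([string]$Alias, [int]$ExpectedPort) {
    $conn = New-Object System.Data.SqlClient.SqlConnection "Data Source=$Alias;Integrated Security=SSPI;Connect Timeout=10"
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = 'SELECT @@SERVERNAME AS ServerName, local_tcp_port FROM sys.dm_exec_connections WHERE session_id = @@SPID'
        $reader = $cmd.ExecuteReader()
        [void]$reader.Read()
        $result = New-Object PSObject -Property @{
            ServerName = [string]$reader['ServerName']
            Port       = [int]$reader['local_tcp_port']
        }
        $reader.Close()
        if ($result.Port -ne $ExpectedPort) { throw "Alias $Alias connected on port $($result.Port), expected $ExpectedPort" }
        return $result
    } finally { $conn.Close() }
}
Test-SqlAlias $AliasName $Port | Format-List ServerName, Port
```

The sys.dm_exec_connections check is the important one: if the alias were misconfigured and SQL Server Browser were still reachable, the connection could still succeed over a dynamic or default port and Management Studio would show no difference, whereas this query fails loudly unless the session arrived on the port you hardened.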