Better SQL Server Security

Security continues to be one of the hottest topics in IT. The Internet and protocols such as Simple Object Access Protocol (SOAP) and XML have driven constant-connection computing to new levels. And as new technologies make your systems more accessible, the threat from viruses and intruders has never been greater. Here are seven steps to setting up better security for your SQL Server systems.

7. Establish Physical Security

Physical security means that your SQL Server system is running in a controlled-access environment in which only approved personnel have physical access to the system. If you don't have physical security, you don't have a secure system.

6. Give SA a Strong Password

You must ensure that the sa account has a strong password. If your SQL Server sa account isn't password-protected or uses a weak password such as "password," your system and possibly your entire network are easy prey for intruders.

5. Strengthen Your Firewall

To stop direct Internet access to your SQL Server system, block TCP port 1433 and UDP port 1434 at your firewall. Also, block any other ports you're using (e.g., for multiple instances). This one action would have stopped the SQL Slammer worm.

4. Enable Windows Authentication

Windows authentication provides stronger cross-network security than the mixed SQL Server security model. With Windows authentication, you don't need to embed logins and passwords in the application code where intruders can find them. Windows authentication also helps prevent Internet intrusions by allowing access only to domain accounts.

3. Limit Special Accounts' Rights

Set up special accounts, such as MSSQLServer and SQL Agent, to run as Windows domain users with regular user privileges, not as administrators. Many exploits target these accounts, so your network's at risk if these services have more authority than necessary. When you're setting up security, remember the principle of least privileges: Don't assign more rights than any account or service needs. If you don't need SQL Agent, reduce your attack surface by not running it.

2. Apply SP3a

The newest service packs always include the latest security fixes. Network intrusions often originate well after known problems and fixes are published. However, when creating exploits, crackers count on many organizations never applying the fixes.

1. Run a Security Analyzer

Several tools, such as Microsoft Baseline Security Analyzer, scan your network and servers for known security exposures, including those I've mentioned here. The tool you use isn't important, but instituting a regular routine of scanning for security problems and fixing them before someone else finds them is.