SQL Server should be hardened after the installation. After the installation, use the SQL Server Configuration Manager tool to disable unnecessary features and services.
· Install only required components.
· Recent service packs and critical fixes should be installed for SQL Server and Windows.
· Windows Authentication mode is more secure than SQL Authentication.
· If there is still a need to use SQL Authentication, enforce a strong password policy.
· Disable the SA account and rename it. Do not use this account for SQL Server management.
· Change the default SQL Server ports associated with the SQL Server installation to keep hackers from port scanning the server.
· Change the service account password at regular intervals.
· Hide SQL Server instances or disable the SQL Server Browser service.
· Remove the BUILTIN\Administrators group from the SQL Server Logins.
· Enable logging of SQL Server login attempts (failed and successful).
· Disable the SQL guest account.
· Disable xp_cmdshell unless it is absolutely needed.
· Block TCP port 1433 and UDP port 1434 at the firewall, except when the Administration & Data Server is not in the same security zone as the Logger.
· Change the recovery actions of the Microsoft SQL Server service to restart after a failure.
· Remove all sample databases, for example, Pubs and Northwind.
· Enable auditing for failed logins.
· Enable both Named Pipes and TCP/IP endpoints during SQL Server 2008 R2 setup. Make sure Named Pipes has a higher order of priority than TCP/IP.
· Not all schemas should be owned by dbo.
· Enable automatic updates whenever feasible, but test them before applying them to production systems.