Minimize SQL Server 2008 Surface Area

SQL Server 2008 R2

Surface area reduction is a security measure that involves stopping or disabling unused components. Surface area reduction helps to improve security by providing fewer avenues for potential attacks on a system.

For new installations of SQL Server 2008, some features, services, and connections are disabled or stopped to reduce the SQL Server surface area. For upgraded installations, all features, services, and connections remain in their pre-upgrade state.

  • Use SQL Server Configuration Manager to enable, disable, start, or stop services and configure the remote connectivity of your Database Engine.
  • Use Policy-Based Management to enable and disable optional features.

Using SQL Server Configuration Manager

The SQL Server Configuration Manager is installed with all editions of SQL Server.

To open the SQL Server Configuration Manager
  1. On the Start menu, point to All Programs, point to Microsoft SQL Server 2008 R2, point to Configuration Tools, and then click SQL Server Configuration Manager.

To configure a service to start automatically
  1. In SQL Server Configuration Manager, expand SQL Server Services.

  2. In the details pane, right-click one of the SQL Server services, and then click Properties.

  3. In the Properties dialog box, set Start Mode to Automatic.

To configure the Database Engine to accept remote connections
  1. In SQL Server Configuration Manager, expand SQL Server Network Configuration, and then click Protocols for <instancename>.

  2. In the details pane, right-click one of the available protocols, and then click Properties.

    Note:
    The shared memory protocol cannot be enabled for remote connections.

  3. To enable a protocol for remote connections, set the Enabled box to Yes.

For help with SQL Server Configuration Manager, view the SQL Server Configuration Manager help file, or see SQL Server Books Online. To configure SOAP and Service Broker endpoints, use CREATE ENDPOINT and ALTER ENDPOINT.

Using Policy-Based Management

Policy-Based Management is configured using SQL Server Management Studio. If Management Studio is not installed, run setup and install the client tools. Management Studio is not part of the installation of SQL Server Express. Download Management Studio Express from Microsoft.com. The features of Policy-Based Management are described in SQL Server Books Online.

To open the SQL Server Management Studio
  1. On the Start menu, point to All Programs, point to Microsoft SQL Server 2008 R2, and then click SQL Server Management Studio.

To configure Policy-Based Management
  1. In Management Studio, connect to an instance of Database Engine, expand Management, and then expand Policy Management.

  2. Configure Policy-Based Management by using the following three facets:

    • Surface Area Configuration
    • Surface Area Configuration for Analysis Services
    • Surface Area Configuration for Reporting Services

    The surface area configuration features that are turned off by default should not be turned on unless they are required for a specific business need.

Recommended Settings:

  • Recommended settings for the Database Engine
    Set all properties of the Surface Area Configuration facet to false.
  • Recommended settings for Analysis Services
    Set all properties of the Surface Area Configuration for Analysis Services facet to false.
  • Recommended settings for Reporting Services
    Use the Surface Area Configuration for Reporting Services to disable any Reporting Services features that you do not need.
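
The following Transact-SQL is an added example, not part of the original Microsoft topic. It audits a Database Engine instance against the "all false" recommendation above. The mapping from Surface Area Configuration facet properties to sys.configurations option names is supplied by this example and is noted in the comments.

```sql
-- Added example: read-only audit of Database Engine surface area settings.
-- Requires only the default visibility of server-level catalog views.

-- 1. Server options behind the Surface Area Configuration facet.
--    Facet property (assumed mapping)  -> sys.configurations name
--    AdHocRemoteQueriesEnabled         -> Ad Hoc Distributed Queries
--    ClrIntegrationEnabled             -> clr enabled
--    DatabaseMailEnabled               -> Database Mail XPs
--    OleAutomationEnabled              -> Ole Automation Procedures
--    RemoteDacEnabled                  -> remote admin connections
--    SqlMailEnabled                    -> SQL Mail XPs
--    XPCmdShellEnabled                 -> xp_cmdshell
SELECT  c.name                      AS setting,
        CAST(c.value AS int)        AS configured_value,  -- takes effect after RECONFIGURE or restart
        CAST(c.value_in_use AS int) AS running_value,     -- what the instance enforces now
        CASE
            WHEN CAST(c.value AS int) = 0
             AND CAST(c.value_in_use AS int) = 0 THEN 'OK'
            ELSE 'REVIEW'                                 -- enabled, or pending a change
        END                         AS status
FROM    sys.configurations AS c
WHERE   c.name IN ('Ad Hoc Distributed Queries',
                   'clr enabled',
                   'Database Mail XPs',
                   'Ole Automation Procedures',
                   'remote admin connections',
                   'SQL Mail XPs',
                   'xp_cmdshell')
ORDER BY status DESC, c.name;

-- 2. SOAP and Service Broker endpoints (facet properties SoapEndpointsEnabled
--    and ServiceBrokerEndpointActive). An empty result means none are defined.
SELECT  e.type_desc  AS endpoint_type,
        e.name       AS endpoint_name,
        e.state_desc AS endpoint_state,
        CASE WHEN e.state_desc = 'STARTED' THEN 'REVIEW' ELSE 'OK' END AS status
FROM    sys.endpoints AS e
WHERE   e.type_desc IN ('SOAP', 'SERVICE_BROKER')
ORDER BY e.type_desc, e.name;
```

Any row marked REVIEW should be traced to a documented business need before it is left enabled.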
