Microsoft SQL Database Asset Protection Standards
Revision as of 12:44, 8 May 2007
SQL Administrator Checklist
Setting Up the Environment Prior to Installation
Physical security
- Ensure the physical security of your server.
Firewalls
- Put a firewall between your server and the Internet.
- Always block TCP port 1433 and UDP port 1434 on your perimeter firewall. If named instances are listening on additional ports, block those too.
- In a multi-tier environment, use multiple firewalls to create screened subnets.
Isolation of services
- Isolate services to reduce the risk that a compromised service could be used to compromise others.
- Never install SQL Server on a domain controller.
- Run separate SQL Server services under separate Windows accounts.
- In a multi-tier environment, run Web logic and business logic on separate computers.
Service accounts
- Create Windows accounts with the lowest possible privileges for running SQL Server services.
File System
- Use NTFS.
- Use RAID for critical data files.
Installation
- Always install the latest service packs and security patches.
Service accounts
- Run SQL Server services with the lowest possible privileges.
- Use Enterprise Manager to associate services with Windows accounts.
Authentication mode
- Require Windows Authentication for connections to SQL Server.
Strong passwords
- Always assign a strong password to the sa account, even when using Windows Authentication.
- Always use strong passwords for all SQL Server accounts.
Configuration Options and Settings After Installation
Delete or secure old setup files
- Delete or archive the following files after installation: sqlstp.log, sqlsp.log, and setup.iss in the <systemdrive>:\Program Files\Microsoft SQL Server\MSSQL\Install folder for a default installation, and the <systemdrive>:\Program Files\Microsoft SQL Server\MSSQL$<Instance Name>\Install folder for named instances.
- If the current system is an upgrade from SQL Server 7.0, delete the following files: setup.iss in the %Windir% folder, and sqlsp.log in the Windows Temp folder.
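The setup-file check above can be scripted so it is repeatable across servers. The following PowerShell is an added example, not part of the original checklist; the function name Find-SqlSetupLeftovers is hypothetical, and it assumes the install root sits under $env:SystemDrive and that "Windows Temp" means %Windir%\Temp.

```powershell
# Added example: report leftover SQL Server setup files named in the checklist.
# Assumptions: install root is under $env:SystemDrive; "Windows Temp" is %Windir%\Temp.
function Find-SqlSetupLeftovers {
    param(
        [string]$SqlRoot = (Join-Path "$env:SystemDrive\" 'Program Files\Microsoft SQL Server'),
        [string]$WinDir  = $env:windir
    )

    $targets = @()

    # Default instance: ...\MSSQL\Install
    # Named instances:  ...\MSSQL$<Instance Name>\Install
    if (Test-Path -LiteralPath $SqlRoot) {
        $installDirs = Get-ChildItem -LiteralPath $SqlRoot -Directory |
            Where-Object { $_.Name -eq 'MSSQL' -or $_.Name -like 'MSSQL$*' } |
            ForEach-Object { Join-Path $_.FullName 'Install' }

        foreach ($dir in $installDirs) {
            foreach ($name in 'sqlstp.log', 'sqlsp.log', 'setup.iss') {
                $targets += Join-Path $dir $name
            }
        }
    }

    # Locations the checklist names for upgrades from SQL Server 7.0
    $targets += Join-Path $WinDir 'setup.iss'
    $targets += Join-Path (Join-Path $WinDir 'Temp') 'sqlsp.log'

    foreach ($path in $targets) {
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $item = Get-Item -LiteralPath $path
            # List who holds an Allow entry so the file can be triaged before removal
            $allowed = (Get-Acl -LiteralPath $path).Access |
                Where-Object { $_.AccessControlType -eq 'Allow' } |
                ForEach-Object { $_.IdentityReference.Value } |
                Sort-Object -Unique

            [pscustomobject]@{
                Path              = $item.FullName
                LastWriteTime     = $item.LastWriteTime
                SizeBytes         = $item.Length
                AllowedIdentities = $allowed -join '; '
            }
        }
    }
}

Find-SqlSetupLeftovers | Format-List
```

The script only reports; any file it lists should then be deleted or archived as the checklist directs.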
Choose static ports for named instances
- Assign static ports to named instances of SQL Server.