Is use of Named Pipes with Extended Protection with Channel Binding considered secure? RRS feed

  • Question

  • Hi,

    I'm setting up some new servers (SQL Server 2012 Enterprise Edition on Windows Server 2008 R2 Enterprise Edition) which are supposed to be more secure because of the data being stored.  I was planning to use Extended Protection, both Service Binding and Channel Binding, but found that some of our infrastructure components couldn't connect with that configuration, apparently because the SQL Native Client is not in use.

    But I found something surprising -- if I enable the Named Pipes protocol, then I can successfully connect with forced encryption and Extended Protection required.  Nothing in the documentation I've found says that Named Pipes connections bypass Extended Protection, so my assumption is that Extended Protection is in fact doing what I want it to do for connections made via Named Pipes.  Can anyone confirm (or disprove) that?

    In general, would we consider the configuration I've described to be a good option?  The alternative would be to disable Extended Protection, disable the Named Pipes protocol, and make all connections via TCP.

    FWIW, we are currently opening port 445 to these servers in our firewall rules, so using Named Pipes would not require poking more holes in the firewall.

    Thanks in advance.


    Friday, April 26, 2013 4:56 PM

All replies

  • Hi Dave,

    Firstly enable Extended Protection on the server computer, then enable Extended Protection in SQL Server 2012. Please make sure you do the appropriate steps to enable it. After enable Extended Protection, we could not connect to the SQL Server instance whether Named Pipes is enabled or not.

    Named Pipes is a protocol developed for local area networks. A part of memory is used by one process to pass information to another process, so that the output of one is the input of the other. TCP/IP is a common protocol widely used over the Internet. It communicates across interconnected networks of computers that have diverse hardware architectures and various operating systems. TCP/IP includes standards for routing network traffic and offers advanced security features. It is your choice.

    Connecting to the Database Engine Using Extended Protection: http://msdn.microsoft.com/en-us/library/ff487261(v=SQL.105).aspx.


    Maggie Luo
    TechNet Community Support

    Wednesday, May 1, 2013 8:47 AM
  • Maggie,

    Thanks for your reply.  The first thing you mentioned is the need to enable Extended Protection at the OS level.  From what I understand, it is enabled by default on Windows Server 2008 R2 (and newer).  So I thought there was nothing to configure on the OS.  Can you confirm that, or could you please explain further what you think I might need to do?  I appreciate your help...


    Wednesday, May 1, 2013 2:01 PM