SQL Default Port can be changed or not for Security reason ??

  • Question

  • Hi,

    We are planning to configure DC-DR replication using either Log Shipping or Always-On, using Windows STD 2016 and SQL ENT / STD 2016.

    For Log Shipping, port 135 is mandatory to copy files. This is a known port.

    From a data security point of view:

    1. Whether it is possible to change port 135 to another TCP port, and will that work? If yes, then which port should I use for the

    2. There are many other default ports used by SQL Server, Windows Server and clustering (1433, 443, 445, 137, 138 etc.). For security, what are the alternative ports which can be used instead of the default ports?

       
      Requesting you to please share Microsoft Link for the same.

    Thanks in advance

    Nikhil P Desai.




    Friday, April 21, 2017 7:12 AM

All replies

  • Hello Nikhil,

    Some ports are changeable, but why take the effort? An IP port scanner (https://en.wikipedia.org/wiki/Port_scanner) will still find them when external access isn't blocked; it just takes some more time, that's all.

    Better to put more effort into setting up firewall/DMZ security instead.


    Olaf Helper


    Friday, April 21, 2017 7:48 AM
  • Hi Nikhil P Desai,

    >>Whether it is possible to change port 135 to another TCP port, and will that work? If yes, then which port should I use for the

    Port 135 is a well-known port that has multiple purposes (for example, RPC), so I wouldn't touch it. In fact, I wouldn't touch any well-known port at all.

    >>There are many other default ports used by SQL Server, Windows Server and clustering (1433, 443, 445, 137, 138 etc.). For security, what are the alternative ports which can be used instead of the default ports?

    Theoretically a non-default port should provide extra security, but it only provides minimal security in the real world, and causes too much trouble when managing your database system. I would suggest you review this blog to get a clear picture of it.

    In addition, what you really need here is a site-to-site VPN to secure the connections between your DR/DC sites. That is something you should work on with your network team.

    If you have any other questions, please let me know.

    Regards,
    Lin


    MSDN Community Support


    Monday, April 24, 2017 7:30 AM
  • Hi,

    Changing those ports will give you a false feeling of security.

    Anyone can identify SQL ports with network sniffers, and remember: there are only 64K ports available.

    I'd rather focus on securing the traffic between SQL Server and its clients.

    Monday, April 24, 2017 9:49 PM
    There is a very practical reason for changing the port assignments of SQL instances when there are multiple instances installed on a server, which is a very common configuration in corporate environments.

    Each SQL instance must have its own unique port assignment to distinguish it from the other instances for connectivity purposes.

    Otherwise, changing port assignment for SQL instance and other services does little from a security standpoint, as others have stated, other than maybe making it a bit harder for a malicious hacker to find SQL port to attack.

    If you want to improve database security, consider switching SQL authentication from 'mixed mode' to Windows only and implementing Kerberos authentication protocol instead of NTLM.

    HTH,


    Phil Streiff, MCDBA, MCITP, MCSA

    Tuesday, April 25, 2017 1:16 PM
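The two hardening steps recommended in the reply above (Windows-only authentication, Kerberos instead of NTLM) can be audited from T-SQL. This is an added example, not code from the thread or from Microsoft; it assumes SQL Server 2016 and a login holding VIEW SERVER STATE, and no other object names.

```sql
-- Added audit script: checks the authentication posture of a SQL Server
-- instance against the recommendations in this thread.
-- Assumes VIEW SERVER STATE; all catalog views and DMVs below are built in.

-- 1. Authentication mode: 1 = Windows authentication only, 0 = mixed mode.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- 2. SQL logins that still exist and are enabled (mixed-mode accounts).
--    Any row here is a candidate to disable before switching modes.
SELECT name, create_date
FROM sys.sql_logins
WHERE is_disabled = 0
ORDER BY name;

-- 3. How current TCP sessions actually authenticated.
--    auth_scheme is 'KERBEROS', 'NTLM' or 'SQL'; NTLM usually means the
--    SPN is missing, and SQL means a mixed-mode login is still in use.
--    local_tcp_port also shows which port each instance is serving on,
--    which is the one legitimate reason in this thread for non-default ports.
SELECT c.auth_scheme,
       s.login_name,
       s.host_name,
       c.client_net_address,
       c.local_tcp_port
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions AS s
  ON s.session_id = c.session_id
WHERE c.net_transport = 'TCP'
ORDER BY c.auth_scheme, s.login_name;
```

Run it periodically on both the DC and DR instances; a change in the auth_scheme distribution (for example Kerberos sessions falling back to NTLM) is an early sign of an SPN or account problem rather than something a port change would reveal.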