Securing SQL Server 2005 Express

Question

  • Hello,

    I developed a small desktop system using SQL Server 2005 Express as the data backend. The machine that hosts SQL Server 2005 Express, as well as all the workstations that interact with it, belong to the same private LAN segment. All of them have non-public IP addresses from the 192.168.0.x range, which means they're not directly visible from the outside world, despite having internet access through a router that does NAT. As we all know, this is the typical scenario for sharing internet access in a small LAN.

    Now, my concern is with the security of the host running SQL Server 2005 Express. In particular, what measures do I have to implement to minimize the risk that may come from the public internet? It's naive to think that because the potential attack surface is NATted behind a router, security is guaranteed and data theft or DoS attacks simply won't happen.
    What are the guidelines for securing SQL Server 2005 Express in a scenario like this?
    (Side note: SQL Server 2005 Express is running on Windows XP Pro)

    Thanks.

    Fernando

    Wednesday, March 19, 2008 9:29 PM

Answers

  • Hello Fernando,

    Refer to this link, which describes securing SQL Server Express Edition. It provides general guidelines for securing SQL Server Express.

    - Deepak
    Thursday, March 20, 2008 1:24 AM
  • Since SQLEXPRESS is a named instance, my recommendation to you might be to turn off dynamic port allocation, and force the SQL Express instance to run on a non-standard port like 1501 or 4855. Then ensure that your firewall blocks all inbound traffic on this port. Turn off your SQL Browser, and then on each client run the client configuration tool (cliconfg) to create an alias that maps the servername to servername,port as a TCP/IP connection.

    This creates more management work when adding a workstation that needs to talk to SQL Express, though. You also want to follow general best practices, like minimizing the surface area of SQL by not enabling any of the features not required. Also maintain a strong SA password, and run SQL under a low-privilege user account that is not Local System or Network Service.

    Thursday, March 20, 2008 1:30 AM
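    A check for the configuration the reply above describes, as an added example that is not part of the thread: it reads the registry values SQL Server 2005 and cliconfg write and reports anything that still deviates. It assumes the instance id MSSQL.1, the instance name SQLEXPRESS, the port 4855 from the reply, and a hypothetical alias name APPDBALIAS; sections 1-3 run on the SQL host, section 4 on a workstation.

```powershell
# Added post-hardening audit, not from the thread. Assumptions: instance id
# MSSQL.1 (the first SQL 2005 instance on the box), instance name SQLEXPRESS,
# the static port chosen from the reply, and a hypothetical cliconfg alias name.
$InstanceId   = 'MSSQL.1'
$InstanceName = 'SQLEXPRESS'
$ExpectedPort = '4855'        # one of the non-standard ports suggested in the reply
$AliasName    = 'APPDBALIAS'  # hypothetical alias; set to what cliconfg created
$findings = @()

# 1. TCP listener: dynamic ports off, static port pinned to the chosen value.
$tcpKey = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$InstanceId\MSSQLServer\SuperSocketNetLib\Tcp\IPAll"
$tcp = Get-ItemProperty -Path $tcpKey
if ($tcp.TcpDynamicPorts -ne '') {
    $findings += "TcpDynamicPorts='$($tcp.TcpDynamicPorts)': dynamic port allocation still on"
}
if ($tcp.TcpPort -ne $ExpectedPort) {
    $findings += "TcpPort='$($tcp.TcpPort)': expected $ExpectedPort"
}

# 2. SQL Browser: stopped and disabled, since clients no longer resolve the port via UDP 1434.
$browser = Get-WmiObject Win32_Service -Filter "Name='SQLBrowser'"
if ($browser -and ($browser.State -ne 'Stopped' -or $browser.StartMode -ne 'Disabled')) {
    $findings += "SQLBrowser is $($browser.State)/$($browser.StartMode): expected Stopped/Disabled"
}

# 3. Engine service account: neither LocalSystem nor NetworkService.
$engine = Get-WmiObject Win32_Service -Filter "Name='MSSQL`$$InstanceName'"
if (-not $engine) {
    $findings += "service MSSQL`$$InstanceName not found"
} elseif ($engine.StartName -match 'LocalSystem|NetworkService') {
    $findings += "MSSQL`$$InstanceName runs as $($engine.StartName): use a low-privilege account"
}

# 4. Client-side alias (run on a workstation): must be TCP (DBMSSOCN) to server,port.
$connectTo = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo' -ErrorAction SilentlyContinue
$alias = if ($connectTo) { $connectTo.$AliasName } else { $null }
if (-not $alias) {
    $findings += "alias $AliasName not defined in ConnectTo"
} elseif ($alias -notmatch "^DBMSSOCN,[^,]+,$ExpectedPort`$") {
    $findings += "alias $AliasName='$alias': expected DBMSSOCN,<server>,$ExpectedPort"
}

if ($findings.Count -eq 0) { 'All checks passed' } else { $findings | ForEach-Object { "FINDING: $_" } }
```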

All replies

  • I was posting at the same time as Deepak.  You should likely pay attention to that document first, then build upon it with recommendations in my post to further secure the instance.

    Thursday, March 20, 2008 1:33 AM
  • Thanks,

    Fernando

    Thursday, March 20, 2008 1:57 PM