SQL Server Hardening

Hi, As DBA, its many time we have to faced Questions from Auditors or Clients where your SQL Server follow SQL Server Hardening best practices?, Here are some few as,

• During installation, Install only required components, When the SQL Server installation is complete, harden the SQL Server environment.
  
• After the installation, use the SQL Server Configuration Manager tool in order to disable unnecessary features and services.
  
• Install the most recent critical fixes and service packs for both Windows and SQL Server.
  
• When you’re selecting authentication modes, Windows Authentication is a more secure choice
  
• If there is still a need to use SQL Authentication – enforce strong password policy.
  
• Do not use the SA account for day-to-day administration, logging on to the server remotely, or having applications use it to connect to SQL. It is best if the SA account is disabled and renamed.
  
• Create a role-based security policy with the Security Configuration Wizard tool.
  
• Create policies with Policy Based Management enable/ disable unnecessary features and services.
  
• After the server has been hardened, periodically asses the server’s security using the MBSA (Microsoft Baseline Security Analyzer) and SQL Server BPA (Best Practices Analyzer).
  
• For production SQL Servers running mission-critical databases, either hide the instance or disable the SQL Server Browser service.
  
• Change the default ports associated with the SQL Server installation to put off hackers from port-scanning the server.
  
• Enable a firewall to filter unnecessary and unknown traffic.
  
• At the very least, set security auditing to failed login attempts; otherwise, both failed and successful logins should be captured and monitored.
  
• If upgrading previous versions of SQL Server, remove the BUILTIN/Administrators group from the SQL Server Logins.
  
• Use the IIS Lockdown and URL Scan tools to harden IIS.