Hi, As DBA, its many time we have to faced Questions from Auditors or Clients where your SQL Server follow SQL Server Hardening best practices?, Here are some few as,
- During installation, Install only required components, When the SQL Server installation is complete, harden the SQL Server environment.
- After the installation, use the SQL Server Configuration Manager tool in order to disable unnecessary features and services.
- Install the most recent critical fixes and service packs for both Windows and SQL Server.
- When you’re selecting authentication modes, Windows Authentication is a more secure choice
- If there is still a need to use SQL Authentication – enforce strong password policy.
- Do not use the SA account for day-to-day administration, logging on to the server remotely, or having applications use it to connect to SQL. It is best if the SA account is disabled and renamed.
- Create a role-based security policy with the Security Configuration Wizard tool.
- Create policies with Policy Based Management enable/ disable unnecessary features and services.
- After the server has been hardened, periodically asses the server’s security using the MBSA (Microsoft Baseline Security Analyzer) and SQL Server BPA (Best Practices Analyzer).
- For production SQL Servers running mission-critical databases, either hide the instance or disable the SQL Server Browser service.
- Change the default ports associated with the SQL Server installation to put off hackers from port-scanning the server.
- Enable a firewall to filter unnecessary and unknown traffic.
- At the very least, set security auditing to failed login attempts; otherwise, both failed and successful logins should be captured and monitored.
-
If upgrading previous versions of SQL Server, remove the BUILTIN/Administrators group from the SQL Server Logins.
-
Use the IIS Lockdown and URL Scan tools to harden IIS.
WikiDBA 