SQL Server 2000 Security Checklist
Note: See online on MSDN: http://msdn.microsoft.com/library/en-us/dnnetsec/html/CL_SecDBSe.asp
J.D. Meier, Alex Mackman, Michael Dunner, Srinath Vasireddy, Ray Escamilla and Anandha Murukan
Microsoft Corporation
June 2003
Installation Considerations for Production Servers
* Upgrade tools, debug symbols, replication support, books online, and development tools are not installed on the production server.
* Microsoft ® SQL Server™ is not installed on a domain controller.
* SQL Server Agent is not installed if it is not being used by any application.
* SQL Server is installed on a dedicated database server.
* SQL Server is installed on an NTFS partition.
* Windows Authentication mode is selected unless SQL Server Authentication is specifically required, in which case Mixed Mode is selected.
* A strong password is applied for the sa account or any other member of the sysadmin role. (Use strong passwords for all accounts.)
* The database server is physically secured.
Patches and Updates
* The latest service packs and patches have been applied for SQL Server. (See http://support.microsoft.com/default.aspx?scid=kb;EN-US;290211.)
* Post service-pack patches have been applied for SQL server. (See http://www.microsoft.com/technet/security/current.asp?productid=30&servicepackid=0.)
Services
* Unnecessary Microsoft Windows® services are disabled on the database server.
* All optional services, including Microsoft Search Service, MSSQLServerADHelper, and SQLServerAgent, are disabled if not used by any applications.
* The Microsoft Distributed Transaction Coordinator (MS DTC) is disabled if it is not being used by any applications.
* A least-privileged local or domain account is used to run each SQL Server service and any auxiliary functions (for example, backup and replication).
Protocols
* All protocols except TCP/IP are disabled within SQL Server. Check this using the Server Network Utility.
* The TCP/IP stack is hardened on the database server.
Accounts
* SQL Server is running using a least-privileged local account (or optionally, a least-privileged domain account if network services are required).
* Unused accounts are removed from Windows and SQL Server.
* The Windows guest account is disabled.
* The administrator account is renamed and has a strong password.
* Strong password policy is enforced.
* Remote logons are restricted.
* Null sessions (anonymous logons) are restricted.
* Approval is required for account delegation.
* Shared accounts are not used.
* Membership of the local administrators group is restricted (ideally, no more than two administration accounts).
Files and Directories
* Restrictive permissions are configured on SQL Server installation directories (per the guide).
* The Everyone group does not have permission to access SQL Server installation directories.
* Setup log files are secured.
* Tools, utilities, and SDKs are removed or secured.
* Sensitive data files are encrypted using EFS (This is an optional step. If implemented, use EFS only to encrypt MDF files, not LDF log files).
Shares
* All unnecessary shares are removed from the server.
* Access to required shares is restricted (the Everyone group doesn't have access).
* Administrative shares (C$ and Admin$) are removed if they are not required (Microsoft Systems Management Server (SMS) and Microsoft Operations Manager (MOM) require these shares).
Ports
* Restrict access to all ports on the server except the ports configured for SQL Server and database instances (TCP 1433 and UDP 1434 by default). UDP 1434 is the SQL Server Resolution Service used for instance name and port lookup; it only needs to be reachable from networks whose clients rely on that lookup.
* Named instances are configured to listen on a fixed (static) port. By default a named instance is assigned a port dynamically the first time it starts, which makes firewall rules for it unreliable.
* Port 3389 is secured using IPSec if it is left open for remote Terminal Services administration.
* The firewall is configured to support DTC traffic (if required by the application).
* The Hide server option is selected in the Server Network Utility (optional). Note that on SQL Server 2000 selecting Hide server also forces the instance to listen on TCP 2433 regardless of the port configured, so firewall rules and client connection strings must use 2433.
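The Ports items above are set through the Server Network Utility, but they can be verified from a query. The following T-SQL is an added example, not part of the original checklist or the guide: it reads the TCP listener settings that the Server Network Utility stores in the registry for a SQL Server 2000 default instance using xp_regread, which requires sysadmin. The registry path shown is for the default instance; a named instance stores the same values under SOFTWARE\Microsoft\Microsoft SQL Server\<InstanceName>\MSSQLServer\SuperSocketNetLib\Tcp (assumed here, substitute the actual instance name). The reading of TcpPort = 0 as "dynamic port" reflects what the Server Network Utility displays for a dynamically assigned port and is this example's own interpretation.

```sql
-- Added example: verify the Ports checklist items for a SQL Server 2000 default
-- instance by reading the TCP listener settings from the registry.
-- Assumptions: default instance, run as sysadmin (xp_regread requires it).
SET NOCOUNT ON

DECLARE @tcpKey   NVARCHAR(256)
DECLARE @tcpPort  NVARCHAR(16)
DECLARE @hideFlag INT

-- Default instance path; for a named instance use (assumed path):
-- SOFTWARE\Microsoft\Microsoft SQL Server\<InstanceName>\MSSQLServer\SuperSocketNetLib\Tcp
SET @tcpKey = N'SOFTWARE\Microsoft\MSSQLServer\MSSQLServer\SuperSocketNetLib\Tcp'

-- TcpPort is the port the instance listens on (REG_SZ, e.g. '1433').
EXEC master.dbo.xp_regread 'HKEY_LOCAL_MACHINE', @tcpKey, 'TcpPort', @tcpPort OUTPUT

-- TcpHideFlag is 1 when "Hide server" is selected in the Server Network Utility.
EXEC master.dbo.xp_regread 'HKEY_LOCAL_MACHINE', @tcpKey, 'TcpHideFlag', @hideFlag OUTPUT

SELECT @tcpPort  AS TcpPort,
       @hideFlag AS TcpHideFlag,
       CASE
           WHEN @tcpPort IS NULL
               THEN 'TCP/IP not configured for this instance'
           WHEN @tcpPort = N'0'
               THEN 'dynamic port: assign a static port so firewall rules can be written'
           WHEN @hideFlag = 1
               THEN 'Hide server set: on SQL Server 2000 the instance actually listens on 2433'
           ELSE 'static port configured; allow only this port (and UDP 1434 if instance lookup is needed)'
       END AS Finding
```

Run the query with osql or Query Analyzer on the database server itself; it does not change any setting. Compare the reported port with the firewall rule set for the server.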
Registry
* SQL Server registry keys are secured with restricted permissions.
* The SAM is secured (standalone servers only).
Auditing and Logging
* All failed Windows login attempts are logged.
* Failed object access attempts (object access auditing) are logged across the file system.
* SQL Server login auditing is enabled.
* Log files are relocated from the default location and secured with access control lists.
* Log files are configured with an appropriate size depending on the application security requirement.
* Where the database contents are highly sensitive or vital, Windows is set to Shut Down mode on overflow of the security logs.
SQL Server Security
* SQL Server authentication is set to Windows only (if supported by the application).
* The SQL Server audit level is set to Failure or All.
* SQL Server runs using a least-privileged account.
SQL Server Logins, Users, and Roles
* A strong password is set for sa (and for every other SQL Server login).
* SQL Server guest user accounts are removed.
* BUILTIN\Administrators server login is removed.
* Permissions are not granted for the public role.
* Members of sysadmin fixed server role are limited (ideally, no more than two users).
* Restricted database permissions are granted. Use of the built-in fixed database roles such as db_datareader and db_datawriter is avoided because they grant access to every table in the database and so provide limited authorization granularity.
* Default permissions that are applied to SQL Server objects are not altered.
SQL Server Database Objects
* Sample databases (including Pubs and Northwind) are removed.
* Stored procedures and extended stored procedures are secured.
* Access to CmdExec (the SQL Server Agent job-step subsystem that runs operating system commands in the context of the Agent service account) is restricted to members of the sysadmin role.
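The three sections above (SQL Server Security; Logins, Users, and Roles; Database Objects) can be audited with one query script. The following T-SQL is an added example, not part of the original checklist or the guide. It only reports findings; the corresponding remediation commands are given in comments so the script can be run safely on a production server first. It relies on the SQL Server 2000 system tables (syslogins, sysusers, sysprotects, sysobjects, sysdatabases) and on xp_loginconfig, which requires sysadmin. The temporary table #guest and the use of sp_MSforeachdb (an undocumented but long-present procedure) are this example's own choices; the action and protecttype codes are the SQL Server 2000 sysprotects values.

```sql
-- Added example: audit the SQL Server Security, Logins/Users/Roles and
-- Database Objects checklist items on a SQL Server 2000 instance.
-- Assumptions: run as sysadmin; run in master for checks 1-4, 6 and 7,
-- and once in each application database for check 5.
SET NOCOUNT ON

-- 1. Authentication mode and login audit level.
--    Want: login mode = Windows NT Authentication, audit level = failure or all.
--    Both are changed in Enterprise Manager (Server Properties > Security).
EXEC master.dbo.xp_loginconfig 'login mode'
EXEC master.dbo.xp_loginconfig 'audit level'

-- 2. Members of the sysadmin fixed server role (ideally no more than two).
--    Remove: EXEC sp_dropsrvrolemember '<login>', 'sysadmin'
SELECT name AS sysadmin_member
FROM   master.dbo.syslogins
WHERE  sysadmin = 1

-- 3. BUILTIN\Administrators server login.
--    Remove: EXEC sp_revokelogin 'BUILTIN\Administrators'
--    (only after a named sysadmin login has been created and tested)
SELECT name AS builtin_admin_login
FROM   master.dbo.syslogins
WHERE  name = 'BUILTIN\Administrators'

-- 4. guest user with database access in databases other than master and
--    tempdb (guest cannot be removed from those two).
--    Remove per database: USE <db>  EXEC sp_revokedbaccess 'guest'
CREATE TABLE #guest (db_name sysname)
EXEC sp_MSforeachdb 'USE [?]
    IF DB_NAME() NOT IN (''master'', ''tempdb'')
       AND EXISTS (SELECT 1 FROM sysusers WHERE name = ''guest'' AND hasdbaccess = 1)
        INSERT #guest VALUES (DB_NAME())'
SELECT db_name AS db_with_guest_access FROM #guest
DROP TABLE #guest

-- 5. Object permissions granted to the public role (uid 0) in the current
--    database. Revoke: REVOKE <permission> ON <object> FROM public
SELECT o.name AS object_name,
       CASE p.action
           WHEN 193 THEN 'SELECT'  WHEN 195 THEN 'INSERT'
           WHEN 196 THEN 'DELETE'  WHEN 197 THEN 'UPDATE'
           WHEN 224 THEN 'EXECUTE' WHEN 26  THEN 'REFERENCES'
           ELSE CONVERT(varchar(8), p.action)
       END AS permission,
       CASE p.protecttype WHEN 204 THEN 'GRANT WITH GRANT OPTION' ELSE 'GRANT' END AS how
FROM   sysprotects p
JOIN   sysobjects  o ON o.id = p.id
WHERE  p.uid = 0                     -- public role
AND    p.protecttype IN (204, 205)   -- grants only (206 = DENY)
ORDER  BY o.name

-- 6. Sample databases still installed.
--    Remove: DROP DATABASE pubs   DROP DATABASE Northwind
SELECT name AS sample_database
FROM   master.dbo.sysdatabases
WHERE  name IN ('pubs', 'Northwind')

-- 7. Extended stored procedures in master that public may execute.
--    Revoke: REVOKE EXECUTE ON <xp_name> FROM public
--    (test the application afterwards; some client tools call a few xp_* procs)
SELECT o.name AS xp_executable_by_public
FROM   master.dbo.sysobjects  o
JOIN   master.dbo.sysprotects p ON p.id = o.id
WHERE  o.xtype = 'X'
AND    p.uid = 0
AND    p.action = 224
AND    p.protecttype IN (204, 205)
ORDER  BY o.name
```

Every result set that is non-empty corresponds to an unmet checklist item; an empty result for checks 2 to 7 and "Windows NT Authentication" plus "failure" or "all" for check 1 means the items are satisfied. Apply the remediation commands one at a time and retest the application, since removing BUILTIN\Administrators or public grants can lock out tools that relied on them.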
Additional Considerations
* A certificate is installed on the database server to support SSL communication and the automatic encryption of SQL account credentials (optional).
* NTLM version 2 is enabled by setting LMCompatibilityLevel to 5.
Staying Secure
* Regular backups are performed.
* Group membership is audited.
* Audit logs are regularly monitored.
* Security assessments are regularly performed.
* You subscribe to SQL security bulletins at http://www.microsoft.com/technet/security/current.asp?productid=30&servicepackid=0.
* You subscribe to the Microsoft Security Notification Service at http://www.microsoft.com/technet/security/bulletin/notify.asp.