The passion for becoming a professional DBA led to the creation of this blog.
Let's start the first day with a DBA's best practices to harden SQL Server.
Summary of Best Practices
· SQL Server should be hardened after the installation.
· After the installation, use the SQL Server Configuration Manager tool in order to disable unnecessary features and services.
· Install only required components.
· Recent service packs and critical fixes should be installed for SQL Server and Windows.
· Windows Authentication mode is more secure than SQL Authentication.
· If there is still a need to use SQL Authentication – enforce strong password policy.
· Disable the SA account and rename it. Do not use this account for SQL Server management.
· Change default SQL Server ports associated with the SQL Server installation to keep hackers from port scanning the server.
· Change the service account password at regular intervals.
· Hide SQL Server instances or disable the SQL Server Browser service.
· Remove the BUILTIN\Administrators group from the SQL Server logins.
· Enable logging SQL Server login attempts (failed & successful).
· Disable the SQL guest account.
· Disable xp_cmdshell unless it is absolutely needed.
· Block TCP port 1433 and UDP port 1434 at the firewall, except when the Administration & Data Server is not in the same security zone as the Logger.
· Change the recovery actions of the Microsoft SQL Server service to restart after a failure.
· Remove all sample databases, for example, Pubs and Northwind.
· Enable auditing for failed logins.
· Enable both Named Pipes and TCP/IP endpoints during SQL Server 2008 R2 setup. Make sure Named Pipes has a higher order of priority than TCP/IP.
· Not all schemas should be owned by dbo.
· Enable automatic updates whenever feasible but test them before applying to production systems.
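Several of the items above (xp_cmdshell, password policy, the sa account, BUILTIN\Administrators, login auditing, hiding the instance, sample databases and the guest user) can be applied from T-SQL. The script below is an added example written for this post, not code from the original article; it assumes a placeholder user database [AppDB], a SQL login [app_user] and a new name [sys_admin_renamed] for the sa login, all of which are constructed names to be replaced with your own.

```sql
-- Constructed hardening script (added example, not from the original post).
-- Assumptions: placeholder database [AppDB], SQL login [app_user], and the
-- new name [sys_admin_renamed] for sa. Run as sysadmin in SSMS or sqlcmd.
USE master;
GO

-- 1. Disable xp_cmdshell unless it is absolutely needed.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
GO

-- 2. Enforce the Windows password policy and expiration on a SQL Authentication login.
ALTER LOGIN [app_user] WITH CHECK_POLICY = ON, CHECK_EXPIRATION = ON;
GO

-- 3. Disable the sa login, then rename it (disable first, while the name is still sa).
IF EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'sa')
BEGIN
    ALTER LOGIN sa DISABLE;
    ALTER LOGIN sa WITH NAME = [sys_admin_renamed];
END;
GO

-- 4. Remove the BUILTIN\Administrators login; give named DBAs their own logins instead.
IF EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'BUILTIN\Administrators')
    DROP LOGIN [BUILTIN\Administrators];
GO

-- 5. Log both failed and successful login attempts (AuditLevel 3 = both).
--    The setting is read at startup, so it takes effect after a service restart.
EXEC xp_instance_regwrite N'HKEY_LOCAL_MACHINE',
     N'Software\Microsoft\MSSQLServer\MSSQLServer',
     N'AuditLevel', REG_DWORD, 3;
GO

-- 6. Hide the instance from SQL Server Browser enumeration (restart required).
EXEC xp_instance_regwrite N'HKEY_LOCAL_MACHINE',
     N'Software\Microsoft\MSSQLServer\SuperSocketNetLib',
     N'HideInstance', REG_DWORD, 1;
GO

-- 7. Remove the sample databases if they are present.
IF DB_ID(N'Northwind') IS NOT NULL DROP DATABASE Northwind;
IF DB_ID(N'pubs') IS NOT NULL DROP DATABASE pubs;
GO

-- 8. Disable the guest user in a user database.
--    (guest must stay enabled in master, tempdb and msdb.)
USE [AppDB];
REVOKE CONNECT FROM guest;
GO

-- 9. Verify the outcome.
USE master;
SELECT name, value_in_use FROM sys.configurations WHERE name = 'xp_cmdshell';      -- expect 0
SELECT name, is_disabled, is_policy_checked, is_expiration_checked FROM sys.sql_logins;
SELECT name FROM sys.server_principals WHERE name = N'BUILTIN\Administrators';    -- expect no rows
GO
```

Stopping the SQL Server Browser service, changing the listening port and setting the service recovery actions are done in SQL Server Configuration Manager or the Windows Services console rather than in T-SQL, and the two registry writes above only apply after the service is restarted, so schedule the restart as part of the same change window.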
I would appreciate your suggestions. Please comment with your feedback or reach out to me by email.
SQL engineer, MCP