Understanding Surface Area Configuration

In the default configuration of new installations of SQL Server, many features are not enabled. SQL Server selectively installs and starts only key services and features, to minimize the number of features that can be attacked by a malicious user. A system administrator can change these defaults at installation time and also selectively enable or disable features of a running instance of SQL Server. Additionally, some components may not be available when connecting from other computers until protocols are configured.

Note

Unlike new installations, no existing services or features are turned off during an upgrade, but additional surface area configuration options can be applied after the upgrade is completed.

Protocols, Connection, and Startup Options

Use SQL Server Configuration Manager to start and stop services, configure the startup options, and enable protocols and other connection options.

To start SQL Server Configuration Manager

  • On the Start menu, point to All Programs, point to Microsoft SQL Server 2008, point to Configuration Tools, and then click SQL Server Configuration Manager.

    • Use the SQL Server Services area to start components and configure the automatic starting options.

    • Use the SQL Server Network Configuration area to enable connection protocols and to set connection options, such as fixed TCP/IP ports or forced encryption.

For more information, see SQL Server Configuration Manager. Remote connectivity can also depend upon the correct configuration of a firewall. For more information, see Configuring the Windows Firewall to Allow SQL Server Access.

Enabling and Disabling Features

SQL Server features can be enabled and disabled by using facets in SQL Server Management Studio.

To configure surface area using facets

  1. In Management Studio, connect to a component of SQL Server.

  2. In Object Explorer, right-click the server, and then click Facets.

  3. In the View Facets dialog box, expand the Facet list, and select the appropriate Surface Area Configuration facet (Surface Area Configuration, Surface Area Configuration for Analysis Services, or Surface Area Configuration for Reporting Services).

  4. In the Facet properties area, select the values that you want for each property.

  5. Click OK.

To periodically check the configuration of a facet, use Policy-Based Management. For more information about Policy-Based Management, see Administering Servers by Using Policy-Based Management.

You can also set Database Engine options using the sp_configure stored procedure. For more information, see Setting Server Configuration Options.
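The following T-SQL is an added example, not part of the original documentation. It reports the state of several Database Engine options with sys.configurations and then turns two of them off with sp_configure. The choice of options to review and to disable is an assumption; match it to your own baseline.

```sql
-- Added example. Run as a login with ALTER SETTINGS permission
-- (held by the sysadmin and serveradmin fixed server roles).

-- 1. Report configured vs. running values. sys.configurations lists
--    advanced options even when 'show advanced options' is 0.
SELECT  name,
        CAST(value AS int)        AS configured_value,
        CAST(value_in_use AS int) AS running_value,
        CASE WHEN CAST(value AS int) <> CAST(value_in_use AS int)
             THEN 'change pending (RECONFIGURE or restart)'
             ELSE ''
        END                       AS note
FROM    sys.configurations
WHERE   name IN (N'Ad Hoc Distributed Queries',   -- OPENROWSET / OPENDATASOURCE
                 N'clr enabled',                  -- user CLR assemblies
                 N'Database Mail XPs',
                 N'Ole Automation Procedures',    -- sp_OACreate and related
                 N'remote admin connections',     -- remote DAC
                 N'xp_cmdshell')                  -- operating system commands
ORDER BY name;

-- 2. Disable the features this instance does not need.
--    Both options below are advanced, so expose them first.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;

EXEC sp_configure 'xp_cmdshell', 0;
EXEC sp_configure 'Ole Automation Procedures', 0;
RECONFIGURE;

-- Hide advanced options again. Skip this if your baseline keeps them visible.
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 3. Confirm the running values changed.
SELECT  name, CAST(value_in_use AS int) AS running_value
FROM    sys.configurations
WHERE   name IN (N'xp_cmdshell', N'Ole Automation Procedures');
```

Run step 1 on its own first and check whether any application depends on a feature before disabling it.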

To change the EnableIntegrated Security property of SSRS, use the property settings in SQL Server Management Studio. To change the Schedule events and report delivery property and the Web service and HTTP access property, edit the RSReportServer.config configuration file.

Command-prompt Options

Use the Invoke-PolicyEvaluation SQL Server PowerShell cmdlet to invoke Surface Area Configuration Policies. For more information, see Using the SQL Server cmdlets and How to: Enable or Disable a Server Network Protocol (SQL Server PowerShell).

SOAP and Service Broker Endpoints

To turn endpoints off, use Policy-Based Management. To create and alter the properties of endpoints, use CREATE ENDPOINT (Transact-SQL) and ALTER ENDPOINT (Transact-SQL).