SMS 2003 SQL Server Hardening list
This checklist is based on the Snapshot of a Secure Database Server published by Microsoft at https://go.microsoft.com/fwlink/?LinkId=62377, but includes comments specific to SMS. Before implementing this checklist, test it thoroughly in your lab environment.
Checklist
Component |
Characteristics |
SMS notes |
|
|---|---|---|---|
Patches and Updates |
□ |
Latest service packs and patches are applied for Microsoft® Windows® 2000 and Microsoft SQL Server™ 2000 |
|
□ |
MBSA is run on a regular interval to check for latest operating system and components updates. |
You can also use the SMS software update feature to check for latest operating system and components updates. |
|
Services |
□ |
Nonessential services are disabled. |
|
□ |
The MSDTC is disabled if not used. |
This is used for installing the management point. It can be disabled after the installation is complete. |
|
□ |
The MSSearch service is disabled if not required. |
This is not used by SMS. |
|
□ |
The SQLServerAgent service is disabled if not required. |
This is used by SMS if you are using replicated SQL Server databases. |
|
□ |
The MSSQLServerADHelper service is disabled if not required. |
This is not used by SMS. |
|
Protocols |
□ |
Unnecessary protocols are removed or disabled. |
|
□ |
The following protocols are not enabled on the server: NetBIOS and SMB. |
Do not disable NetBIOS and SMB on the SMS site database server. |
|
□ |
The TCP/IP stack is hardened. |
For procedures to harden the TCP/IP stack, see https://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/HTHardTCP.asp |
|
Accounts |
□ |
SQL Server service account is secured (least privileged). |
The SQL Server account must be a member of administrators group on the SQL Server computer. If the computer running SQL Server is running in a user context (not system context), it does not register its service principal name (SPN). This must be done manually for SMS to work properly. |
□ |
Unnecessary Windows accounts are deleted or disabled. |
If you are using standard security, the SMS Service account must be an administrator on the computer running SQL Server. |
|
|
□ |
The Windows guest account is disabled. |
|
|
□ |
A new administrator account is created. |
|
|
□ |
Strong password policy is enforced. |
|
|
□ |
Remote logons are restricted. |
|
|
□ |
Null sessions (anonymous logons) are disabled. |
|
|
□ |
Approval is required for account delegation. |
|
|
□ |
Shared accounts are not used. |
|
|
□ |
Membership of the local Administrators group is limited (ideally, no more than two members). |
|
|
□ |
The administrator account is limited to interactive logons (or a secure remote administration solution is provided). |
|
|
□ |
NTLMv2 authentication is enabled and enforced (LMCompatibilityLevel is set to 5). |
|
Files and Directories |
□ |
Volumes are formatted with NTFS. |
|
|
□ |
Everyone group has no rights to system or tools directories. |
|
|
□ |
Samples directories, Help directories, and unused admin directories are removed from the server. |
|
|
□ |
Permissions are hardened on SQL Server installation folder. |
|
|
□ |
Passwords removed from Service Pack 1 and Service Pack 2 setup log files. |
|
|
□ |
Tools, utilities, and SDKs are removed. |
|
|
□ |
Unused applications are removed. |
|
|
□ |
Sensitive data files are encrypted using EFS. (This is optional for database files (.mdf), but not for log files (.ldf)). |
|
Shares |
□ |
Unnecessary shares are removed from the server. |
|
|
□ |
Access is restricted to required shares. |
|
|
□ |
Shares are not accessible by Everyone, unless necessary. |
The shared folders created by SMS grant permissions to Everyone, but restrict access through NTFS. Also, if you create a publisher for SQL Server replication of SMS database, it must create a shared folder that can be accessed by the SQL Server agent on the subscriber computer. Make sure that the SQL Server agent has permissions on the shared folder created for replication. |
|
□ |
Administration shares (C$, Admin$) are removed if they are not required. |
Do not remove these shared folders. SMS uses these shared folders for installing remote site systems. |
Ports |
□ |
All ports except SQL Server listening port [Default 1433] are blocked |
SMS uses NetBIOS, server message block (SMB), and HTTP ports. Do not block the ports used by these protocols. |
|
□ |
Named instances are configured to listen on the same port. |
SMS does not support the use of named instances. |
|
□ |
A non-standard SQL Server port (not TCP 1443) is used as an additional layer of defense. |
This can be used, but be sure to set the SQL Server client to use this new port by creating a new DSN. |
|
□ |
The hide server option is used as an additional layer of defense (optional). |
|
|
□ |
The firewall is configured to support DTC traffic (if necessary). |
SMS management points require DTC, but are not usually Internet-facing. |
|
□ |
A firewall is used to separate users from the SQL TCP/IP port. |
|
Registry |
□ |
Everyone group is removed from SQL Server registry keys. |
|
|
□ |
SAM is secured (stand-alone servers only). |
|
SQL Server Settings
Component |
Characteristics |
SMS notes |
|
|---|---|---|---|
SQL Server Security |
□ |
Authentication setting for SQL Server is Windows Only if possible. |
Windows Authentication is recommended over SQL Server Authentication. |
|
□ |
SQL Server audit level set to Failure or All. |
|
|
□ |
The SQL Server Startup Service account is a least privileged account. |
|
SQL Server Logons, Users, and Roles |
□ |
The sa account has a strong password. |
|
|
□ |
SQL Server guest accounts are removed from non-system databases. |
|
|
□ |
The BUILTIN\Administrators group is removed from the SQL Server logons. |
|
|
□ |
The sysadmin role does not contain the BUILTIN\Administrators group. |
|
|
□ |
Permissions are not assigned for the public role. |
|
|
□ |
The sysadmin role contains no more than two users. |
|
|
□ |
Restricted (granular) database permissions are assigned. (Built-in, non-granular roles such as db_datareader and db_datawriter are avoided). |
|
|
□ |
Default permissions for SQL Server objects are not changed. |
|
SQL Server Database Objects |
□ |
All sample databases are removed from the server. |
Sample databases are not used by SMS. |
|
□ |
Stored procedures are secured. |
|
|
□ |
Extended stored procedures are secured. |
|
|
□ |
cmdExec is restricted to the sysadmin role only. |
|