SCW and SQL 2005

Rob Nicholson - 06 Mar 2008 15:53 GMT
Currently piloting SQL 2005 in Windows 2003 R2 which comes locked down. The
SCW (security configuration wizard) has to be used to open things up.

Quick question - does the SCW "know" about SQL 2005? Does the SCW cover the
typical surface area lock down that any SQL 2005 installation offers?

Thanks, Rob.
Anith Sen - 06 Mar 2008 17:29 GMT
Two things to watch for: SCW blocks "unwanted" ports and turns off
"unneeded" services. Check your SQL Server port (the default is 1433) and
SQL related services are up and running. As long as you do not include any
additional policies for SQL Server using SCW you should be ok.

Anith

Rob Nicholson - 11 Mar 2008 14:03 GMT
> Two things to watch for: SCW blocks "unwanted" ports and turns off
> "unneeded" services. Check your SQL Server port (the default is 1433) and
> SQL related services are up and running. As long as you do not include any
> additional policies for SQL Server using SCW you should be ok.

Ports yes but also make sure SCW doesn't disable the SQL Server service!

Cheers, Rob.
Charles Wang[MSFT] - 07 Mar 2008 04:55 GMT
Hi Rob,
I agree with Anith. From this article,
http://www.microsoft.com/windowsserver2003/technologies/security/configwiz/default.mspx,
we can find that specifically, SCW does the following
functionalities:
- Disables unneeded services.
- Blocks unused ports.
- Allows further address or security restrictions for ports that are left open.
- Prohibits unnecessary IIS web extensions, if applicable.
- Reduces protocol exposure to server message block (SMB), LanMan, and Lightweight Directory Access Protocol (LDAP).
- Defines a high signal-to-noise audit policy.

SQL Server 2005 is a service application which supports Named Pipes, TCP/IP
and other protocols, if you do not restrict your SQL Server service and its
related listening ports by using SCW, it should not impact your SQL Server.
You can run "netstat -nab >C:\portlist.log" from command line to see which
TCP and UDP ports that your SQL Server is using (Find "sqlservr.exe").

If you encounter any issues in future, please feel free to let me know. It
is my pleasure to be of assistance.

Best regards,
Charles Wang
Microsoft Online Community Support
====================================================
Delighting our customers is our #1 priority. We welcome your
comments and suggestions about how we can improve the
support we provide to you. Please feel free to let my manager
know what you think of the level of service provided. You can
send feedback directly to my manager at: msdnmg@microsoft.com.
====================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.

Note: The MSDN Managed Newsgroup support offering is for
non-urgent issues where an initial response from the community
or a Microsoft Support Engineer within 1 business day is acceptable.
Please note that each follow up response may take approximately
2 business days as the support professional working with you may
need further investigation to reach the most efficient resolution.
The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by
contacting Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.
=======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
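
The port check suggested in the reply above, as an added example that is not part of the original thread: it parses saved `netstat -nab` output, collects the ports each executable accepts inbound traffic on, and reports any `sqlservr.exe` listener outside the set you intend to leave open in the SCW policy. The sample output, the helper names and the allowed-port set are constructed for illustration.

```python
# Constructed sample of "netstat -nab" output; not captured from a real server.
SAMPLE = r"""
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  c:\windows\system32\rpcss.dll
  [svchost.exe]

  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING       1620
  [sqlservr.exe]

  TCP    0.0.0.0:2301           0.0.0.0:0              LISTENING       2044
  [sqlservr.exe]

  TCP    10.0.0.5:1433          10.0.0.9:3012          ESTABLISHED     1620
  [sqlservr.exe]

  UDP    0.0.0.0:1434           *:*                                    1704
  [sqlbrowser.exe]
"""


def listeners_by_image(netstat_text):
    """Map lower-cased image name -> set of (proto, port) open for inbound traffic."""
    result = {}
    pending = None  # socket line seen, owning "[image.exe]" line not yet reached
    for raw in netstat_text.splitlines():
        line = raw.strip()
        fields = line.split()
        if len(fields) >= 3 and fields[0] in ("TCP", "UDP"):
            proto = fields[0]
            port = int(fields[1].rsplit(":", 1)[1])  # rsplit also copes with [::]:1433
            # TCP: only LISTENING sockets accept new connections; UDP has no state.
            inbound = proto == "UDP" or "LISTENING" in fields
            pending = (proto, port) if inbound else None
        elif line.startswith("[") and line.endswith("]"):
            if pending:
                result.setdefault(line[1:-1].lower(), set()).add(pending)
            pending = None
        elif line.lower().startswith("can not obtain"):
            pending = None  # netstat could not name the owner of this socket
    return result


def unexpected_ports(netstat_text, image, allowed):
    """Ports the image listens on that are not in the allowed (proto, port) set."""
    return listeners_by_image(netstat_text).get(image.lower(), set()) - set(allowed)
```

To check a real capture, pass the text of the file written by the `netstat -nab` command to `unexpected_ports` with the ports your policy opens, for example `{("TCP", 1433)}`.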

Rob Nicholson - 11 Mar 2008 14:03 GMT
> SQL Server 2005 is a service application which supports Named Pipes,
> TCP/IP
[quoted text clipped - 4 lines]
> You can run "netstat -nab >C:\portlist.log" from command line to see which
> TCP and UDP ports that your SQL Server is using (Find "sqlservr.exe").

I need some better documentation on SCW. I know what it does but the devil
is in the detail. It's not helped that whilst the SCW automatically
recognises most things installed, it gets the names wrong sometimes. For
example, even though it's SQL Server 2005 installed, the entries you have to
tweak are called SQL 2000.

Anyway, I've got the configuration working for our needs with just the
database engine. Will work on the other engines another day. For the record,
they were:
 1. Server roles: SQL Server 2000 (yes, 2000) - ensures the SQL database
    engine service is running
 2. Administration and other options: SQL Server TCP/IP sockets network
    library - allows firewall access

#1 is a service setting. #2 is a firewall setting.

NOTE: by default, SCW will fight with the surface area configuration tool.
You can enable services in there just to have SCW disable them unless you
look very carefully at the zillions of options.

As for SCW documentation, I'd like to see each entry description in human
speak :-) "Enable SQL Server TCP/IP sockets network library" isn't anywhere
near as good as an additional note that says "Enable this if you want
external systems to access this system via the TCP/IP network".

But sorted for now.

Cheers, Rob.
Charles Wang[MSFT] - 12 Mar 2008 09:17 GMT
Hi Rob,
Since this newsgroup is focused on SQL Server, if you want to know more
information regarding SCW, I recommend that you have a new post at
microsoft.public.windows.server.security for getting more dedicated support
there.

If you encounter any further issues regarding SQL Server, please feel free
to post here. It is always our pleasure to be of assistance. Have a nice
day!

Best regards,
Charles Wang
Microsoft Online Community Support