Sharpen Your Basic SQL Server Skills

[April 2008]
Sharpen Your Basic SQL Server Skills
Surface Area Configuration tools reduce exposure to security risks
By: Pinalkumar Dave
Features
InstantDoc #98299
From the April 2008 edition of SQL Server Magazine

Executive Summary:

Get answers to your questions about SQL Server 2005 Surface Area Configuration tools that can help you protect the SQL Server surface area from security breaches perpetrated by unauthorized users or applications.

Q: What’s the SQL Server surface area, and what security risks are associated with it?
A: All SQL Server components that are accessible by users or applications are known as the surface area. Enabling all of SQL Server’s features increases the risk of a security breach by unauthorized users or applications. To make the vulnerabilities of the surface area less visible to potential attackers, the default installation of SQL Server 2005 disables most of the at-risk features (e.g., xp_cmdshell, dedicated administrator connection). You can also deactivate unused components to reduce surface area exposure.

Q: What tools are available to increase the security of the SQL Server surface area?
A: You can use two SQL Server 2005 Surface Area Configuration tools to increase surface area security and manage common service-related operations. These tools use Window Management Instrumentation (WMI) API calls to manage SQL Server’s registry operations. The Surface Area Configuration for Services and Connections tool gives you a simple method for configuring the security of local, as well as remote, SQL Server machines. For more information, see msdn2.microsoft.com/en-us/ library/ms188980.aspx. With the Surface Area Configuration for Features tool you can enable and disable features of the Database Engine, SQL Server Analysis Services (SSAS), and SQL Server Reporting Services (SSRS). For more information, see msdn2.microsoft.com/en-us/library/ms183753.aspx.

Q: What features does the Surface Area Configuration for Features tool include?
A: The features in the Surface Area Configuration for Features tool are divided into three main categories: SSAS, Database Engine, and SSRS. SSAS features include Ad Hoc Data Mining queries, Anonymous Connections, Linked Objects, and User-Defined functions. Database Engine features include Ad Hoc Remote Queries, Common Language Runtime (CLR) Integration, Database Mail, OLE Automation, Service Broker, SQL Mail, Web Assistant stored procedures, xp_cmdshell, Dedicated Administrator Connection, and Native XML Web Services. SSRS features include HTTP access and Web Service Requests, Scheduled Events and Report Delivery, and Windows Integrated Security.

Q: What database administrative services does the Surface Area Configuration for Features tool support?
A: The tool provides an interface from which you can start, stop, pause, or resume administrative services. You can also configure whether the startup is manual, automatic, or disabled. In addition to SSAS, SSRS, and SQL Server Integration Services (SSIS), these configuration services are supported:

Database Engine
Full-Text Search service
SQL Server Integration Services (SSIS)
MSSQLServerADHelper service
Notification Services
SQL Server Agent service
SQL Server Browser service
SQL Server Writer Service

Q: How do I use the Surface Area Configuration for Features tool?
A: You can use the tool’s GUI, T-SQL in the Query Editor, or a command-line utility. To use the GUI go to Start, All Programs, SQL Server 2005, Configuration Tools, SQL Server Surface Area Configuration for Features. You can use the GUI to select a component and configure its features. To use T-SQL in the SQL Server Query Editor you need to enable xp_cmdshell, as the following example shows.

sp_configure ‘show advanced
  options’, 1
  RECONFIGURE
  GO
  sp_configure ‘xp_cmdshell’, 1
  RECONFIGURE
  GO

Use the command-line sac utility when you’re configuring multiple SQL Server machines with the same import and export Surface Area Settings. This utility creates a configuration file on the local server; this file is then exported to another server where the system imports it. The sac utility is in the \Program Files Microsoft SQL Server\90\Shared folder.

You must log on before posting a comment.

If you don't have a username & password, please register now.

Reader Comments

Hi Pinalkumar,

The topic above is interesting. I would like to know where the configuration file is, when sp_configure/sac utility is run. I would copy the configuration file into other SQL Server box.

Thanks.

Kasim Wirama

wirama@cbn.net.id- April 17, 2008

Article Rating 4 out of 5

ADS BY GOOGLE SPONSORED LINKS

CA ERwin® Data Modeler: Delivers seamless, "out of box" support for Microsoft SQL Server. Try it free.

FREE SQL Server 2005 Training CD: Demos, labs, courseware ($115 value). Choose Dev, SSAS, SSIS, SSRS.

CA ERwin® Data Modeler: Effectively manage your SQL Server deployments. View whitepaper.

SQL Newsletters – Register Today!: Sign up for our SQL or BI newsletters to stay abreast of the latest trends, technologies and challenges.

Try Idera’s new SQL admin toolset!: 24 essential desktop tools for managing SQL Server for $495.

Guide to Log Management: Comparing On-Premise and On-Demand Solutions: Log management is a required control within governmental and industry specific regulations. Read this white paper to choosing the best solution for your business.

SQL Server Fundamentals CD: Gain development basics in this content-rich CD compilation of how-to articles on the latest technologies.

Simplify your data management: Affordable multi-database query and design tool-- free trial!

FEATURED LINKS

Combat SQL Server Sprawl - Inside Experiences & Best Practices: View this web seminar to learn about an approach to successfully combat SQL Server sprawl and improve application availability and response time.

SQL Server Magazine Master CD: Take the Experts with You!: Find the solutions you need in thousands of searchable articles, helpful bonus content, and loads of expert advice with the SQL Server Magazine Master CD. Order comes with a 1-year subscription to the new, online articles posted every day!

Attention User Groups & User Group Leaders...: Announcing the eNews Generator—a FREE HTML e-newsletter builder for user group leaders. Build your HTML and text e-newsletters in minutes. And add Windows IT Pro & SQL Server Mag articles alongside your own message!.

Windows IT Pro Master CD: Take the Experts with You!: Find the solutions you need in thousands of searchable articles, helpful bonus content, and loads of expert advice with the Windows IT Pro Master CD. Order comes with a 1-year subscription to the new, online articles posted every day!

EXCHANGE 2007 Mastery Series – May 29, 2008: 3 Info-packed eLearning seminars for only $99! Learn the pros and cons of your mailbox high availability options, see real-world examples of Transport Rules, and get started with basic PowerShell commands with Mark Arnold, MCSE+M and Microsoft MVP.

Become a fan of SQL Server Magazine on Facebook: Join the SQL Server Magazine fan club on Facebook. Chat with other developers, upload your pictures, check out what's up n' coming in the next issue and more!

	SQL Server Magazine Contact Us Editorial Calendar Media Kit
	Windows IT Pro Connected Home IT Library SuperSite FAQ News Europe Edition Office & SharePoint Pro Windows Dev Pro Windows Excavator
	Copyright © 2008 Penton Media, Inc., All rights reserved. Terms and Use Privacy Statement Reprints and Licensing

Search

Reader Comments

Related Whitepapers

Related Events

Related eBooks

Related Essential Guides

Related Resources

vLabs Links

ADS BY GOOGLE SPONSORED LINKS

FEATURED LINKS