SQL Server Hardening Considerations
Note: Applying SQL Server security updates or hotfixes can require that you disable the SQL Server Agent service. Set this service to "disabled" before performing the update. When the update has completed, stop the service and set it back to "enabled".
7 Use NTFS directory security with EFS for the SQL Server data directories. EFS must be enabled while logged on with the credentials of the account that the SQL Server service runs under (for example, <domain>\SQLServiceAcct).
Security Best Practices Guide for Cisco Unified ICM/Contact Center Enterprise & Hosted, Release 10.5(1)
From the Local Policy editor, temporarily grant the "Log on locally" right to this account so that EFS can be enabled, then remove the right after signing out.
Only enable EFS if data theft is a concern; it has a performance impact.
Note: To copy and send the data to other parties, back up the database to a different, unencrypted directory so that the receiving party can read the backup. You can perform this backup from SQL Server Enterprise Manager.
12 Change the recovery actions of the Microsoft SQL Server service to restart after a failure.
13 Remove all sample databases.
14 Enable auditing for failed logins.
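Items 13 and 14 can be audited and, once the report has been reviewed, remediated from T-SQL. The following script is an added example, not part of the Cisco guide or of its hardening utility; it assumes the well-known Microsoft sample database names and reads the instance's AuditLevel registry value, which is where SQL Server stores the login-auditing setting (2 = failed logins, 3 = failed and successful).

```sql
-- Added example (not from the Cisco guide or its hardening utility): audit and,
-- when @remediate = 1, remediate list items 13 and 14 in T-SQL. Run as a sysadmin.
-- The sample-database names are the usual Microsoft samples; AuditLevel is the
-- instance registry value that SQL Server reads for login auditing at startup.
SET NOCOUNT ON;
DECLARE @remediate BIT = 0;   -- set to 1 only after reviewing the reports below

-- Item 13: report well-known sample databases that are still present.
SELECT name AS sample_database_present
FROM sys.databases
WHERE name IN (N'pubs', N'Northwind', N'AdventureWorks',
               N'AdventureWorks2008R2', N'AdventureWorksDW2008R2');

-- Item 14: read the login audit level (0 = none, 1 = successful, 2 = failed, 3 = both).
DECLARE @audit_level INT;
EXEC master.dbo.xp_instance_regread
     N'HKEY_LOCAL_MACHINE',
     N'Software\Microsoft\MSSQLServer\MSSQLServer',
     N'AuditLevel',
     @audit_level OUTPUT;
SELECT @audit_level AS current_audit_level,
       CASE WHEN @audit_level IN (2, 3) THEN 'compliant: failed logins are audited'
            ELSE 'NOT compliant: failed logins are not audited' END AS status;

IF @remediate = 1
BEGIN
    -- Item 13: drop the sample databases that exist on this instance.
    IF DB_ID(N'pubs') IS NOT NULL DROP DATABASE pubs;
    IF DB_ID(N'Northwind') IS NOT NULL DROP DATABASE Northwind;
    IF DB_ID(N'AdventureWorks') IS NOT NULL DROP DATABASE AdventureWorks;
    IF DB_ID(N'AdventureWorks2008R2') IS NOT NULL DROP DATABASE AdventureWorks2008R2;
    IF DB_ID(N'AdventureWorksDW2008R2') IS NOT NULL DROP DATABASE AdventureWorksDW2008R2;

    -- Item 14: audit failed logins (2); use 3 to audit successful logins as well.
    -- The change takes effect the next time the SQL Server service starts.
    IF ISNULL(@audit_level, 0) NOT IN (2, 3)
        EXEC master.dbo.xp_instance_regwrite
             N'HKEY_LOCAL_MACHINE',
             N'Software\Microsoft\MSSQLServer\MSSQLServer',
             N'AuditLevel', REG_DWORD, 2;
END;
```

Run the script first with @remediate left at 0 and check the two result sets; the registry write only takes effect after the SQL Server service restarts, so schedule that restart with the update window described in the note above.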
Related Topics
SQL Server Users and Authentication, on page 2
SQL Server 2008 R2 Security Considerations
During installation, SQL Server Database Engine is set to either Windows Authentication mode or SQL Server
and Windows Authentication mode. If Windows Authentication mode is selected during installation, the sa
login is disabled. If you later change authentication mode to SQL Server and Windows Authentication mode,
the sa login remains disabled. To enable the sa login, use the ALTER LOGIN statement. For more details,
see http://msdn.microsoft.com/en-us/library/ms188670.aspx.
The local user or the domain user account that is created for the SQL Server service account follows the
Windows or domain password policy respectively. Apply a strict password policy on this account. However,
do not set the password to expire. If the password expires, the SQL Server service ceases to function and the
Administration & Data Server fails.
Site requirements can govern the password and account settings. Consider minimum settings like the following:

Setting                   Value
Enforce Password History  24 passwords remembered

Note: The service account password must explicitly be set to not expire.
Mixed mode authentication is enforced by the SQL Server 2008 R2 automated hardening.
During web setup, if the sa password is blank, a strong random password is generated and used to secure the sa account.
Important: This randomly generated sa password is displayed only once, during the install. Make a note of the password because it is not presented again.
You can reset the sa account password after installation by logging on to SQL Server with a Windows Local Administrator account.
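The authentication mode and the state of the sa login described in this section can be verified from T-SQL, and the same ALTER LOGIN statement the guide refers to resets or re-enables sa. The script below is an added example, not part of the Cisco guide; the password value is a placeholder and the @reset_sa switch is an assumption of the example.

```sql
-- Added example (not from the Cisco guide): verify the authentication mode and the
-- state of the sa login described above, and show the ALTER LOGIN form used to reset
-- or re-enable sa. Run from a Windows Local Administrator (sysadmin) login.
SET NOCOUNT ON;

-- IsIntegratedSecurityOnly: 1 = Windows Authentication mode,
-- 0 = SQL Server and Windows Authentication mode (mixed mode).
SELECT CASE CONVERT(INT, SERVERPROPERTY('IsIntegratedSecurityOnly'))
           WHEN 1 THEN 'Windows Authentication mode'
           ELSE 'SQL Server and Windows Authentication mode' END AS authentication_mode;

-- The sa login always has SID 0x01, so this finds it even if it has been renamed.
-- is_disabled = 1 is the expected state after a Windows-Authentication-mode install.
SELECT name, is_disabled, is_policy_checked, is_expiration_checked, modify_date
FROM sys.sql_logins
WHERE sid = 0x01;

-- Reset the sa password or re-enable the login only when the site actually needs it.
-- <strong-sa-password> is a placeholder; supply a password that meets the site policy.
DECLARE @reset_sa BIT = 0;
IF @reset_sa = 1
BEGIN
    ALTER LOGIN sa WITH PASSWORD = N'<strong-sa-password>', CHECK_POLICY = ON;
    ALTER LOGIN sa ENABLE;   -- needed only if sa was disabled at install time
END;
```

The second query reports on the login by SID rather than by name, so it still shows the right row on instances where sa has been renamed as part of hardening; is_policy_checked = 1 confirms that the Windows password policy applies to it.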
Automated SQL 2008 R2 Hardening
attack surface, and runs with lower privileges. When implementing Microsoft SQL Server 2008 R2 security
features, the database administrator must follow the guidelines in the following section.
Utility Location
The utility is located at:
%SYSTEMDRIVE%\CiscoUtils\SQLSecurity
Manual SQL 2008 R2 Server Hardening
Note: The following security hardening settings are not removed when:
1 SQL Server security mode is currently set to Windows Only Authentication.
2 The SQL Server user "sa" is set to a random password.
3 The SQLVSSWriter, SQLBrowser, and MSSQLServerADHelper100 services are disabled.
You can roll back these settings manually using the SQL Server Management Studio tool.
No Argument
If you run the utility from the command line with no argument, its help appears.
Output Log
All output logs are saved in the file:
%SYSTEMDRIVE%\CiscoUtils\SQLSecurity\Logs\ICMSQLSecurity.log
Note: The SQL Server Security Hardening utility checks for the availability and order of these endpoints.
• Disable access to all endpoints that are not required. For example, deny CONNECT permission on the VIA endpoint to all users and groups that have access to the database.
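The endpoint inventory and the VIA denial described above can be done in T-SQL. The script below is an added example, not part of the Cisco guide or its utility; it assumes the default system endpoint name TSQL Default VIA and uses the @remediate switch as an assumption of the example.

```sql
-- Added example (not from the Cisco guide): list the instance endpoints in order,
-- show who holds CONNECT on each, and optionally deny CONNECT on the VIA endpoint.
SET NOCOUNT ON;

-- Every endpoint on the instance with its protocol and state, in endpoint_id order.
SELECT e.endpoint_id, e.name, e.protocol_desc, e.type_desc, e.state_desc
FROM sys.endpoints AS e
ORDER BY e.endpoint_id;

-- Which server principals are granted or denied CONNECT on each endpoint.
SELECT e.name AS endpoint_name, sp.state_desc, sp.permission_name, pr.name AS grantee
FROM sys.server_permissions AS sp
JOIN sys.endpoints AS e
     ON sp.class_desc = 'ENDPOINT' AND sp.major_id = e.endpoint_id
JOIN sys.server_principals AS pr
     ON sp.grantee_principal_id = pr.principal_id
ORDER BY e.name, pr.name;

-- Remediation: deny CONNECT on the VIA endpoint to public, which covers every login
-- that reaches the instance. Members of sysadmin are not affected by DENY.
DECLARE @remediate BIT = 0;   -- set to 1 after reviewing the inventory above
IF @remediate = 1
   AND EXISTS (SELECT 1 FROM sys.endpoints WHERE name = N'TSQL Default VIA')
    DENY CONNECT ON ENDPOINT::[TSQL Default VIA] TO public;
```

Keep the DENY scoped to the VIA endpoint only: denying CONNECT to public on the TCP or shared-memory endpoints would lock out the Administration & Data Server's own connections.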