Page 41 - DCAP508_DATABASE_ADMINISTRATION

Unit 2: Installing SQL Server




               Divide the network into security zones separated by firewalls. Block all traffic, and then
               selectively admit only what is required.

               In a multi-tier environment, use multiple firewalls to create screened subnets.
               When you are installing the server inside a Windows domain, configure interior firewalls
               to allow Windows Authentication.

               If your application uses distributed transactions, you might have to configure the firewall
               to allow Microsoft Distributed Transaction Co-ordinator (MS DTC) traffic to flow between
               separate MS DTC instances. You will also have to configure the firewall to allow traffic to
               flow between the MS DTC and resource managers such as SQL Server.

          Isolate Services

          Isolating services reduces the risk that one compromised service could be used to compromise
          others. To isolate services, consider the following guidelines:

               Run separate SQL Server services under separate Windows accounts. Whenever possible,
               use a separate, low-rights Windows domain or local user account for each SQL Server service.

          Configure a Secure File System

          Using the correct file system increases security. For SQL Server installations, you should do the
          following tasks:

               Use the NTFS file system. NTFS is the preferred file system for installations of SQL
               Server because it is more stable and recoverable than FAT file systems. NTFS also enables
               security options such as file and directory Access Control Lists (ACLs) and Encrypting File
               System (EFS) file encryption. During installation, SQL Server sets appropriate ACLs on
               registry keys and files if it detects NTFS. These permissions should not be changed. Future
               releases of SQL Server might not support installation on computers with FAT file systems.




             Notes: If you use EFS, database files will be encrypted under the identity of the account
             running SQL Server. Only this account will be able to decrypt the files. If you must change
             the account that runs SQL Server, you should first decrypt the files under the old account
             and then re-encrypt them under the new account.

               Use a Redundant Array of Independent Disks (RAID) for critical data files.

          Disable NetBIOS and Server Message Block

          Servers in the perimeter network should have all unnecessary protocols disabled, including
          NetBIOS and Server Message Block (SMB).

          NetBIOS uses the following ports:

               UDP/137 (NetBIOS name service)
               UDP/138 (NetBIOS datagram service)
               TCP/139 (NetBIOS session service)

          SMB uses the following ports:

               TCP/139
               TCP/445
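          The checks above (default-deny firewall, NetBIOS/SMB ports, one account per service, NTFS volumes) can be audited from the server itself. The following script is an added example, not part of the course text; it assumes the SQL Server services are named with the usual MSSQL*, SQLAgent* or MSSQLFDLauncher* prefixes and uses the port list given above.

```powershell
# Added audit example (not from the course text). Run in an elevated PowerShell
# session on the SQL Server host. Assumption: service names begin with
# MSSQL, SQLAgent or MSSQLFDLauncher; ports are those listed in the text.

# --- 1. Default-deny: each firewall profile should be on and block inbound by default
Get-NetFirewallProfile | ForEach-Object {
    $flag = if ($_.Enabled -and $_.DefaultInboundAction -eq 'Block') { 'ok' } else { 'REVIEW' }
    '{0,-8} enabled={1,-5} inbound={2,-8} {3}' -f $_.Name, $_.Enabled, $_.DefaultInboundAction, $flag
}

# --- 2. NetBIOS/SMB: report any enabled inbound Allow rule that opens these ports
$ports = @{ UDP = 137, 138; TCP = 139, 445 }
foreach ($proto in $ports.Keys) {
    foreach ($port in $ports[$proto]) {
        $open = Get-NetFirewallPortFilter -Protocol $proto |
            Where-Object { $_.LocalPort -contains "$port" -or $_.LocalPort -contains 'Any' } |
            Get-NetFirewallRule |
            Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
        $flag = if ($open) { 'OPEN via: ' + (($open.DisplayName | Select-Object -Unique) -join ', ') }
                else { 'blocked' }
        '{0}/{1,-4} {2}' -f $proto, $port, $flag
    }
}

# --- 3. Service isolation: each SQL Server service should run under its own account
$sqlSvc = Get-CimInstance Win32_Service |
    Where-Object { $_.Name -match '^(MSSQL|SQLAgent|MSSQLFDLauncher)' }
$sqlSvc | Group-Object StartName | ForEach-Object {
    $flag = if ($_.Count -gt 1) { 'SHARED by ' + $_.Count + ' services' } else { 'ok' }
    if ($_.Name -in 'LocalSystem', 'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\NetworkService') {
        $flag += ' (built-in account; prefer a dedicated low-rights account)'
    }
    '{0,-35} {1}' -f $_.Name, $flag
}

# --- 4. File system: every fixed disk that may hold data or log files should be NTFS
Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=3' | ForEach-Object {
    $flag = if ($_.FileSystem -eq 'NTFS') { 'ok' } else { 'NOT NTFS' }
    '{0} {1,-6} {2}' -f $_.DeviceID, $_.FileSystem, $flag
}
```

          A rule marked OPEN is not necessarily wrong (a domain controller may need SMB), but on a perimeter-network server it should be justified or removed, and a volume marked NOT NTFS cannot carry the ACLs or EFS protection described above.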



                                           LOVELY PROFESSIONAL UNIVERSITY                                   35