SQL Server browser service question

  • Siten0308

    SSCarpal Tunnel

    Points: 4322

    Hello,

    Happy friday to you all, simple question for everyone probably, so i am researching best practice for SQL security, and one of the things i am thinking of is stopping SQL server browser, and this server will only have 1 instance, but the instance will have a name, so its not going to be a default instance, and it will have a different port number, will it be good practice to stop and disable the SQL browser service so we will have to know the instance/port rather than have something discover/broadcast the info... or maybe i have it wrong, but just need input/thoughts on this.. thanks in advance

  • Site Owners

    SSC Guru

    Points: 80378

    Thanks for posting your issue and hopefully someone will answer soon.

    This is an automated bump to increase visibility of your question.

  • Jeff Moden

    SSC Guru

    Points: 996436

    I can't speak for what others know of the subject but we always disable the browser service to enhance security.

    --Jeff Moden


    RBAR is pronounced "ree-bar" and is a "Modenism" for Row-By-Agonizing-Row.
    First step towards the paradigm shift of writing Set Based code:
    ________Stop thinking about what you want to do to a ROW... think, instead, of what you want to do to a COLUMN.
    "Change is inevitable... change for the better is not".

    Helpful Links:
    How to post code problems
    How to Post Performance Problems
    Create a Tally Function (fnTally)
    Forum FAQ

  • frederico_fonseca

    SSChampion

    Points: 14632

    this is a good read on this subject

    https://docs.microsoft.com/en-us/sql/tools/configuration-manager/sql-server-browser-service?view=sql-server-ver15

    and (although almost the same)  https://www.mssqltips.com/sqlservertip/1946/overview-of-the-sql-server-browser-service/

    Depending on your exact setup you may disable it - I know we do for many of our servers, but not all as we have lots of named instances and clusters

  • Mr. Brian Gale

    SSC-Insane

    Points: 22759

    I am not an expert on Browser Service either, but I am not sure it actually adds much security.  If someone really wants into your system, a port probe isn't that hard to do and once you know what ports are listening, it isn't hard to figure out what is listening on each port.

    It is more of a "security by obscurity" thing.  It's like using a non-standard port for SQL Server.  If the server is outside facing, I would not have SQL installed on it unless I absolutely needed to.  If it is inside only SQL instance, it depends too.  We use SQL Aliases via registry edits in the logon script to handle our SQL instances to have friendly names and as such, we don't rely on the SQL browser service for anything.  New and test\dev instances sometimes take a little longer for IT to get it into the logon script and short-term instances don't get in there for an alias, so the DBA's maintain a central management server (two of them actually; one for test\dev, one for live).  The central management servers have the host, instance and port in them.

    For my workplace, the SQL browser service offers no benefit as we have other things in place.

    My opinion, turning it off for a security thing doesn't really offer much help unless you have something else in place to watch for port probes and deny IP's that are probing.  And if your SQL Server is outside facing, it is likely someone will find a way to get access to it.  Wherever possible, keep your SQL instances internal-only.

     

Viewing 5 posts - 1 through 5 (of 5 total)

You must be logged in to reply to this topic. Login to reply