SQL Server browser service question

  • Hello,

    Happy Friday to you all. Simple question for everyone, probably. I am researching best practice for SQL security, and one of the things I am thinking of is stopping SQL Server Browser. This server will only have 1 instance, but the instance will have a name, so it's not going to be a default instance, and it will have a different port number. Will it be good practice to stop and disable the SQL Browser service, so we will have to know the instance/port rather than have something discover/broadcast the info? Or maybe I have it wrong, but I just need input/thoughts on this. Thanks in advance.

  • Thanks for posting your issue and hopefully someone will answer soon.

    This is an automated bump to increase visibility of your question.

  • I can't speak for what others know of the subject but we always disable the browser service to enhance security.

    --Jeff Moden



  • This is a good read on this subject:

    https://docs.microsoft.com/en-us/sql/tools/configuration-manager/sql-server-browser-service?view=sql-server-ver15

    and (although almost the same) https://www.mssqltips.com/sqlservertip/1946/overview-of-the-sql-server-browser-service/

    Depending on your exact setup you may disable it - I know we do for many of our servers, but not all, as we have lots of named instances and clusters.

  • I am not an expert on Browser Service either, but I am not sure it actually adds much security.  If someone really wants into your system, a port probe isn't that hard to do and once you know what ports are listening, it isn't hard to figure out what is listening on each port.

    It is more of a "security by obscurity" thing.  It's like using a non-standard port for SQL Server.  If the server is outside facing, I would not have SQL installed on it unless I absolutely needed to.  If it is an inside-only SQL instance, it depends too.  We use SQL Aliases via registry edits in the logon script to handle our SQL instances to have friendly names and as such, we don't rely on the SQL browser service for anything.  New and test\dev instances sometimes take a little longer for IT to get it into the logon script and short-term instances don't get in there for an alias, so the DBAs maintain a central management server (two of them actually; one for test\dev, one for live).  The central management servers have the host, instance and port in them.

    For my workplace, the SQL browser service offers no benefit as we have other things in place.

    My opinion, turning it off for a security thing doesn't really offer much help unless you have something else in place to watch for port probes and deny IPs that are probing.  And if your SQL Server is outside facing, it is likely someone will find a way to get access to it.  Wherever possible, keep your SQL instances internal-only.

     

    The above is all just my opinion on what you should do. 
    As with all advice you find on a random internet forum - you shouldn't blindly follow it.  Always test on a test server to see if there are negative side effects before making changes to live!
    I recommend you NEVER run "random code" you found online on any system you care about UNLESS you understand and can verify the code OR you don't care if the code trashes your system.
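
A pre-check for the change discussed in this thread, as an added example that is not from any of the posts above: it confirms every instance on the host listens on a static TCP port before stopping and disabling the Browser service, then prints the host,port targets clients must use. It assumes the default SQL Server registry layout and that each instance uses the IPAll ("Listen All") TCP settings; the function names are hypothetical.

```powershell
# Added example; run in an elevated session on the SQL Server host.
$root = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server'

function Get-SqlInstanceTcpPort {
    # Map each installed instance name to its configured TCP port values.
    $key = Get-Item -Path "$root\Instance Names\SQL"
    foreach ($name in $key.Property) {
        $id    = $key.GetValue($name)   # internal instance ID used in the registry path
        $ipAll = Get-ItemProperty -Path "$root\$id\MSSQLServer\SuperSocketNetLib\Tcp\IPAll"
        [pscustomobject]@{
            Instance    = $name
            StaticPort  = $ipAll.TcpPort          # empty when no fixed port is set
            DynamicPort = $ipAll.TcpDynamicPorts  # non-empty when dynamic ports are in use
        }
    }
}

function Disable-SqlBrowserIfSafe {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $instances = @(Get-SqlInstanceTcpPort)
    $notStatic = @($instances | Where-Object { -not $_.StaticPort })
    if ($notStatic.Count -gt 0) {
        # Without Browser, clients cannot resolve a dynamic port from the instance name.
        Write-Warning "No static port set for: $($notStatic.Instance -join ', '). Browser left running."
        return
    }
    if (Get-Service -Name SQLBrowser -ErrorAction SilentlyContinue) {
        Stop-Service -Name SQLBrowser -Force
        Set-Service  -Name SQLBrowser -StartupType Disabled
    }
    # Browser answers on UDP 1434; nothing should be bound there afterwards.
    if (Get-NetUDPEndpoint -LocalPort 1434 -ErrorAction SilentlyContinue) {
        Write-Warning 'UDP 1434 still has a listener.'
    }
    # Targets to record in aliases or a central list: connect by host,port.
    $instances | ForEach-Object { "tcp:$env:COMPUTERNAME,$($_.StaticPort)  ($($_.Instance))" }
}

Disable-SqlBrowserIfSafe -WhatIf   # drop -WhatIf to apply the change
```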
