SQL Server Hardening Considerations
Top SQL Hardening Considerations
- Do not install SQL Server on an Active Directory Domain Controller.
- In a multitier environment, run web logic and business logic on separate computers.
- Install the latest cumulative update for SQL Server from the Microsoft site: https://www.microsoft.com/en-us/download/details.aspx?id=56128.
- Set a strong password for the sa account before installing ICM.
- Always install the SQL Server service to run using a least-privilege account. Never install SQL Server to run using the built-in Local System account. Instead, use the Virtual account. See the Staging Guide for Cisco Unified ICM/Contact Center Enterprise at https://www.cisco.com/c/en/us/support/customer-collaboration/unified-contact-center-enterprise/products-installation-guides-list.html for more information.
- Enable the SQL Server Agent service and set it to Automatic for database maintenance in Unified ICM.

  Note: Applying SQL Server security updates or hotfixes can require that you disable the SQL Server Agent service. Reset this service to "disabled" before performing the update. When the update has completed, stop the service and set it back to "enabled".
- Disable the SQL guest account.
- Restrict sysadmin membership to your Unified ICM administrators.
- Block TCP port 1433 (default) and UDP port 1434 at the network firewall, unless the Administration & Data Server is not in the same security zone as the Logger.
- Provide protection with good housekeeping:
  - Delete or archive these setup files after installation if they are present:
    - sqlstp.log
    - sqlsp.log
    - setup.iss

    The files are in <systemdrive>:\Program Files\Microsoft SQL Server\MSSQL\Install for a default installation or <systemdrive>:\Program Files\Microsoft SQL Server\MSSQL$<Instance Name>\Install for named instances.
  - If the current system is an upgrade from SQL Server, delete the following files if they are present:
    - setup.iss in %Windir%
    - sqlsp.log in Windows Temp
- Change the recovery actions of the Microsoft SQL Server service to restart after a failure.
- Remove all sample databases.
- Enable auditing for failed sign-ins.
SQL Server Users and Authentication
When creating a user for the SQL Server account, create Windows accounts with the least possible privileges for running SQL Server services. Create the accounts during the installation of SQL Server.
During installation, the SQL Server Database Engine is set to either Windows Authentication mode or SQL Server and Windows Authentication mode. If Windows Authentication mode is selected during installation, the sa login is disabled. If you later change the authentication mode to SQL Server and Windows Authentication mode, the sa login remains disabled. To enable the sa login, use the ALTER LOGIN statement. For more details, see https://msdn.microsoft.com/en-us/library/ms188670.aspx.
The local user or domain user account that is created for the SQL Server service account follows the Windows or domain password policy, respectively. Apply a strict password policy to this account. However, do not set the password to expire. If the password expires, the SQL Server service ceases to function and the Administration & Data Server fails.
Site requirements can govern the password and account settings. Consider minimum settings like the following:
| Setting | Value |
|---|---|
| Enforce Password History | 24 passwords remembered |
| Minimum Password Length | 12 characters |
| Password Complexity | Enabled |
| Minimum Password Age | 1 day |
| Account Lockout Duration | 15 minutes |
| Account Lockout Threshold | 3 invalid logon attempts |
| Reset Account Lockout Counter After | 15 minutes |
During automated SQL Server hardening, if the sa password is found to be blank, a strong password is generated at random to secure the sa account. You can reset the sa account password after installation by logging on to the SQL Server using a Windows Local Administrator account.
UCCE supports renaming or removing the default built-in MS SQL sa account. If the sa account is used to integrate with UCCE solution components such as Finesse, CUIC, or any other third-party integrations, the login credentials have to be reconfigured with the renamed sa account.
Note: Renaming or removing the sa account has no correlation with the SQL Server hardening that happens during installation or upgrade.
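The server-level items in the checklist above (authentication mode and sa login state, sysadmin membership, service accounts and SQL Server Agent startup type, sample databases, failed sign-in auditing, and guest access in user databases) can be verified after hardening with a single T-SQL audit script. The script below is an added example, not part of the Cisco guide or the automated hardening; the sample-database names it searches for are an assumption based on what Microsoft tooling commonly ships.

```sql
-- Constructed audit script (not from the Cisco guide): reports the SQL Server-level
-- checklist items so an administrator can confirm them. Run as sysadmin via SSMS or sqlcmd.
SET NOCOUNT ON;
-- 1. Authentication mode and the built-in sa login. sa keeps SID 0x01 even after
--    it is renamed, so it is looked up by SID rather than by name.
SELECT 'auth_mode' AS check_name,
       CASE CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int)
            WHEN 1 THEN 'Windows Authentication only'
            ELSE 'SQL Server and Windows Authentication' END AS finding
UNION ALL
SELECT 'sa_login',
       name + CASE WHEN is_disabled = 1 THEN ' (disabled)' ELSE ' (ENABLED)' END
            + CASE WHEN name <> 'sa' THEN ' [renamed]' ELSE '' END
FROM sys.sql_logins WHERE sid = 0x01
UNION ALL
-- 2. Members of the sysadmin fixed server role; restrict these to ICM administrators.
SELECT 'sysadmin_member', m.name
FROM sys.server_role_members rm
JOIN sys.server_principals r ON rm.role_principal_id = r.principal_id
JOIN sys.server_principals m ON rm.member_principal_id = m.principal_id
WHERE r.name = 'sysadmin'
UNION ALL
-- 3. Service account and startup type per service: the engine must not run as
--    LocalSystem, and SQL Server Agent should be Automatic for ICM maintenance.
SELECT 'service', servicename + ' | ' + ISNULL(service_account, '?') + ' | ' + startup_type_desc
FROM sys.dm_server_services
UNION ALL
-- 4. Sample databases (assumed names of common Microsoft samples); remove any found.
SELECT 'sample_db', name FROM sys.databases
WHERE name LIKE 'AdventureWorks%' OR name IN ('Northwind', 'pubs');
-- 5. Login audit level: expect 'failure' or 'all' so failed sign-ins are logged.
EXEC master.sys.xp_loginconfig 'audit level';
-- 6. User databases where guest (always principal_id 2) still holds CONNECT.
--    guest must stay enabled only in master, tempdb and msdb, so those are skipped.
DECLARE @db sysname, @sql nvarchar(max);
DECLARE dbs CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM sys.databases
    WHERE name NOT IN ('master', 'tempdb', 'msdb') AND state_desc = 'ONLINE';
OPEN dbs; FETCH NEXT FROM dbs INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    SET @sql = N'SELECT ''guest_connect'' AS check_name, ' + QUOTENAME(@db, '''') + N' AS finding'
             + N' FROM ' + QUOTENAME(@db) + N'.sys.database_permissions'
             + N' WHERE grantee_principal_id = 2 AND permission_name = ''CONNECT'' AND state = ''G'';';
    EXEC sp_executesql @sql;
    FETCH NEXT FROM dbs INTO @db;
END
CLOSE dbs; DEALLOCATE dbs;
```

Every row returned by checks 2, 4 and 6 is a finding to review; for checks 1, 3 and 5 compare the reported value against the expectation stated in the comment.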