6.1 Ensure that the SQL Server component to SharePoint is set to listen on non-default ports, with the defaults (UDP 1434 and TCP 1433) disabled

Information

The default instance of SQL Server listens for client requests on TCP 1433. By default, client
computers that connect to SQL Server first try TCP 1433. If that connection fails, the client
queries the SQL Server Browser service (formerly called the SQL Server Resolution Service),
which listens on UDP 1434, to learn the port on which the target database instance is
listening. Named instances listen on a dynamically assigned TCP port by default and therefore
depend on this UDP 1434 lookup.

Rationale:

The default port behavior of SQL Server introduces two issues that affect server hardening.
First, the ports used by SQL Server are well-publicized, and the SQL Server Resolution Service
on UDP 1434 has been the target of buffer overrun and denial-of-service attacks, including the
2003 'Slammer' worm. Even after SQL Server is patched against a specific flaw in that service,
the well-known ports remain a reconnaissance and attack target. Second, if databases are
installed on a named instance of SQL Server, the instance's TCP port is dynamically assigned at
startup and can change after a restart. In a hardened environment where firewalls permit only
specific ports, this can break server-to-server communication.

Solution

1. Verify that the user account performing this procedure is a member of
either the sysadmin or the serveradmin fixed server role.
2. Open SQL Server Configuration Manager on the computer that is running
SQL Server.
3. Expand SQL Server Network Configuration in the navigation pane.
4. Click the entry for the instance that you are examining. The default
instance is listed as Protocols for MSSQLSERVER; a named instance appears as
Protocols for named_instance.
5. In the main window, right-click TCP/IP in the Protocol Name column.
6. Click Properties.
7. Click the IP Addresses tab.
Every IP address assigned to the computer that is running SQL Server has a
corresponding entry on this tab. By default, SQL Server listens on all IP
addresses assigned to the computer, in which case the IPAll entry governs the
port in use.

To examine the port that the instance is listening on, follow these
steps:

1. For each IP address entry except IPAll, examine the values of TCP Dynamic Ports
and TCP Port. TCP Dynamic Ports should be blank (a value of 0 requests a dynamic
port, and any other value is the port that was dynamically assigned), and TCP Port
should be a chosen non-default port, not 1433.
2. For IPAll, which applies when the instance listens on all addresses, confirm that
TCP Dynamic Ports is blank and that TCP Port is set to a non-default port.
3. UDP 1434 is not a setting on this tab: it is served by the SQL Server Browser
service. Confirm that this service is stopped and disabled, and that host or
network firewalls block UDP 1434 and TCP 1433.
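The following PowerShell script is an added audit helper, not part of the benchmark text or of Tenable's MS_SQLDB plugin. It reads the same TCP/IP settings that SQL Server Configuration Manager displays, directly from the registry, and then checks the SQL Server Browser service and the live socket table. It assumes the standard registry layout used by SQL Server 2008 and later (HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\<MSSQLnn.INSTANCE>\MSSQLServer\SuperSocketNetLib\Tcp) and that the NetTCPIP cmdlets are available (Windows Server 2012 or later); the finding labels and the Add-Finding helper are this example's own.

```powershell
# Added audit helper (not part of the benchmark). Run in an elevated PowerShell
# session on the SQL Server host. Assumption: the standard registry layout used
# by SQL Server 2008 and later, and Windows Server 2012+ for Get-Net* cmdlets.

$sqlRoot  = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server'
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Scope, [string]$Detail, [string]$Status) {
    $findings.Add([pscustomobject]@{ Scope = $Scope; Detail = $Detail; Status = $Status })
}

# "Instance Names\SQL" maps each instance name to its registry folder,
# e.g. MSSQLSERVER -> MSSQL15.MSSQLSERVER for a SQL Server 2019 default instance.
$instanceMap   = Get-ItemProperty -Path "$sqlRoot\Instance Names\SQL"
$instanceNames = $instanceMap.PSObject.Properties |
    Where-Object { $_.Name -notlike 'PS*' } |     # drop PSPath, PSParentPath, ...
    Select-Object -ExpandProperty Name

foreach ($instance in $instanceNames) {
    $folder = $instanceMap.$instance
    $tcpKey = "$sqlRoot\$folder\MSSQLServer\SuperSocketNetLib\Tcp"
    if (-not (Test-Path $tcpKey)) { Add-Finding $instance 'TCP/IP key missing' 'WARN'; continue }

    $tcp = Get-ItemProperty -Path $tcpKey
    # ListenOnAllIPs=1 means only the IPAll entry governs the listening port.
    $listenAll = ([int]$tcp.ListenOnAllIPs -eq 1)

    foreach ($ipKey in Get-ChildItem -Path $tcpKey) {
        $addr    = $ipKey.PSChildName                 # IP1, IP2, ..., IPAll
        $v       = Get-ItemProperty -Path $ipKey.PSPath
        $dynamic = [string]$v.TcpDynamicPorts         # blank = static; "0" = dynamic requested; other = assigned dynamic port
        $static  = [string]$v.TcpPort                 # may hold several ports, comma separated

        # Grade only the entries SQL Server actually uses: IPAll when listening on
        # all addresses, otherwise the individual enabled addresses.
        $inEffect = if ($listenAll) { $addr -eq 'IPAll' } else { $addr -ne 'IPAll' -and [int]$v.Enabled -eq 1 }
        if (-not $inEffect) { continue }

        $status = 'PASS'
        if ($dynamic -ne '')                              { $status = 'FAIL: dynamic port enabled' }
        elseif (($static -split ',') -contains '1433')    { $status = 'FAIL: default TCP 1433' }
        elseif ($static.Trim() -eq '')                    { $status = 'FAIL: no static port set' }
        Add-Finding "$instance/$addr" "TcpDynamicPorts='$dynamic' TcpPort='$static'" $status
    }
}

# UDP 1434 is served by the SQL Server Browser service; it has to be stopped
# and disabled for the UDP listener to be gone after the next reboot too.
$browser = Get-CimInstance -ClassName Win32_Service -Filter "Name='SQLBrowser'"
if ($null -eq $browser) {
    Add-Finding 'SQLBrowser' 'service not installed' 'PASS'
} elseif ($browser.State -eq 'Running' -or $browser.StartMode -ne 'Disabled') {
    Add-Finding 'SQLBrowser' "State=$($browser.State) StartMode=$($browser.StartMode)" 'FAIL: UDP 1434 listener available'
} else {
    Add-Finding 'SQLBrowser' "State=$($browser.State) StartMode=$($browser.StartMode)" 'PASS'
}

# Corroborate the configuration with the live socket table.
$tcp1433 = Get-NetTCPConnection -State Listen -LocalPort 1433 -ErrorAction SilentlyContinue
$udp1434 = Get-NetUDPEndpoint -LocalPort 1434 -ErrorAction SilentlyContinue
Add-Finding 'Sockets' 'TCP 1433 listener present' $(if ($tcp1433) { 'FAIL' } else { 'PASS' })
Add-Finding 'Sockets' 'UDP 1434 endpoint present' $(if ($udp1434) { 'FAIL' } else { 'PASS' })

$findings | Format-Table -AutoSize
```

The registry values are the authoritative configuration, but a service restart is required before a changed TCP Port takes effect, which is why the script also inspects the socket table. From inside SQL Server, the port a session actually arrived on can be confirmed with SELECT local_tcp_port FROM sys.dm_exec_connections WHERE session_id = @@SPID. After moving an instance off TCP 1433 and disabling the Browser service, every SharePoint connection string and SQL alias must name the new port explicitly, since clients can no longer discover it over UDP 1434.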

Default Value:

The default instance listens on TCP 1433, named instances use a dynamically assigned TCP
port, and the SQL Server Browser service answers on UDP 1434. No ports are blocked.

See Also

https://workbench.cisecurity.org/files/2395

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7b., CSCv6|9

Plugin: MS_SQLDB

Control ID: 37e2fae2c5eed6425046e539fbb2196b16f92bbfa507fdcca23d534d37163368