SQL Server and the Windows Server 2008 Firewall

Posted by bink on July 3 2008, 8:35 PM. Posted in SQL 2005.

We've long recommended that customers use the Windows Firewall to protect SQL Server installations. Starting with Windows XP SP2, and continuing with Windows Vista, the firewall has been enabled by default on Windows client operating systems. Windows Server 2008 is the first Windows Server release on which the firewall is enabled by default.

For those of you migrating from Windows Server 2003 or earlier to Windows Server 2008, if you have not previously heeded the advice to enable the firewall, you may be surprised by connectivity failures caused by the firewall (this affects every version of SQL Server), and you will need to create the rules that enable the connectivity you want.

Don't panic! Choosing the right firewall strategy isn't as hard as it may seem, and it will pay dividends over the long run. We have a Books Online topic with detailed guidance on configuring the firewall for SQL Server access. That document is available at

http://msdn.microsoft.com/en-us/library/cc646023(SQL.100).aspx

We strongly recommend you read that before making changes to your firewall strategy.  For detailed information about the firewall, see

http://technet.microsoft.com/en-us/network/bb545423.aspx

I use the term "firewall strategy" intentionally, because there are some tradeoffs that only you can make. You might want to simply "configure the firewall" to make it all "just work," and you could do that, but it might expose you in ways you don't intend. To highlight that point, I will refer you to a recent survey by David Litchfield of NGS Software. Quoting from the executive summary:

The survey found that there are approximately 368,000 Microsoft SQL Servers directly accessible on the Internet and around 124,000 Oracle database servers directly accessible on the Internet.

That's a lot of servers directly exposed to the Internet, and I doubt strongly that level of exposure is intended. So we're hopeful that you will spend some time making choices you are comfortable with, and that the change to enable the firewall on Windows Server 2008 will lead to a level of exposure that more closely matches your real business needs. And only you can determine your real business needs.

I should note that exposure by itself does not imply that there is any particular vulnerability. Indeed, only 4% of the exposed SQL servers were running a vulnerable version of SQL Server, and those few vulnerable servers appear to have gone unpatched for many years now (our competitors fared much worse in this regard, candidly). But in the event of a newly-discovered vulnerability in SQL Server those 368,000 servers could become 368,000 targets overnight (or faster), and we all want to avoid that.

So, our first piece of advice: review your existing firewall strategy, including your host and network firewalls, to ensure that none of your servers are unintentionally exposed to the internet or to untrustworthy insiders.
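Here is what that review looks like on a single Windows Server 2008 host, as an added example that is not part of the original post or of the Books Online topic it links to. It uses netsh advfirewall, which ships with Windows Server 2008 (the New-NetFirewallRule cmdlets did not exist until Windows Server 2012), and it contrasts the "just make it work" rule with one scoped to the hosts that actually need access. The subnet 10.20.30.0/24, the rule names, and the sqlservr.exe path are assumptions for illustration; replace them with your own.

```powershell
# Added example, not part of the original post: audit a Windows Server 2008
# host firewall for SQL Server exposure and replace a blanket "make it work"
# rule with one scoped to the hosts that actually need access.
#
# Assumptions (mine, not the post's): a default instance on TCP 1433, an
# application-tier subnet of 10.20.30.0/24, and the SQL Server 2008
# default-instance binary path below. Change all three for your environment.
# Run from an elevated prompt.

$AppTierSubnet = '10.20.30.0/24'
$SqlServrExe   = 'C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\Binn\sqlservr.exe'

# --- 1. Is the firewall actually on for every profile? --------------------
netsh advfirewall show allprofiles state

# --- 2. What is SQL Server listening on? ----------------------------------
# Named instances use a dynamic TCP port unless you pin one, so a rule that
# opens only 1433 can be both too broad (remoteip=any) and not broad enough.
netstat -ano -p TCP | Select-String 'LISTENING'

# --- 3. Which existing inbound rules touch SQL Server ports, and from where?
#        Each match prints the surrounding rule text (name, RemoteIP, ...).
netsh advfirewall firewall show rule name=all dir=in |
    Select-String -Pattern 'LocalPort:\s+143[34]\b' -Context 9,3

# --- 4a. The tempting one-liner: any source address, every profile. This is
#         how SQL Servers end up directly reachable from the Internet.
#         Shown for contrast only; do not run it.
# netsh advfirewall firewall add rule name="SQL 1433 ANY" dir=in action=allow protocol=TCP localport=1433 remoteip=any profile=any

# --- 4b. The scoped rule: same port, but only from the app-tier subnet and
#         only on the domain profile, so a mis-profiled NIC does not expose it.
netsh advfirewall firewall add rule name="SQL Server TCP 1433 app tier" `
    dir=in action=allow protocol=TCP localport=1433 `
    remoteip=$AppTierSubnet profile=domain

# Named instance on a dynamic port? Scope by program instead of port, with
# the same source restriction. The path is an assumption; check your instance.
netsh advfirewall firewall add rule name="SQL Server sqlservr.exe app tier" `
    dir=in action=allow program="$SqlServrExe" remoteip=$AppTierSubnet profile=domain

# SQL Browser (UDP 1434) is only needed if clients resolve instance names;
# clients that specify the port do not need it, and it should never be open
# to remoteip=any.
netsh advfirewall firewall add rule name="SQL Browser UDP 1434 app tier" `
    dir=in action=allow protocol=UDP localport=1434 remoteip=$AppTierSubnet profile=domain

# --- 5. Verify that the scope you think you set is the scope netsh recorded.
netsh advfirewall firewall show rule name="SQL Server TCP 1433 app tier" verbose

# --- 6. Flag any remaining inbound rule that lets any address reach 1433/1434.
netsh advfirewall firewall show rule name=all dir=in |
    Select-String -Pattern 'RemoteIP:\s+Any' -Context 7,5 |
    Where-Object { $_.Context.PostContext -match 'LocalPort:\s+143[34]\b' }
```

Step 6 is the check worth keeping around: a rule created with remoteip=any by a setup script or a well-meaning administrator looks identical to the scoped one in the management console's summary view. The host firewall is also only half of the review; the network firewall in front of the server still needs the same question asked of it.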
