Comments on: Using Non-default Ports for SQL Server
https://thomaslarock.com/2016/12/using-non-default-ports-for-sql-server/
Thomas LaRock is an author, speaker, data expert, and SQLRockstar. He helps people connect, learn, and share. Along the way he solves data problems, too.
Tue, 20 Dec 2022 10:46:13 +0000

By: Reuben Sultana
https://thomaslarock.com/2016/12/using-non-default-ports-for-sql-server/#comment-91327
Tue, 20 Dec 2022 10:46:13 +0000

A number of years back I had proposed the techniques described in the below article, all of which were approved by the Architecture and Security teams, and later implemented in my workplace. As commenters mentioned in this thread, this is not an attacker-proof solution; however, it will help mitigate potential threats and, as ThomasLaRock stated, give you more fuel when an audit (or post-incident review) is carried out.

There is no silver bullet to security, and the best we can do is apply multiple protection layers. This is just one of them. Yes, there is the overhead of keeping track of the “application to DNS alias to port” mappings; however, any decent CMDB would do the trick. In a small shop you could simply use an Excel spreadsheet (even though Excel is not a database…). The point is, the administrative/management processes should not be a barrier to security.

SQL Server Connection Strings, Unique Application DNS and Listening Ports
https://sqlserverdiaries.com/blog/index.php/2011/04/sql-server-connection-strings-unique-application-dns-and-listening-ports/

The same technique applies to all SQL Server versions and Editions, and is still valid today with the most recent release.

By: Dan Fugett
https://thomaslarock.com/2016/12/using-non-default-ports-for-sql-server/#comment-88911
Tue, 12 Apr 2022 12:45:39 +0000

Tom,

Thanks for your post.

Has anything changed from 2016 to 2022 in the context of this discussion? That is, I see changing ports as a starting point (phishing) but certainly not an end point (port scan), as success depends on attack sophistication.

The reality of ransomware today makes it that much more important to do more than change ports, but it's still good advice. The thief can break through the window, but the police are still likely to ask whether taping the key to the door wasn't a bit … unthinking.

By: SQL Slammer Is Back. Here's What You Need to Know - Thomas LaRock
https://thomaslarock.com/2016/12/using-non-default-ports-for-sql-server/#comment-15853
Mon, 20 Feb 2017 13:23:20 +0000

[…] Review your use of firewalls, ACLs, and default ports. Do everything you can do to limit your exposure. Even if you can’t upgrade to newer versions […]

By: ThomasLaRock
https://thomaslarock.com/2016/12/using-non-default-ports-for-sql-server/#comment-15671
Wed, 21 Dec 2016 13:39:00 +0000

In reply to Pieter Vanhove.

Thanks Pieter, I forgot to mention the use of the browser service in the post. Disabling it makes sense if you have taken all the other steps.

By: Pieter Vanhove
https://thomaslarock.com/2016/12/using-non-default-ports-for-sql-server/#comment-15668
Wed, 21 Dec 2016 09:45:00 +0000

Hi Tom,

I do agree with your approach. I give the same recommendations to my customers.
I would even go one step further and recommend disabling the SQL Browser Service and hiding the instance to be even more secure. Of course, this depends on what the customer wants, but some of my clients do this by default.

Regards
Pieter

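The settings Pieter and Tom discuss above (a static non-default TCP port, HideInstance, and the SQL Browser service) all live in places that can be audited from the host. The script below is an added example, not code from the original post or from any commenter. It reads the documented SuperSocketNetLib registry keys for every instance found under "Instance Names\SQL" and reports what an auditor would ask about; the second function applies Pieter's two recommendations. It assumes an elevated Windows PowerShell session on the SQL Server host; the instance IDs it prints are whatever is installed there.

```powershell
# Added example (not from the original post or its comments).
# Audits each local SQL Server instance for: static non-default TCP port,
# HideInstance, and the state of the SQL Browser service.
# Run elevated on the SQL Server host.

function Get-SqlNetworkPosture {
    [CmdletBinding()]
    param()

    $base = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server'
    # Instance name -> instance ID, e.g. MSSQLSERVER = MSSQL15.MSSQLSERVER
    $instances = Get-ItemProperty -Path "$base\Instance Names\SQL" -ErrorAction Stop
    $browser   = Get-Service -Name SQLBrowser -ErrorAction SilentlyContinue
    $browserState = 'not installed'
    if ($browser) { $browserState = "$($browser.Status) / $($browser.StartType)" }

    foreach ($prop in ($instances.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
        $name = $prop.Name
        $id   = $prop.Value
        $ssnl = "$base\$id\MSSQLServer\SuperSocketNetLib"

        $tcp   = Get-ItemProperty -Path "$ssnl\Tcp"       -ErrorAction SilentlyContinue
        $ipAll = Get-ItemProperty -Path "$ssnl\Tcp\IPAll" -ErrorAction SilentlyContinue
        $hide  = (Get-ItemProperty -Path $ssnl -Name HideInstance -ErrorAction SilentlyContinue).HideInstance

        $findings = @()
        if ($tcp.Enabled -ne 1) {
            $findings += 'TCP/IP protocol key missing or disabled'
        }
        # TcpDynamicPorts is blank when a static port is configured. Any value
        # (including "0") means the instance picks a port at start-up and
        # clients must ask SQL Browser (UDP 1434) where it is.
        if ($ipAll.TcpDynamicPorts) {
            $findings += "dynamic port ($($ipAll.TcpDynamicPorts)); clients depend on SQL Browser"
        }
        if ($ipAll.TcpPort -eq '1433') {
            $findings += 'listening on the default port 1433'
        }
        if ($hide -ne 1) {
            $findings += 'HideInstance not set; instance answers SQL Browser enumeration'
        }
        if ($browser -and $browser.Status -eq 'Running') {
            $findings += 'SQL Browser running; anyone who can reach UDP 1434 can enumerate instances'
        }
        $summary = 'no findings'
        if ($findings.Count -gt 0) { $summary = $findings -join '; ' }

        [pscustomobject]@{
            Instance        = $name
            InstanceId      = $id
            TcpPort         = $ipAll.TcpPort
            TcpDynamicPorts = $ipAll.TcpDynamicPorts
            HideInstance    = ($hide -eq 1)
            SqlBrowser      = $browserState
            Findings        = $summary
        }
    }
}

# Applies the two settings Pieter recommends. Supports -WhatIf.
# HideInstance takes effect after the SQL Server service restarts.
function Set-SqlInstanceHidden {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $InstanceId,   # e.g. MSSQL15.MSSQLSERVER
        [switch] $DisableBrowser
    )
    $ssnl = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$InstanceId\MSSQLServer\SuperSocketNetLib"
    if ($PSCmdlet.ShouldProcess($InstanceId, 'Set HideInstance = 1')) {
        Set-ItemProperty -Path $ssnl -Name HideInstance -Value 1 -Type DWord
    }
    if ($DisableBrowser -and $PSCmdlet.ShouldProcess('SQLBrowser', 'Stop and disable service')) {
        Stop-Service -Name SQLBrowser -ErrorAction SilentlyContinue
        Set-Service  -Name SQLBrowser -StartupType Disabled
    }
}

Get-SqlNetworkPosture | Format-Table -AutoSize
```

Two caveats before applying the second function: once SQL Browser is stopped and the instance is hidden, every client of a named instance must carry the port explicitly (`Server=tcp:alias,port`) or use a client alias, because nothing answers the UDP 1434 lookup any more; and moving off 1433 or off a dynamic port also needs a matching host-firewall rule and a service restart before the audit above will show the new value.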
By: ThomasLaRock
https://thomaslarock.com/2016/12/using-non-default-ports-for-sql-server/#comment-15646
Sat, 17 Dec 2016 13:29:00 +0000

In reply to Bob Duffy.

Agreed, default ports make consolidations and migrations easier in a lot of scenarios.

After a few additional days of reflection on this topic I have noticed that much of the discussion is around the technical aspects of using non-default ports. I think people are looking past the human element here.

If you choose to run on a default port, and the forensics of a security breach reveal that the bad actor used code that relied on default ports…in that edge case…how do you want to answer the inquiry? The persons on the other side of the table are not interested in all the technical aspects of the discussion, they just want to know if you did everything you could have done, or not.

We can go back and forth forever on the technical stuff, and workarounds for everything. But at the end of the day none of that will matter. Either you chose to use a default port, or not.

By: Bob Duffy
https://thomaslarock.com/2016/12/using-non-default-ports-for-sql-server/#comment-15644
Sat, 17 Dec 2016 08:05:00 +0000

In reply to K. Brian Kelley.

I’m with Brian here 😉. Using DNS to abstract the physical server name is super useful.

I’ve created 10+ instance clusters with all of the instances on default ports.

Using a DNS CNAME to ensure connections aren’t made to the physical server name saves sooo much risk and effort on consolidations and migrations.

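Both Reuben's "application to DNS alias to port" mapping and Bob's CNAME abstraction only hold if somebody checks them. The script below is an added example, not code from the original post or from any commenter; it is the check I would run against a CMDB export. For each alias it confirms three things: the alias resolves (ideally as a CNAME, so no physical host name appears in any connection string), the expected non-default port accepts TCP, and the instance reached through that alias reports the same port for the session via `sys.dm_exec_connections`. The alias names and ports in `$AliasMap` are constructed placeholders, not real hosts. It assumes Windows PowerShell 5.1 (for `System.Data.SqlClient`, `Resolve-DnsName` and `Test-NetConnection`), Windows authentication, and a server certificate the client trusts, since it keeps `Encrypt=True` with `TrustServerCertificate=False`.

```powershell
# Added example (not from the original post or its comments).
# Verifies an "application -> DNS alias -> port" mapping end to end.

# Constructed placeholders standing in for CMDB rows; replace with your own.
$AliasMap = @{
    'erp-db.corp.example' = 14330
    'hr-db.corp.example'  = 14331
}

function Test-SqlAliasMapping {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [hashtable] $Map,
        [string] $Database = 'master'
    )
    Add-Type -AssemblyName System.Data

    foreach ($alias in $Map.Keys) {
        $port = [int]$Map[$alias]
        $r = [ordered]@{
            Alias = $alias; ExpectedPort = $port; ResolvesTo = $null
            TcpOpen = $false; ServerPort = $null; PhysicalName = $null
            Ok = $false; Error = $null
        }
        try {
            # 1. DNS: the alias should be a CNAME pointing at the physical host,
            #    so consumers never learn (or hard-code) that name.
            $rec = Resolve-DnsName -Name $alias -ErrorAction Stop | Select-Object -First 1
            if ($rec.Type -eq 'CNAME') { $r.ResolvesTo = $rec.NameHost }
            else                       { $r.ResolvesTo = [string]$rec.IPAddress }

            # 2. Transport: is the documented non-default port actually open?
            $tnc = Test-NetConnection -ComputerName $alias -Port $port -WarningAction SilentlyContinue
            $r.TcpOpen = [bool]$tnc.TcpTestSucceeded

            # 3. Session: connect through the alias with the port pinned, then ask
            #    the instance which local port accepted this session. The
            #    physical name comes back from the server, never from the client.
            $cs = "Server=tcp:$alias,$port;Database=$Database;Integrated Security=SSPI;" +
                  "Encrypt=True;TrustServerCertificate=False;Connect Timeout=5"
            $conn = New-Object System.Data.SqlClient.SqlConnection $cs
            $conn.Open()
            try {
                $cmd = $conn.CreateCommand()
                $cmd.CommandText = @"
SELECT c.local_tcp_port,
       CONVERT(sysname, SERVERPROPERTY('ServerName')) AS physical_name
FROM   sys.dm_exec_connections AS c
WHERE  c.session_id = @@SPID
"@
                $rdr = $cmd.ExecuteReader()
                if ($rdr.Read()) {
                    $r.ServerPort   = [int]$rdr['local_tcp_port']
                    $r.PhysicalName = [string]$rdr['physical_name']
                }
                $rdr.Close()
            } finally {
                $conn.Close()
            }
            # Mapping is good only if the port is reachable AND the server agrees
            # it is the port this session arrived on.
            $r.Ok = $r.TcpOpen -and ($r.ServerPort -eq $port)
        } catch {
            $r.Error = $_.Exception.Message
        }
        [pscustomobject]$r
    }
}

Test-SqlAliasMapping -Map $AliasMap | Format-Table -AutoSize
```

A row with `Ok = False` and a populated `ServerPort` means the CMDB and the instance disagree about the port; a row with `TcpOpen = True` but an error from step 3 usually means the port is answered by something other than the expected instance, or the certificate is not trusted. Run it from a host that sits where the application does, not from the SQL Server itself, or the firewall path is not what you are testing.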