SQL Server Performance

When is SQLBrowser needed.

Discussion in 'SQL Server 2005 General DBA Questions' started by acki4711, Aug 24, 2007.

  1. acki4711 Member

    When do I need a running SQL Browser service?
    With only the default instance installed?
    When multiple instances on same machine?
    Never ?
    TIA
    acki
  2. satya Moderator

    Books online refers:
    When an instance of SQL Server starts, if the TCP/IP or VIA protocols are enabled for SQL Server, the server is assigned a TCP/IP port. If the named pipes protocol is enabled, SQL Server listens on a specific named pipe. This port, or "pipe," is used by that specific instance to exchange data with client applications. During installation, TCP port 1433 and pipe \sql\query are assigned to the default instance, but those can be changed later by the server administrator using SQL Server Configuration Manager. Because only one instance of SQL Server can use a port or pipe, different port numbers and pipe names are assigned for named instances, including SQL Server Express. By default, when enabled, both named instances and SQL Server Express are configured to use dynamic ports, that is, an available port is assigned when SQL Server starts. If you want, a specific port can be assigned to an instance of SQL Server. When connecting, clients can specify a specific port; but if the port is dynamically assigned, the port number can change anytime SQL Server is restarted, so the correct port number is unknown to the client.
    Upon startup, SQL Server Browser starts and claims UDP port 1434. SQL Server Browser reads the registry, identifies all instances of SQL Server on the computer, and notes the ports and named pipes that they use. When a server has two or more network cards, SQL Server Browser returns the first enabled port it encounters for SQL Server. SQL Server 2005 and SQL Server Browser support ipv6 and ipv4.
    When SQL Server 2000 and SQL Server 2005 clients request SQL Server resources, the client network library sends a UDP message to the server using port 1434. SQL Server Browser responds with the TCP/IP port or named pipe of the requested instance. The network library on the client application then completes the connection by sending a request to the server using the port or named pipe of the desired instance.
    So when you have multiple instances, and that too for a named instance, the Browser service is required.
  3. DBADave New Member

    Thanks Satya. I ran into this problem tonight. It sounds like I can assign a static port to the named instance, but then all client connections need to be configured to know about this port number. Do you know of any issues associated with starting the SQL Server Browser service?
    Dave
  4. satya Moderator

    Nothing as I'm aware of, and it's better to perform the restart during hours with less traffic on those named instances.
  5. DBADave New Member

    I read an MSDN article that states the following.
    SQL Server Browser listens on a UDP port and accepts unauthenticated requests using SQL Server Resolution Protocol (SSRP). SQL Server Browser should be run in the security context of a low-privileged user to minimize exposure to a malicious attack. By default, SQL Server Browser starts using the Local System account. The logon account can be changed by using the Windows Services program. The minimum user rights for SQL Server Browser are as follows:
    • Deny access to this computer from the network.
    • Deny logon locally.
    • Deny logon as a batch job.
    • Deny logon through Terminal Services.
    • Log on as a service.
    • Read and write the SQL Server registry keys related to network communication (ports and pipes).
    In our case the SQL Server Browser service is running under the same Windows account as our other SQL Server services. Do you recommend creating a separate Windows account for the SQL Server Browser service as described above?
    Dave
  6. satya Moderator

    I would say it depends from shop to shop; say, for a financial-based organisation, for the sake of data credentials it's better to lock down such privileged access.
    At our end we have (default) setup as Deny logon locally, log on as a service & read/write permissions. So I would say test and apply such permissions, better be safer than sorry.
  7. DBADave New Member

    We are a financial company so I will probably create a new Windows account for the SQL Server Browser service. Do you know how an exploit can occur? I'm trying to picture how someone could exploit the SQL Server Browser.
    Thanks, Dave
  8. satya Moderator

    The default behaviour of the SQL Browser service is to relay the SQL instance and its port on the network; using this on the server, the hacker can make known the presence of a database on the network and which port it's on. By limiting with minimum access or restricted privileges, anyone trying to break in needs to know the IP address of the database and the number of the port to which it is attached to mount an attack. Port scanning alone would not reveal that information; similarly, think about the SLAMMER worm attack in the year 2003 (IIRC).
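
What the Browser's unauthenticated reply on UDP 1434 hands to any client, as an added example that is not part of the original thread: a parser for the response layout in Microsoft's published SQL Server Resolution Protocol specification (MS-SQLR), run on a constructed datagram. The host name, instance names, version string and port numbers are made up for illustration.

```python
import struct

SVR_RESP = 0x05  # first byte of every Browser reply in MS-SQLR


def parse_svr_resp(datagram: bytes) -> list:
    """Decode one SVR_RESP datagram into a dict per advertised instance."""
    if len(datagram) < 3 or datagram[0] != SVR_RESP:
        raise ValueError("not an SVR_RESP message")
    (size,) = struct.unpack_from("<H", datagram, 1)  # little-endian length
    body = datagram[3:3 + size]
    if len(body) != size:
        raise ValueError("length field exceeds datagram")
    instances = []
    # Each instance is a run of key;value pairs terminated by ';;'.
    for chunk in body.decode("ascii", errors="replace").split(";;"):
        fields = chunk.split(";")
        if len(fields) >= 2:
            instances.append(dict(zip(fields[0::2], fields[1::2])))
    return instances


def disclosed_endpoints(instances: list) -> list:
    """(instance, version, tcp port, named pipe) exactly as a client learns them."""
    return [(i.get("InstanceName"), i.get("Version"),
             int(i["tcp"]) if "tcp" in i else None, i.get("np"))
            for i in instances]


def constructed_sample() -> bytes:
    """Constructed reply: a default instance plus a named one on a dynamic port."""
    data = ("ServerName;DBHOST01;InstanceName;MSSQLSERVER;IsClustered;No;"
            "Version;9.00.1399.06;tcp;1433;np;\\\\DBHOST01\\pipe\\sql\\query;;"
            "ServerName;DBHOST01;InstanceName;REPORTING;IsClustered;No;"
            "Version;9.00.1399.06;tcp;49172;;").encode("ascii")
    return bytes([SVR_RESP]) + struct.pack("<H", len(data)) + data


if __name__ == "__main__":
    for name, version, port, pipe in disclosed_endpoints(
            parse_svr_resp(constructed_sample())):
        print(f"{name}: version={version} tcp={port} pipe={pipe}")
```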
