In recent times, Microsoft’s Trustworthy Computing initiative has strongly influenced how security is implemented out of the box for new products, such as SQL Server 2005. One of the main things Microsoft has done is to turn off, by default, potential areas of their applications that could be susceptible to security risks.
In SQL Server 2005, many features that were turned on by default in previous versions, such as xp_cmdshell, are now turned off, and must be manually turned on if you want to use them. This way, the surface area available for attack is much smaller, making it much more difficult for bad guys and gals to attack the product.
The SQL Server 2005 Surface Area Configuration Tool is a separate utility included with SQL Server 2005 to make it easier for SQL Server administrators to manually turn on those features that are turned off by default. In most cases, you should probably leave these features at their default setting of off, unless you have a real, burning need for them. This way, you keep your SQL Server safer.
The SQL Server 2005 Surface Area Configuration tool uses Windows Management Instrumentation (WMI) to view and change server settings. WMI provides a unified way of interfacing with the API calls that manage the registry operations that configure SQL Server.
New features in SQL Server 2005, such as CLR integration, SQL Mail and Native XML Web Services, can all be configured using the SAC tool. Although each of these features could be configured using Transact-SQL (T-SQL), the Surface Area Configuration tool provides an easy-to-use graphical user interface for doing so. To invoke this tool, follow these steps:
On the Start menu, point to All Programs | Microsoft SQL Server 2005 | Configuration Tools, then click on SQL Server Surface Area Configuration.
The Surface Area Configuration tool can also be run from the command line using SAC.EXE, which is installed under the \90\Shared directory of the SQL Server program installation. SQL Server 2005 Books Online has full details on how to execute this command-line tool, with code examples. If you have several SQL Server instances, and some of them need similar configuration parameters, you can export the configuration settings from a base SQL Server instance where the Database Administrator is satisfied with the enabled features, then import them into other SQL Server instances.
There are various other options available in the SAC tool that can be used in a SQL Cluster environment, where you can selectively enable or disable the various services that collectively make up SQL Server 2005. Depending on which edition of SQL Server you installed, and which installation options you selected, you can enable or disable any of these services:
- Analysis Services
- Database Engine
- Full-Text Search Service
- Integration Services Service
- MSSQLServerADHelper Service
- Notification Services Service
- Reporting Services Service
- SQL Server Agent Service
- SQL Server Browser Service
- SQL Server Writer Service
If you are performing an in-place upgrade of a SQL Server 2000 instance to SQL Server 2005, the upgrade process will maintain all of your current settings (not turning them off by default as with a new installation). Because of this, once you complete an in-place upgrade, you may want to use the Surface Area Configuration tool to turn off those features you are not using, just to play it safe.
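The post-upgrade review described above can also be done in T-SQL rather than through the graphical tool. The script below is an added example, not part of the original article: it lists the state of the features named here plus a few related sp_configure options, lists any Native XML Web Services endpoints, and then turns off xp_cmdshell. The choice of options to audit and of xp_cmdshell as the feature to disable is an assumption made for illustration.

```sql
-- Added example: audit surface-area features on a SQL Server 2005 instance,
-- for instance after an in-place upgrade that kept SQL Server 2000 settings.

-- 1. Show the configured and running value of each feature (1 = on, 0 = off).
--    A difference between the two columns means RECONFIGURE or a restart is pending.
SELECT name,
       CAST(value AS int)        AS configured_value,
       CAST(value_in_use AS int) AS running_value
FROM sys.configurations
WHERE name IN (N'xp_cmdshell',
               N'clr enabled',
               N'SQL Mail XPs',
               N'Database Mail XPs',
               N'Ole Automation Procedures',
               N'Ad Hoc Distributed Queries',
               N'Web Assistant Procedures')
ORDER BY name;

-- 2. List Native XML Web Services (SOAP over HTTP) endpoints and their state.
--    An empty result means no such endpoint has been created.
SELECT name, protocol_desc, type_desc, state_desc
FROM sys.endpoints
WHERE type_desc = N'SOAP';

-- 3. Turn off a feature that is not needed (xp_cmdshell chosen for illustration).
--    xp_cmdshell is an advanced option, so advanced options must be visible first.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;

-- Hide advanced options again (assumes they were hidden before this script ran).
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 4. Confirm that the change is in effect.
SELECT name, CAST(value_in_use AS int) AS running_value
FROM sys.configurations
WHERE name = N'xp_cmdshell';
```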