Question

Historically, it has been recommended not to use the default ports for connections to SQL Server, as part of security best practice. On a server with a single, default instance, the following ports would be used by default:

  • SQL Server service - Port 1433 (TCP)
  • SQL Server Browser service - Port 1434 (UDP)
  • Dedicated Admin Connection - Port 1434 (TCP)

QUESTIONS:

  • Is this advice still relevant?
  • Should ALL of the above ports be changed?

Solution

Historically, it has been recommended not to use the default ports for connections to SQL Server, as part of security best practice.

Which was asinine then and is still asinine now. Security through obscurity is arguably not security at all.

Is this advice still relevant?

IMHO it was never relevant. It was required for some compliance purposes because the people drafting up those compliances did not understand what they were doing, again, IMHO.

Should ALL of the above ports be changed?

I wouldn't change any.

OTHER TIPS

Even though security through obscurity isn't actual security I won't say there aren't any cases where it helps.

If an attacker wants to know where your service is listening they can easily find out, but in the event of a dumb automated attack you could be lucky if you changed the port.

The only time I can remember where it actually helped is during the time of SQL Slammer, where SQL Server 2000 was vulnerable and a worm spread by generating random IPs and connecting to the default SQL Server Browser port.

If I recall correctly, it was official advice at the time to change the ports until you could patch your server (either because there wasn't a patch available immediately or because you didn't have a window).

For that worm to enter your network at the time you needed to have a SQL Server connected to the internet instead of behind a firewall, which you shouldn't, but anyhow, a non-default port number could have helped in that specific case.

I do however agree that if you have proper security in place the complexity you add probably doesn't outweigh the chances of it preventing an incident.

Historically, it has been recommended not to use the default ports for connections to SQL Server, as part of security best practice

No, it wasn't. Some misguided people may have presented it as such, but I've been doing security for 20+ years and changing default ports has always been a kind of "here is something you can do if you want which maybe sometimes in very specific circumstances provides a bit of additional security against some very specific threats" thing.

Is this advice still relevant?

Under very specific circumstances, depending on your threat model and risk analysis, there may be some instances in which this is sound advice. In the vast majority of cases, no, it isn't relevant nor was it ever.

YES, it is still useful.

Changing default ports has one real purpose only: to defend against automated scans/attacks, if your database server is open towards hosts which might get compromised.

While that might not sound like a big deal, remember that:

  • any host might get compromised (or your database server might get exposed to the Internet at large due to some mistake)
  • most of the attacks these days are automated attacks, and many of them will try only default ports (as aiming at low-hanging fruit is most efficient).

So, yes, while it by itself will not help you much if you are under a targeted attack, using random ports (and/or making it listen on a random IPv6 address only) will make it much less visible, thus at least giving you more time to upgrade before an automated 0day exploit scan hits you (and it might even protect you completely against such an automated scan all by itself!).

In addition (this will help not only against all automated attacks, but also against some targeted attacks too), when attackers try to find your database port to exploit it by brute-force port scans, it can be detected and defended against (by blacklisting attacker IP ranges, and alerting admins if some internal host has been detected as the source of the attack).

Also note that changing the default port for server and clients (especially if they are deployed automatically) is a trivial amount of work, and detecting brute-force scans is easy too; so you really should be doing it (not just for database servers, but for all services where the overhead of setting it up is not prohibitive due to usability issues: e.g. changing the default port for web from 80 is not recommended, as some people (and bots) will mess it up, and random firewalls around the world might not allow the connection to be established. But RDP, for example, is a great target for a non-default port).
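The scan-detection idea in the answer above, as an added example that is not part of the original answers: a small detector run over constructed firewall-style log lines that flags sources whose denied probes against a database host touched several distinct ports (including the default 1433/1434), and distinguishes an internal source (likely a compromised host, so alert admins) from an external one (block the source). The log format, the 10.0.0.0/8 internal range and the threshold are assumptions for the example.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample firewall lines: timestamp action src dst dst_port
SAMPLE_LOG = """\
2024-01-01T10:00:01 DENY 203.0.113.7 10.0.0.5 1433
2024-01-01T10:00:02 DENY 203.0.113.7 10.0.0.5 1434
2024-01-01T10:00:03 DENY 203.0.113.7 10.0.0.5 3306
2024-01-01T10:00:04 DENY 203.0.113.7 10.0.0.5 5432
2024-01-01T10:00:05 ALLOW 10.0.0.20 10.0.0.5 47001
2024-01-01T10:00:06 DENY 10.0.0.31 10.0.0.5 1433
2024-01-01T10:00:07 DENY 10.0.0.31 10.0.0.5 1434
2024-01-01T10:00:08 DENY 10.0.0.31 10.0.0.5 47001
2024-01-01T10:00:09 DENY 10.0.0.31 10.0.0.5 47002
"""

LINE_RE = re.compile(r"^(\S+) (ALLOW|DENY) (\S+) (\S+) (\d+)$")
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range
PORT_THRESHOLD = 4  # assumed: distinct ports probed by one source

def parse(log):
    """Yield (timestamp, action, src, dst, port) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, action, src, dst, port = m.groups()
            yield ts, action, src, dst, int(port)

def detect_scanners(log, threshold=PORT_THRESHOLD):
    """Return {src: finding} for sources whose DENIED probes against one
    destination touched at least `threshold` distinct ports."""
    probes = defaultdict(set)
    for _, action, src, dst, port in parse(log):
        if action == "DENY":
            probes[(src, dst)].add(port)
    findings = {}
    for (src, dst), ports in probes.items():
        if len(ports) < threshold:
            continue
        internal = ipaddress.ip_address(src) in INTERNAL
        findings[src] = {
            "target": dst,
            "distinct_ports": len(ports),
            "hit_default_sql_ports": {1433, 1434} <= ports,
            # an internal scanner usually means a compromised host: page a human
            "response": "alert-admins" if internal else "block-source",
        }
    return findings
```

Calling `detect_scanners(SAMPLE_LOG)` reports 203.0.113.7 as an external scanner to block and 10.0.0.31 as an internal host to investigate, while the single allowed connection from 10.0.0.20 is ignored.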

I would not change the port, but I would never expose the database service directly over the Internet. Only through a secure tunnel like SSH. Changing the port of SSH might be a good idea to minimize the traffic from scanners.

Licensed under: CC-BY-SA with attribution
Not affiliated with dba.stackexchange