
Hiding Your “Kibbles and Bits”

DBSGoneWild

One guess on who’s having WAY TOO MUCH FUN blogging these days?? LOL

Too often DBAs don’t take the time to review their environments and their surface area exposure.  You want to evaluate the features that you’ve enabled and determine if they are required.  The fewer features enabled, the lower the likelihood that you will have a successful attack on your environment.

In SQL Server 2005 the SQL Server Surface Area Configuration Tool was used by DBAs to review and manually turn on/off features in the product.  The Surface Area Configuration Tool has been removed in SQL Server 2008.  So where would one go now to review their surface area exposure?

Enter one of my new best friends… Policy Based Management.

SQL Server 2008 Policy Based Management comes with 4 policies for Surface Area evaluation:

  • Surface Area Configuration for Database Engine 2005 and 2000 features
  • Surface Area Configuration for Database Engine 2008 features
  • Surface Area Configuration for Service Broker Endpoints
  • Surface Area Configuration for SOAP Endpoints

The Policy we’re going to look at in this post is the Surface Area Configuration for Database Engine 2008 Features.  This Policy uses the condition Surface Area Configuration for Database Engine 2008 Features which ties to the Surface Area Configuration facet.

By default the following settings are used:

  • AdHocRemoteQueriesEnabled – False
  • ClrIntegrationEnabled – False
  • DatabaseMailEnabled – False
  • OleAutomationEnabled – False
  • RemoteDacEnabled – False
  • ServiceBrokerEndpointActive – False
  • SoapEndpointsEnabled – False
  • SqlMailEnabled – False
  • XPCmdShellEnabled – False

Now keep in mind that these are configurable (from within the check condition) and in your environment you might not be able to conform to the point where this Policy will come back with the nice happy green arrow.  I for one use DatabaseMail so this is something that I’ve had to change in the check condition.
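The same review can be done by hand in T-SQL. The query below is an added example, not part of the original post or of the built-in policy; the mapping from facet properties to `sp_configure` option names and endpoint types is this example's own, and the expected values are the defaults listed above.

```sql
-- Added example: compare the running configuration with the policy's default
-- expected values. Edit expected_value where a feature is required in your
-- environment (for example, set DatabaseMailEnabled to 1 if you use Database Mail).
DECLARE @expected TABLE (
    facet_property sysname,
    config_name    nvarchar(70),
    expected_value int
);

INSERT INTO @expected (facet_property, config_name, expected_value)
VALUES
    (N'AdHocRemoteQueriesEnabled', N'Ad Hoc Distributed Queries', 0),
    (N'ClrIntegrationEnabled',     N'clr enabled',                0),
    (N'DatabaseMailEnabled',       N'Database Mail XPs',          0),
    (N'OleAutomationEnabled',      N'Ole Automation Procedures',  0),
    (N'RemoteDacEnabled',          N'remote admin connections',   0),
    (N'SqlMailEnabled',            N'SQL Mail XPs',               0),
    (N'XPCmdShellEnabled',         N'xp_cmdshell',                0);

-- value_in_use is the running value, which is what an attacker would meet.
-- LEFT JOIN so an option missing on this version shows up as NOT FOUND.
SELECT e.facet_property,
       e.config_name,
       CONVERT(int, c.value_in_use) AS running_value,
       e.expected_value,
       CASE
           WHEN c.name IS NULL THEN 'NOT FOUND'
           WHEN CONVERT(int, c.value_in_use) = e.expected_value THEN 'PASS'
           ELSE 'FAIL'
       END AS result
FROM @expected AS e
LEFT JOIN sys.configurations AS c
       ON c.name COLLATE DATABASE_DEFAULT = e.config_name COLLATE DATABASE_DEFAULT
ORDER BY result, e.facet_property;

-- ServiceBrokerEndpointActive and SoapEndpointsEnabled are endpoint state,
-- not sp_configure options. Any row returned here is an endpoint to review;
-- state_desc shows whether it is STARTED, STOPPED or DISABLED.
SELECT name, type_desc, state_desc
FROM sys.endpoints
WHERE type_desc IN (N'SERVICE_BROKER', N'SOAP');
```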

The idea here is that Policy Based Management can give you a great look into your surface area exposure and show where you might be able to investigate and possibly disable some features to minimize the likelihood of a successful attack.  And don’t you SQL 2000 and SQL 2005 DBAs fret: as noted above, there is a policy built just for you as well (Surface Area Configuration for Database Engine 2005 and 2000 features).

So do your best to review and minimize your surface area exposure and not have your “kibbles and bits” out there for the world to see :)

Enjoy!!
