0

Given that I have the choice, is there a reason to prefer enabling the SQL Browser Service over using the default static port, or vice versa?

Here's the specific context:
We have little third-party app with a few clients that connect to a 2005 SQLExpress instance. This instance was configured to accept remote connections, but we kept having intermittent connection issues that would show up as "password mismatch" login failures, i.e. 

Login failed for user 'AppSQLLogin'. [CLIENT: 10.x.x.x] 
Error: 18456, Severity: 14, State: 8.)

I eventually figured out that it was using dynamic ports, and starting the SQL Browser Service has apparently resolved the login issue.

But since I don't have multiple instances running on that server, it seems to me that I could just set the named SQLExpresss instance to use the normal default port 1433 and stop the browser service. Assuming this is the case, are there any reason I should or shouldn't do this? Or put another way, should I not run the SQL Browser service unless I explicitly must? (it's not enabled on any of our other single default instance SQL servers).

Matt
  • 218
  • 2
  • 5

2 Answers2

1

I would say turn the browser off whenever you can and configure your instance to run on a static port. But I recommend using other port than 1433 (may be on the higher end). Check out this article on Best practices for using SQL Server browser service.

EDIT:

The Microsoft SQL Server 2005 Security Best Practices - Operational and Administrative Tasks whitepaper unequivocally says "For a more secure configuration, always use static TCP/IP port assignments and disable the SQL Server Browser service. "

DaniSQL
  • 1,107
  • 7
  • 12
  • Thanks for the links. Can you elaborate on why you wouldn't use port 1433? That's always seemed like security by obscurity to me, so I kind of question the value of changing the port number, but maybe I just don't understand what that really does for me in terms of making my server harder to attack. – Matt Jul 12 '10 at 23:31
  • Yes it is a cheap trick but most robot programs scan port 1433 for blank SA passwords and you can avoid that by changing it to other port. But you are right, you can't get away from robust attacks by changing the port numbers, they will easily find it if they scan all ports. – DaniSQL Jul 13 '10 at 13:44
1

Using static ports and disabling the browser gives 0 security. Is someone has broken into the server, they can either query the system to get the list of ports which are in use by looking in the application log, or by port scanning the server which takes all of 10-15 seconds.

Just turn on the browser and be done with it.

You don't want to use port 1433 because if you install a default instance it'll want to run on port 1433.

mrdenny
  • 27,174
  • 4
  • 41
  • 69
  • There may be a little confirmation bias on my part, but it's refreshing to get a clear and concise answer to a database question instead of the more common (and arguably correct) "it depends". Thanks :) – Matt Jul 16 '10 at 16:29