Details
Non-clustered SQL Server instances within production environments should be designated as hidden to prevent advertisement by the SQL Server Browser service.
Rationale:
Designating production SQL Server instances as hidden leads to a more secure installation because they cannot be enumerated. However, clustered instances may break if this option is selected.
Solution
Perform either the GUI or T-SQL method shown:
GUI Method
In SQL Server Configuration Manager, expand SQL Server Network Configuration, right-click Protocols for
On the Flags tab, in the Hide Instance box, select Yes, and then click OK to close the dialog box. The change takes effect immediately for new connections.
T-SQL Method
Execute the following T-SQL to remediate:
EXEC master.sys.xp_instance_regwrite
@rootkey = N’HKEY_LOCAL_MACHINE’,
@key = N’SOFTWAREMicrosoftMicrosoft SQL ServerMSSQLServerSuperSocketNetLib’,
@value_name = N’HideInstance’,
@type = N’REG_DWORD’,
@value = 1;
Impact:
This method only prevents the instance from being listed on the network. If the instance is hidden (not exposed by SQL Browser), then connections will need to specify the server and port in order to connect. It does not prevent users from connecting to server if they know the instance name and port.
If you hide a clustered named instance, the cluster service may not be able to connect to the SQL Server. Please refer to the Microsoft documentation reference.
Default Value:
By default, SQL Server instances are not hidden.
References:
http://msdn.microsoft.com/en-us/library/ms179327(v=sql.105).aspx
http://msdn.microsoft.com/en-us/library/ms179327(v=sql.100).aspx
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: System and Information Integrity.This control applies to the following type of system Windows.