2.12 Ensure 'Hide Instance' option is set to 'Yes' for Production SQL Server instances

Information

Non-clustered SQL Server instances within production environments should be designated as hidden to prevent advertisement by the SQL Server Browser service.

Rationale:

Designating production SQL Server instances as hidden leads to a more secure installation because they cannot be enumerated. However, clustered instances may break if this option is selected.

Impact:

This method only prevents the instance from being listed on the network. If the instance is hidden (not exposed by SQL Browser), then connections will need to specify the server and port in order to connect. It does not prevent users from connecting to server if they know the instance name and port.

If you hide a clustered named instance, the cluster service may not be able to connect to the SQL Server. Please refer to the Microsoft documentation reference.

Solution

Perform either the GUI or T-SQL method shown:

GUI Method

In SQL Server Configuration Manager, expand SQL Server Network Configuration, right-click Protocols for <InstanceName>, and then select Properties.

On the Flags tab, in the Hide Instance box, select Yes, and then click OK to close the dialog box. The change takes effect immediately for new connections.

T-SQL Method

Execute the following T-SQL to remediate:

EXEC master.sys.xp_instance_regwrite
@rootkey = N'HKEY_LOCAL_MACHINE',
@key = N'SOFTWARE\Microsoft\Microsoft SQL Server\MSSQLServer\SuperSocketNetLib',
@value_name = N'HideInstance',
@type = N'REG_DWORD',
@value = 1;

Default Value:

By default, SQL Server instances are not hidden.

See Also

https://workbench.cisecurity.org/benchmarks/7201

Item Details

Category: SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CA-9, 800-53|SC-7, 800-53|SC-7(5), CSCv7|9.2

Plugin: MS_SQLDB

Control ID: af3000b5400ac9593b26a0db1bd832dc6e54113466a9f2cac19e6f9805da224e