Information
The default instance of SQL Server listens for client requests on TCP 1433. By default, a client first attempts to connect on TCP 1433. If that attempt fails, the client queries the SQL Server Resolution Service (since SQL Server 2005, the SQL Server Browser service) listening on UDP 1434 to discover the port on which the named database instance is actually listening.
Rationale:
The default port-communication behavior of SQL Server introduces several issues that affect server hardening. First, the ports used by SQL Server are well-publicized, and the SQL Server Resolution Service has been the target of buffer overrun and denial-of-service attacks, including the 'SQL Slammer' worm of 2003. Even if SQL Server is patched to mitigate security issues in the SQL Server Resolution Service, the well-publicized ports remain a target for scanning and brute-force attempts. Second, if databases are installed on a named instance of SQL Server, the corresponding communication port is dynamically assigned at startup and can change after a restart. This behavior can break server-to-server communication in a hardened environment where firewall rules permit only specific ports.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
1. Verify that the User account that is performing this procedure is a member of either the sysadmin or the serveradmin fixed server role.
2. Navigate to SQL Server Configuration Manager on the computer that is running SQL Server.
3. Expand SQL Server Network Configuration in the navigation pane.
4. Click the corresponding entry for the instance that you are examining. The default instance is listed as Protocols for MSSQLSERVER. Named instances will appear as Protocols for named_instance.
5. Right-click TCP/IP in the Protocol Name column of the main window and click Properties.
6. Click the IP Addresses tab.
For every IP address that is assigned to the computer that is running SQL Server, there is a corresponding entry on this tab. By default, SQL Server listens on all IP addresses that are assigned to the computer.
To examine the ports on which an instance (default or named) is listening, follow these steps:
1. If Listen All is set to No on the Protocol tab, then for each enabled IP address entry (IP1, IP2, ...) examine the values of both TCP Dynamic Ports and TCP Port. TCP Port must not be 1433, and TCP Dynamic Ports must be blank: a value of 0 (or the port number that appears there after a restart) means the instance is using a dynamically assigned port.
2. If Listen All is set to Yes (the default), examine the TCP Dynamic Ports and TCP Port values under IPAll in the same way.
3. Confirm that UDP 1434 (SQL Server Browser) and TCP 1433 are blocked by the host or network firewall so that neither the well-known port nor the instance discovery service is reachable.
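The steps above are a manual walk-through of SQL Server Configuration Manager. The PowerShell script below is an added example, not part of the benchmark or of Nessus, that reads the same TCP/IP settings from the registry keys Configuration Manager edits (SuperSocketNetLib\Tcp under each instance ID) for every installed instance, flags a static TCP Port of 1433 and any use of TCP Dynamic Ports, checks whether the SQL Server Browser service (UDP 1434) is running, and cross-checks the live sockets. It assumes a local SQL Server installation on Windows and an elevated PowerShell session; Get-NetTCPConnection and Get-NetUDPEndpoint require Windows 8 / Windows Server 2012 or later.

```powershell
# Added example (not benchmark or Nessus code): audit every local SQL Server
# instance's TCP/IP configuration for the non-standard-port requirement.
# Reads the registry values that SQL Server Configuration Manager edits.
# Assumes a local SQL Server on Windows; run as Administrator.

$sqlRoot      = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server'
$instanceList = Join-Path $sqlRoot 'Instance Names\SQL'
if (-not (Test-Path $instanceList)) {
    throw 'No SQL Server instances are registered on this host.'
}

$findings = New-Object System.Collections.Generic.List[string]

# Each value under Instance Names\SQL maps an instance name (MSSQLSERVER,
# SQLEXPRESS, ...) to its registry instance ID (e.g. MSSQL15.MSSQLSERVER).
$names = Get-ItemProperty -Path $instanceList
foreach ($entry in $names.PSObject.Properties) {
    if ($entry.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath metadata
    $instanceName = $entry.Name
    $instanceId   = $entry.Value
    $tcpKey = Join-Path $sqlRoot "$instanceId\MSSQLServer\SuperSocketNetLib\Tcp"
    if (-not (Test-Path $tcpKey)) {
        $findings.Add("${instanceName}: TCP key not found at $tcpKey (manual review needed)")
        continue
    }

    $tcp = Get-ItemProperty -Path $tcpKey
    if ($tcp.Enabled -ne 1) { continue }        # TCP/IP protocol disabled: nothing to audit

    # Listen All = Yes (ListenOnAllIPs = 1) means only the IPAll entry applies;
    # otherwise each enabled IPn entry is examined individually.
    $listenAll = ($tcp.ListenOnAllIPs -eq 1)
    foreach ($ipKey in Get-ChildItem -Path $tcpKey) {
        $ip    = Get-ItemProperty -Path $ipKey.PSPath
        $isAll = ($ipKey.PSChildName -eq 'IPAll')
        if ($listenAll -ne $isAll) { continue }
        if (-not $isAll -and $ip.Enabled -ne 1) { continue }

        $label = if ($isAll) { 'IPAll' } else { "$($ipKey.PSChildName) ($($ip.IpAddress))" }

        # TCP Port 1433 is the well-known default the benchmark wants moved.
        if ("$($ip.TcpPort)".Split(',') -contains '1433') {
            $findings.Add("${instanceName} ${label}: static TCP Port includes 1433")
        }
        # A non-empty TCP Dynamic Ports value ('0' before first start, afterwards
        # the port the instance was assigned) means the port can change on
        # restart, the named-instance behaviour the rationale warns about.
        if (-not [string]::IsNullOrWhiteSpace($ip.TcpDynamicPorts)) {
            $findings.Add("${instanceName} ${label}: TCP Dynamic Ports = '$($ip.TcpDynamicPorts)' (dynamic port in use)")
        }
    }
}

# UDP 1434 is served by the SQL Server Browser service; while it runs, the
# instance-to-port mapping stays discoverable whatever port was chosen.
$browser = Get-Service -Name 'SQLBrowser' -ErrorAction SilentlyContinue
if ($browser -and $browser.Status -eq 'Running') {
    $findings.Add('SQL Server Browser service is running (answers on UDP 1434)')
}

# Cross-check the live sockets against the configuration.
$tcp1433 = Get-NetTCPConnection -LocalPort 1433 -State Listen -ErrorAction SilentlyContinue
if ($tcp1433) {
    $pids = ($tcp1433 | Select-Object -ExpandProperty OwningProcess -Unique) -join ','
    $findings.Add("A process is listening on TCP 1433 (PID $pids)")
}
$udp1434 = Get-NetUDPEndpoint -LocalPort 1434 -ErrorAction SilentlyContinue
if ($udp1434) {
    $pids = ($udp1434 | Select-Object -ExpandProperty OwningProcess -Unique) -join ','
    $findings.Add("A process is bound to UDP 1434 (PID $pids)")
}

if ($findings.Count -eq 0) {
    Write-Output 'PASS: no instance uses TCP 1433 or dynamic ports, and nothing answers on UDP 1434.'
} else {
    Write-Output 'FAIL: review the following items'
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

The registry check reflects the configuration that takes effect at the next service start, while the Get-Net* cross-check shows what is bound right now; a mismatch between the two usually means the instance has not been restarted since the port was changed. The script does not inspect firewall rules, so step 3 of the manual check (blocking UDP 1434 and TCP 1433 at the firewall) still has to be verified separately.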
Default Value:
No ports are blocked.