SQL Server must disable network functions, ports, protocols, and services deemed by the organization to be nonsecure, in accord with the Ports, Protocols, and Services Management (PPSM) guidance.
An XCCDF Rule
Description
<VulnDiscussion>Use of nonsecure network functions, ports, protocols, and services exposes the system to avoidable threats.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-213990r879756_rule
- Severity
- Medium
- References
- Updated
Remediation - Manual Procedure
Assign the approved TCP/IP port number to the SQL Server Database Engine.
1. In SQL Server Configuration Manager, in the console pane, expand SQL Server Network Configuration, expand Protocols for <instance name>, and then double-click "TCP/IP".
2. In the "TCP/IP Properties" dialog box, on the "IP Addresses" tab, several IP addresses appear in the format IP1, IP2, up to IPAll. One of these is for the IP address of the loopback adapter, 127.0.0.1. Additional IP addresses appear for each IP Address on the computer. (You will probably see both IP version 4 and IP version 6 addresses.) Right-click each address, and then click "Properties" to identify the IP address that you want to configure.
3. If the "TCP Dynamic Ports" dialog box contains "0", indicating the Database Engine is listening on dynamic ports, delete the "0".
4. In the "IPn Properties area" box, in the "TCP Port" box, type the port number you want this IP address to listen on, and then click "OK".
5. In the console pane, click "SQL Server Services".