December 8, 2016 at 3:51 am
What is the best practice for SQL Browser service? Keep running or keep stopped and run as required?
December 8, 2016 at 3:57 am
Keep it running.
Igor Micev, My blog: www.igormicev.com
December 8, 2016 at 4:01 am
I wouldn't run it as required - I would either use it or not use it. It only works for named instances, so if you only have a default instance, disable the service. If SQL Server listens on the default port of 1433, you can also disable the service. If you want that extra layer of security by obscurity that not revealing the port number confers, then disable the service and insist on all connection strings including the port number. (I'm not arguing for or against that being a good thing.) Otherwise, have the service running and forget about it.
John
December 8, 2016 at 4:01 am
Thanks Igor. Is there an obvious reason to keep it running?
December 8, 2016 at 4:04 am
Thanks John.
I am merely concerned for security. That is why I am considering stopping them. All my instances (61 of them) are default.
December 8, 2016 at 4:07 am
h.iddamalgoda 91897 (12/8/2016)
Thanks John. I am merely concerned for security. That is why I am considering stopping them. All my instances (61 of them) are default.
Definitely don't have it running, then.
John
December 8, 2016 at 4:16 am
Cheers John, many thanks.
December 8, 2016 at 4:18 am
h.iddamalgoda 91897 (12/8/2016)
Thanks Igor. Is there an obvious reason to keep it running?
There is no cost of running it. If you want to forget about it, then keep it running. Here is a very good overview of it https://www.mssqltips.com/sqlservertip/1946/overview-of-the-sql-server-browser-service/
Igor Micev, My blog: www.igormicev.com
January 2, 2017 at 5:45 am
There is no cost of running it.
From the security standpoint I am not sure that is a true statement. If SQL Browser is running then a potential attacker could use it to discover your SQL instances.
Hunting for Microsoft's SQL Server
http://null-byte.wonderhowto.com/how-to/hack-databases-hunting-for-microsofts-sql-server-0148993/
I would say if you can identify what connects to the instance (or instances), update the instances to listen on non-default ports, stop and disable SQL Browser and then update connection strings to refer to the non-default ports. For apps that cannot easily have the connection string changed, use a SQL alias.
Joie Andrew
"Since 1982"
January 2, 2017 at 9:27 am
I would say it's a security hole since most people worry less about UDP and this may be an open port on lots of firewalls to allow SQL instance discovery. With this, an attacker doesn't need a port scan. They can merely hit UDP 1434 as a normal query to look for databases. I wouldn't leave this on or run it without a reason.
By default in modern Windows OS and SQL installs, this is disabled to reduce attack surface.
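An added example, not written by any poster in this thread: a PowerShell audit that applies the rule discussed above (SQL Browser is only needed where a named instance exists) across a list of servers. The host names in `$Servers` are hypothetical, PowerShell remoting is assumed to be enabled, and only Database Engine services are considered.

```powershell
# Constructed inventory: replace with your own server list (hypothetical names).
$Servers = @('SQLHOST01', 'SQLHOST02')

$report = Invoke-Command -ComputerName $Servers -ScriptBlock {
    # Named Database Engine instances run as services called MSSQL$<InstanceName>;
    # a default instance runs as MSSQLSERVER and never needs SQL Browser.
    $named   = @(Get-Service -Name 'MSSQL$*' -ErrorAction SilentlyContinue)
    $browser = Get-CimInstance -ClassName Win32_Service -Filter "Name='SQLBrowser'"

    [pscustomobject]@{
        NamedInstances = ($named.Name -replace '^MSSQL\$', '') -join ','
        BrowserState   = if ($browser) { $browser.State }     else { 'NotInstalled' }
        BrowserStart   = if ($browser) { $browser.StartMode } else { 'n/a' }
        # Assumption: no other component on the host depends on SQL Browser.
        CanDisable     = ($named.Count -eq 0)
    }
}

# One row per server: what is installed and whether Browser is exposed.
$report | Sort-Object PSComputerName |
    Format-Table PSComputerName, NamedInstances, BrowserState, BrowserStart, CanDisable

# Servers with no named instance where Browser is still installed and not disabled.
$targets = $report | Where-Object {
    $_.CanDisable -and $_.BrowserState -ne 'NotInstalled' -and $_.BrowserStart -ne 'Disabled'
}

foreach ($t in $targets) {
    Invoke-Command -ComputerName $t.PSComputerName -ScriptBlock {
        # -WhatIf only reports what would change; remove it to apply.
        Stop-Service -Name SQLBrowser -Force -WhatIf
        Set-Service  -Name SQLBrowser -StartupType Disabled -WhatIf
    }
}
```

Servers that report named instances need the further step described in the posts above (fixed ports plus port numbers or aliases in connection strings) before Browser can be stopped there.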