SQL Browser

  • What is the best practice for SQL Browser service? Keep running or keep stopped and run as required?

  • Keep it running.

    Igor Micev,My blog: www.igormicev.com

  • I wouldn't run it as required - I would either use it or not use it. It only works for named instances, so if you only have a default instance, disable the service. If SQL Server listens on the default port of 1433, you can also disable the service. If you want that extra layer of security by obscurity that not revealing the port number confers, then disable the service and insist on all connection strings including the port number. (I'm not arguing for or against that being a good thing.) Otherwise, have the service running and forget about it.

    John

  • Thanks Igor. Is there an obvious reason to keep it running?

  • Thanks John.

    I am merely concerned for security. That is why I am considering stopping them. All my instances (61 of them) are default.

  • h.iddamalgoda 91897 (12/8/2016)


    Thanks John.

    I am merely concerned for security. That is why I am considering stopping them. All my instances (61 of them) are default.

    Definitely don't have it running, then.

    John

  • Cheers John, many thanks.

  • h.iddamalgoda 91897 (12/8/2016)


    Thanks Igor. Is there an obvious reason to keep it running?

    There is no cost of running it. If you want to forget about it, then keep it running. Here is a very good overview of it https://www.mssqltips.com/sqlservertip/1946/overview-of-the-sql-server-browser-service/

    Igor Micev,My blog: www.igormicev.com

  • There is no cost of running it.

    From the security standpoint I am not sure that is a true statement. If SQL Browser is running then a potential attacker could use it to discover your SQL instances.

    Hunting for Microsoft's SQL Server

    http://null-byte.wonderhowto.com/how-to/hack-databases-hunting-for-microsofts-sql-server-0148993/

    I would say if you can identify what connects to the instance (or instances), update the instances to listen on non-default ports, stop and disable SQL Browser and then update connection strings to refer to the non-default ports. For apps that cannot easily have the connection string changed, use a SQL alias.

    Joie Andrew
    "Since 1982"

  • I would say it's a security hole since most people worry less about UDP and this may be an open port on lots of firewalls to allow SQL instance discovery. With this, an attacker doesn't need a port scan. They can merely hit UDP 1434 as a normal query to look for databases. I wouldn't leave this on or run it without a reason.

    By default in modern Windows OS and SQL installs, this is disabled to reduce attack surface.
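
Added example (not part of any post in this thread): a PowerShell audit that applies the advice above across a fleet, reporting the SQL Browser state per host and, with `-Remediate`, stopping and disabling it where only a default instance is installed. The host names are placeholders, and PowerShell remoting to each host with PowerShell 5 or later is assumed.

```powershell
# Added example: audit SQL Browser per host; disable it where only a default instance exists.
param(
    [string[]]$Servers = @('SQLHOST01', 'SQLHOST02'),  # placeholder host names (assumption)
    [switch]$Remediate                                   # without this switch, report only
)

$audit = {
    param([bool]$Remediate)
    # Installed instances are registered as value names under this key;
    # the default instance appears as MSSQLSERVER.
    $key = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL'
    $instances = @()
    if (Test-Path $key) { $instances = @((Get-Item $key).Property) }
    $named = @($instances | Where-Object { $_ -ne 'MSSQLSERVER' })

    $svc = Get-Service -Name SQLBrowser -ErrorAction SilentlyContinue
    $action = 'none'
    if ($svc -and $named.Count -eq 0) {
        # Default instance only: nothing needs the Browser to resolve a port.
        if ($svc.Status -ne 'Stopped' -or $svc.StartType -ne 'Disabled') {
            $action = 'should disable'
            if ($Remediate) {
                Stop-Service -Name SQLBrowser -Force
                Set-Service -Name SQLBrowser -StartupType Disabled
                $action = 'disabled'
            }
        }
    } elseif ($svc -and $svc.Status -eq 'Running') {
        # Named instances: clients need explicit ports or SQL aliases before the Browser goes away.
        $action = 'review: named instances present'
    }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        Instances        = $instances -join ','
        BrowserStatus    = if ($svc) { [string]$svc.Status } else { 'not installed' }
        BrowserStartType = if ($svc) { [string]$svc.StartType } else { '' }
        Action           = $action
    }
}

Invoke-Command -ComputerName $Servers -ScriptBlock $audit -ArgumentList $Remediate.IsPresent |
    Select-Object ComputerName, Instances, BrowserStatus, BrowserStartType, Action
```

Run it without `-Remediate` first to see which hosts would change; hosts flagged for review have named instances and are left untouched.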
