SQL Server Hardening Considerations
Top SQL Hardening Considerations
- Do not install SQL Server on an Active Directory Domain Controller.
- Install the latest updates for SQL Server from Microsoft.
- Set a strong password for the sa account before installing ICM.
- Always install the SQL Server service to run using a least-privilege account. Never install SQL Server to run using the built-in Local System account. Instead, use the Virtual account. See the Staging Guide for Cisco Unified ICM/Contact Center Enterprise at https://www.cisco.com/c/en/us/support/customer-collaboration/unified-contact-center-enterprise/products-installation-guides-list.html for more information.
- Enable the SQL Server Agent service and set it to Automatic for database maintenance in Unified ICM.
Note: Installing the latest updates for SQL Server from Microsoft might require you to disable the SQL Server Agent service. So before performing the cumulative update installation, set this service to Disabled. When the installation is complete, stop the service and set it back to enabled.
- Disable the SQL guest account.
- Restrict sysadmin membership to your Unified ICM administrators.
- Block TCP port 1433 (default) and UDP port 1434 at the network firewall, unless the Administration & Data Server is not in the same security zone as the Logger.
- Change the recovery actions of the Microsoft SQL Server service to restart after a failure.
- Remove all sample databases.
- Enable auditing for failed sign-ins.
The following table lists the settings and the corresponding default and supported values for SQL hardening.

| Setting Name | Default Value | Supported Value |
|---|---|---|
| Scan for Startup Procedures | Disabled (0) | 0 or 1 supported. Unified CCE does not require it to be enabled; however, enabling it would not create any problem. |
| Ad Hoc Distributed Queries | Disabled (0) | 0 or 1 supported. 0 is more secure. |
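The checks a practitioner would run after hardening, as an added T-SQL example (not Cisco's own script): it is read-only and reports the service accounts, the two sp_configure settings from the table, the sa login, sysadmin membership, guest access per database, the failed-login audit level and any non-system databases. It assumes a sysadmin login on the ICM SQL Server instance and that the login audit level is read from the instance registry value AuditLevel (2 = failed logins, 3 = failed and successful).

```sql
-- Read-only audit of the hardening items above; it changes nothing.
-- Run in SSMS or sqlcmd as a sysadmin against the ICM SQL Server instance.
SET NOCOUNT ON;

-- Service accounts and startup types: SQL Server must not run as Local System,
-- and SQL Server Agent should be Automatic for ICM database maintenance.
SELECT servicename, service_account, startup_type_desc
FROM sys.dm_server_services;

-- sp_configure settings from the table above; value_in_use is the running value.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN (N'scan for startup procs', N'Ad Hoc Distributed Queries');

-- The built-in sa login always has SID 0x01, so this finds it even after a rename.
SELECT name AS sa_login_name, is_disabled
FROM sys.server_principals
WHERE sid = 0x01;

-- Every member of sysadmin; anything beyond the ICM administrators needs review.
SELECT m.name AS sysadmin_member, m.type_desc
FROM sys.server_role_members rm
JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin';

-- Databases in which guest (database principal_id 2) holds CONNECT.
-- master, tempdb and msdb grant it by design; any other database is a finding.
DECLARE @sql nvarchar(max) = N'';
SELECT @sql += N' UNION ALL SELECT N' + QUOTENAME(name, '''') + N' AS database_name'
             + N' FROM ' + QUOTENAME(name) + N'.sys.database_permissions'
             + N' WHERE grantee_principal_id = 2 AND permission_name = N''CONNECT'' AND state = N''G'''
FROM sys.databases
WHERE state_desc = N'ONLINE';
SET @sql = STUFF(@sql, 1, 11, N'');  -- drop the leading ' UNION ALL '
EXEC sys.sp_executesql @sql;

-- Login audit level (assumed registry value): 2 = failed logins, 3 = failed and successful.
DECLARE @audit int;
EXEC master.sys.xp_instance_regread
     N'HKEY_LOCAL_MACHINE',
     N'Software\Microsoft\MSSQLServer\MSSQLServer',
     N'AuditLevel', @audit OUTPUT;
SELECT @audit AS login_audit_level;

-- Non-system databases, to spot leftover sample databases.
SELECT name FROM sys.databases WHERE database_id > 4;
```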
SQL Server Users and Authentication
When creating a user for the SQL Server account, create Windows accounts with the least possible privileges for running SQL Server services. Create the accounts during the installation of SQL Server.
The local user or domain user account that is created for the SQL Server service account follows the Windows or domain password policy respectively. Apply a strict password policy on this account. However, do not set the password to expire. If the password expires, the SQL Server service ceases to function and the Administration & Data Server fails.
Site requirements can govern the password and account settings. Consider minimum settings like the following:

| Setting | Value |
|---|---|
| Enforce Password History | 24 passwords remembered |
| Minimum Password Length | 12 characters |
| Password Complexity | Enabled |
| Minimum Password Age | 1 day |
| Account Lockout Duration | 15 minutes |
| Account Lockout Threshold | 3 invalid logon attempts |
| Reset Account Lockout Counter After | 15 minutes |
During automated SQL Server hardening, if the sa password is found blank, a strong password is generated at random to secure the sa account. You can reset the sa account password after installation by logging on to the SQL Server using a Windows Local Administrator account.
UCCE supports renaming or removing the default built-in MS SQL sa account. If the sa account is used to integrate with UCCE solution components such as Finesse, CUIC or any other third-party integrations, the login credentials have to be reconfigured with the renamed sa account.
Note: Renaming or removing the sa account has no correlation with the SQL Server hardening that happens during installation or upgrade.