Microsoft KB Archive/814130

= How to help secure network connectivity for SQL Server 2000 local databases =

Article ID: 814130

Article Last Modified on 10/29/2007


APPLIES TO


 * Microsoft SQL Server 2000 Standard Edition
 * Microsoft SQL Server 2000 Desktop Engine (Windows)
 * Microsoft SQL Server 2000 Service Pack 3a
 * Microsoft SQL Server 2000 Desktop Engine
 * Microsoft SQL Server 2005 Standard Edition
 * Microsoft SQL Server 2005 Developer Edition
 * Microsoft SQL Server 2005 Enterprise Edition
 * Microsoft SQL Server 2005 Express Edition
 * Microsoft SQL Server 2005 Workgroup Edition




SUMMARY
Some instances of the SQL Server 2000 Personal Edition and the SQL Server 2000 Desktop Engine (also known as MSDE 2000) may operate as local data stores, used only by applications that are running on the same computer. If network connections are never made to these instances of MSDE 2000, the instances do not require network support and it is prudent to turn off resources that are not required.

If you are using SQL Server 2005

The same concepts and discussions about SQL Server 2000 also apply to SQL Server 2005 and SQL Server Express. For more information about this subject in SQL Server 2005, see the following topics in SQL Server 2005 Books Online:
 * How to: Configure Client Protocols (SQL Server Configuration Manager)
 * Configuring Server Network Protocols and Net-Libraries
 * Default SQL Server Network Configuration



MORE INFORMATION
Each instance of SQL Server 2000 or MSDE 2000 can be configured to listen on a specific set of network protocols and addresses. If an instance does not require network connectivity, turning off the unused network support decreases the security dependencies of the instance. You can do this by configuring the instance to not listen on any network protocols. Typically, you only do this with the versions of SQL Server 2000 that operate as local data stores:


 * SQL Server 2000 Personal Edition

-or-


 * SQL Server 2000 Desktop Engine (MSDE 2000)

As soon as you configure an instance of SQL Server not to listen for network protocols, all applications on the same computer communicate with the instance by using the shared memory Net-Library.

Turning off the network protocol support does not imply that the network protocols are inherently insecure. Any time a program accesses an external resource, the program acquires dependencies on the security of the external resource, even if the external resource is very secure. By turning off unused resources, the program simply reduces its security dependencies.

Note All administration of that instance must be completed on the computer that the instance is running on.

Instances of SQL Server 2000 SP3a or MSDE 2000 SP3a will stop listening on UDP port 1434 when they are configured to not listen on any network protocols. Earlier versions of SQL Server 2000 or MSDE 2000 always listen on UDP 1434, regardless of their configuration. For more information, please see the Readme.htm for SP3a, available from the following Microsoft Web site:

SQL Server version 2000 Service Pack 3a Readme.htm

If the instance is running in Windows Authentication mode, one of the Windows accounts on that computer must be a member of the SQL Server sysadmin fixed server role. If the instance is running in mixed mode, administrators can log in by using the sa account or by using a Windows account that is in the SQL Server sysadmin fixed server role.

To use the SQL Server 2000 Server Network utility to configure an existing instance of SQL Server 2000 or MSDE 2000 not to listen for network connections, follow these steps:


 * 1) If the SQL Server client tools are installed on the computer, open the Microsoft SQL Server program group, and then start the Server Network utility. If the SQL Server client utilities are not installed, run the Svrnetcn.exe file that is in the SQL Server Tools\Binn folder. Generally, the reason the SQL Server client utilities are not installed on a computer is that the computer is only running instances of MSDE 2000 that do not give the user a license to use the SQL Server client utilities.

For more information about the folder structure for SQL Server 2000 files, visit the following Microsoft Web site:

File Locations for Multiple Instances of SQL Server
 * 2) On the General tab, select the name of the instance of SQL Server in the Instance(s) on this computer list box. Click to select servername for the default instance, or select servername/instancename for any named instance.
 * 3) To limit the instance of SQL Server to only permit local connections, click Disable until there are no protocols listed in the Enabled protocols list. If you have to change this later to permit remote connections, reverse this process and enable one or more protocols.
 * 4) Click OK.
 * 5) Restart the instance of SQL Server for the changes to take effect.

You can use the SQL Server 2000 Server Network utility to enable network connections to an instance of SQL Server 2000 that is currently configured not to support them.
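One way to verify the result after the restart, added here as an example and not part of the original article: the script parses `netstat -ano` output and reports listening TCP sockets and UDP sockets that belong to a SQL Server process, plus anything bound to TCP 1433 or UDP 1434. The sample output and PIDs are constructed, and the sketch assumes a Windows version whose netstat supports the PID column; in practice the PIDs would be those of sqlservr.exe as shown by `tasklist`.

```python
# Added example: check netstat output for sockets a "local only" instance should not have.
# Sample output and PIDs are constructed; 1433 is the well-known default TCP port,
# 1434 is the UDP port the article names.
WATCHED = {("TCP", 1433), ("UDP", 1434)}

def parse_netstat(text):
    """Yield (proto, addr, port, state, pid) for each socket row of `netstat -ano`."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # banner, column header, blank line
        addr, _, port = parts[1].rpartition(":")  # also handles [::]:1433
        state = parts[3] if parts[0] == "TCP" else ""  # UDP rows have no state
        yield parts[0], addr, int(port), state, int(parts[-1])

def network_exposure(netstat_text, sqlservr_pids):
    """Return listeners owned by SQL Server PIDs or bound to the watched ports."""
    findings = []
    for proto, addr, port, state, pid in parse_netstat(netstat_text):
        if proto == "TCP" and state != "LISTENING":
            continue  # established or outbound connections are not listeners
        if pid in sqlservr_pids or (proto, port) in WATCHED:
            findings.append((proto, addr, port, pid))
    return findings

# Constructed: default instance (PID 1820) and a named instance on a dynamic port (PID 2044).
BEFORE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING       1820
  TCP    0.0.0.0:49172          0.0.0.0:0              LISTENING       2044
  TCP    10.0.0.5:1433          10.0.0.9:50211         ESTABLISHED     1820
  UDP    0.0.0.0:1434           *:*                                    1820
"""
# Constructed: same host after all protocols were disabled and the instances restarted.
AFTER = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  UDP    0.0.0.0:500            *:*                                    700
"""

if __name__ == "__main__":
    pids = {1820, 2044}
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        hits = network_exposure(sample, pids)
        print(label, "->", hits if hits else "no SQL Server listeners found")
    # Limit: remote Named Pipes ride on SMB, which netstat attributes to the System
    # process, so this check does not show whether the Named Pipes protocol is enabled.
```

Matching on the owning PID catches a named instance on a dynamic TCP port, which a check for port 1433 alone would miss.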

The DISABLENETWORKPROTOCOLS Switch
The SQL Server 2000 Desktop Engine (MSDE 2000) Service Pack 3 Setup program introduced a new DISABLENETWORKPROTOCOLS switch that you can use to install a new instance of MSDE 2000 that does not have any network connectivity enabled.

For SP3, the behavior of this switch is such that if DISABLENETWORKPROTOCOLS is not specified, the instance is installed with network protocol connections enabled. If you specify DISABLENETWORKPROTOCOLS=1, no network protocols are enabled for that instance.

There are two changes to the behavior of DISABLENETWORKPROTOCOLS in SP3a:
 * The default when installing a new instance of SP3a is to disable network protocol support, making the instance more secure by default.
 * You can specify that the network protocol support be turned off when upgrading an existing instance of MSDE 2000.

The following tables describe this behavior:

Upgrades to MSDE 2000 SP3a
Note The /DISABLENETWORKPROTOCOLS switch is not listed when you run the MSDE 2000 setup.exe with the “/?” switch to list the switches it supports.

For more information about DISABLENETWORKPROTOCOLS, please see the SQL Server 2000 Service Pack 3a Readme file, available from the following Microsoft Web site:

SQL Server version 2000 Service Pack 3a Readme.htm

