During my recent engagement with the client, I discovered several SQL Server instances containing valuable customer and financial data. Understandably, my client was concerned about the security risk associated with these exposed instances. They feared that anyone with access to their network could easily find and exploit this sensitive information. Here is my popular service Comprehensive Database Performance Health Check.
Implementing Instance Hiding
To address these concerns, I recommended the implementation of “instance hiding,” a straightforward and effective solution to limit access to the exposed instances. By enabling this feature, new logins could no longer detect or see the instances, granting better control over database accessibility.
Implementing instance hiding was a simple and straightforward process:
- Accessing SQL Server Configuration Manager: We started by opening the SQL Server Configuration Manager on the client’s main database server.
- Navigating to SQL Server Network Configuration: Within the Configuration Manager, we found the “SQL Server Network Configuration” section and selected “Protocols for [InstanceToHide].”
- Enabling Instance Hiding: Next, we right-clicked and selected “Properties” and then went to the “Flags” tab. All we had to do was check the “Hide Instance” box and click “OK” to apply the changes instantly.
How to Connect Post Instance Hiding?
To ensure seamless connectivity to the hidden instances, I updated the client’s connection strings to include the port number associated with the hidden instances. Additionally, I created aliases on each node for high-availability clusters and availability groups, ensuring uninterrupted connectivity during failover.
Conclusion
The results of implementing instance hiding were remarkable. By making sensitive data invisible to unauthorized users, we significantly reduced the risk of potential data breaches and unauthorized access. The success of this approach lies in its simplicity and ability to fortify security while maintaining the smooth functioning of essential database operations.
Here you can subscribe to my YouTube Channel.
Reference: Pinal Dave (https://blog.sqlauthority.com)
4 Comments. Leave new
Instance hiding is the same as disable sql browser?
What’s are the differences between both?
Thanks
This is a great question. A blog post coming on the topic very soon.
But cant i still connect/rdp to the db server and instances using the alias and associated ip address and port?
Dear Pinal Dave,
I have a questions with creating alias. I can’t make it. I can on a standalone server but in cluster not.
We have a cluster with 2 node and 5 SQL Server instance. 5 different instance IP.
1.) How can I create alias:
I got an information:
https://learn.microsoft.com/en-us/sql/database-engine/configure-windows/hide-an-instance-of-sql-server-database-engine?view=sql-server-ver16
alias on the 2 node. BUT! What will be be name of alias, and where it “linked”?
for example: where it linked?
node IP + port OR instance IP + port ?
2.) Where can I create alias?
Best regards,
HEVESI Robert