Installation guide
BlackBerry Enterprise Solution Security
BlackBerry architecture component security 27
Configuration option: Shield your Microsoft SQL Server installation from Internet-based attacks
Recommendations:
• Require Windows Authentication Mode for connections to Microsoft SQL Server to restrict connections to Microsoft Windows® user and domain user accounts and enable credentials delegation.
  Note: Windows Authentication Mode eliminates the need to store passwords on the client side. However, if you are running BlackBerry MDS Services, your SQL server must support Mixed Mode authentication.
• Use Windows security enforcement mechanisms such as stronger authentication protocols and mandatory password complexity and expiration.
Configuration option: Password-protect the service account
Recommendations:
• Assign a strong password to your sa account, even on servers that require Windows Authentication.
  Note: A strong password is designed to prevent exposure of a blank or weak sa password if the server is ever reconfigured for Mixed Mode Authentication.
Configuration option: Limit the privilege level of Microsoft SQL Server Windows services
Recommendations:
• Associate each service with a Windows account from which the service derives its security context.
  Note: Microsoft SQL Server allows a user of the sa login and in some cases other users to access operating system features derived from the security context of the account that owns the server process. If the server is not secured, a malicious user might use these operating system calls to extend an attack to any other resource to which the Microsoft SQL Server service account has access.

Configuration option: Use the Microsoft SQL Server Enterprise Manager
Recommendations:
• If you must change the account associated with a Microsoft SQL Server service, use the SQL Server Enterprise Manager. The SQL Server Enterprise Manager sets the appropriate permissions on the files and registry keys that the Microsoft SQL Server uses.
• Do not use the Microsoft Management Console Services applet to change the account associated with a Microsoft SQL Server service. Using this Services applet requires you to manually adjust many registry and NTFS file system permissions and Microsoft Windows user rights.
  Note: See the Microsoft Knowledge Base article "How to change the SQL Server or SQL Server Agent service account without using SQL Enterprise Manager in SQL Server 2000 or SQL Server Management Studio in SQL Server 2005".

Configuration option: Make the Microsoft SQL Server ports that are monitored by default on your firewall unavailable
Recommendations:
• Configure your firewall to filter out packets that are addressed to TCP port 1433, addressed to UDP port 1434, or associated with named instances.

Configuration option: Use a secure file system
Recommendations:
• Use NTFS for the Microsoft SQL Server because it is more stable and recoverable than FAT file systems, and enables security options such as file and directory ACLs and EFS.
• Do not change the permissions that the Microsoft SQL Server sets during installation. The Microsoft SQL Server sets appropriate ACLs on registry keys and files if it detects NTFS.
• If you must change the account that runs the Microsoft SQL Server, decrypt the files under the old account and re-encrypt them under the new account.
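The following T-SQL audit script is an added example and is not part of the BlackBerry guide; it checks the first two recommendations above (Windows Authentication Mode, a non-blank sa password, and password policy enforcement on SQL logins). It assumes SQL Server 2005 or later and a login that can read sys.sql_logins (VIEW ANY DEFINITION or sysadmin).

```sql
-- Added audit script (not from the BlackBerry guide). Assumes SQL Server 2005+
-- and permission to read sys.sql_logins. Run against the instance that hosts
-- the BlackBerry Configuration Database; each row returned is one finding.

-- Check 1: authentication mode.
-- SERVERPROPERTY('IsIntegratedSecurityOnly') returns 1 for Windows
-- Authentication Mode only and 0 for Mixed Mode. Mixed Mode is expected only
-- where BlackBerry MDS Services requires it.
SELECT 'AuthMode' AS check_name,
       CASE CONVERT(int, SERVERPROPERTY('IsIntegratedSecurityOnly'))
            WHEN 1 THEN 'PASS: Windows Authentication Mode'
            ELSE 'REVIEW: Mixed Mode enabled (required only for BlackBerry MDS Services)'
       END AS result;

-- Check 2: blank sa password.
-- Flag it even when Windows authentication is enforced, because a later
-- switch to Mixed Mode would expose the weak credential.
SELECT 'SaBlankPassword' AS check_name,
       CASE WHEN PWDCOMPARE('', password_hash) = 1
            THEN 'FAIL: sa has a blank password'
            ELSE 'PASS: sa password is not blank'
       END AS result
FROM sys.sql_logins
WHERE sid = 0x01;   -- the sa login always has SID 0x01

-- Check 3: Windows password policy enforcement on enabled SQL logins.
-- CHECK_POLICY and CHECK_EXPIRATION apply the Windows complexity and
-- expiration rules that the guide recommends.
SELECT 'PolicyEnforced' AS check_name,
       name + ': ' +
       CASE WHEN is_policy_checked = 1 AND is_expiration_checked = 1
            THEN 'PASS'
            ELSE 'FAIL: CHECK_POLICY and/or CHECK_EXPIRATION is OFF'
       END AS result
FROM sys.sql_logins
WHERE is_disabled = 0;
```

Any FAIL row for an enabled login can be corrected with ALTER LOGIN ... WITH CHECK_POLICY = ON, CHECK_EXPIRATION = ON after assigning a strong password.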
www.blackberry.com