Installation guide

- SQL Server 2005 Best Practices Analyzer Tool
- SQL Server 2008 R2 Best Practices Analyzer Tool
A secure installation of VCM pays particular attention to the Security Best Practices items regarding
patching, physical security, service packs, and firewalls. See the following references, available from the
Microsoft Web site.
- SQL Server 2005 Security Best Practices
- Security Considerations for a SQL Server Installation
Direct SQL Server Login
Even from within the server zone, regular VCM users must not connect directly to the VCM database
using tools such as Query Analyzer. These types of direct login connections bypass the administrator
safeguards afforded by the VCM user interface.
Enable the Microsoft host-based firewall and use a network firewall to help prevent direct SQL Server
login.
Login Accounts for SQL Server
Configure SQL Server to accept existing Windows user account credentials for logging in. Do not set up
separate SQL Server login accounts.
Restrict Access to Configuration Tools
SQL Server contains configuration tools such as the system stored procedure sp_configure and the SQL
Server Surface Area Configuration Tool. Always restrict access to sp_configure and the SQL Server Surface
Area Configuration Tool. These tools allow users to activate services and features that are usually disabled
by default:
- xp_cmdshell
- SQL Server Web Assistant
- CLR Integration
- Ad hoc remote queries (the OPENROWSET and OPENDATASOURCE functions)
- OLE automation system procedures
- System procedures for Database Mail and SQL Mail
- Remote use of a dedicated administrator connection
NOTE Features managed with the Surface Area Configuration Tool in SQL Server 2005 are now managed
with Facets in Policy Based Management starting in SQL Server 2008.
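One way to audit this restriction, as an added example that is not part of the VCM guide: the T-SQL below lists which of the features above are currently enabled and which logins are able to change them. It assumes SQL Server 2005 or later and a login allowed to read the server catalog views; the option names are those used in sys.configurations, and an option that a given version lacks returns no row.

```sql
-- Added audit example (not from the VCM guide). Read-only queries.

-- 1. Features from the list above that are currently enabled.
--    Names are sys.configurations option names; an option that does not
--    exist on this SQL Server version simply returns no row.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN (N'xp_cmdshell',
               N'Web Assistant Procedures',
               N'clr enabled',
               N'Ad Hoc Distributed Queries',
               N'Ole Automation Procedures',
               N'Database Mail XPs',
               N'SQL Mail XPs',
               N'remote admin connections')
  AND CAST(value_in_use AS int) = 1
ORDER BY name;

-- 2. Logins that can change these options with sp_configure and RECONFIGURE.
--    The required ALTER SETTINGS permission is held implicitly by members
--    of the sysadmin and serveradmin fixed server roles.
SELECT r.name AS server_role, m.name AS member_login, m.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name IN (N'sysadmin', N'serveradmin')
ORDER BY r.name, m.name;

-- 3. Principals granted ALTER SETTINGS or CONTROL SERVER explicitly
--    (class 100 = server scope; state G = grant, W = grant with grant option).
SELECT p.name AS grantee, p.type_desc, sp.permission_name, sp.state_desc
FROM sys.server_permissions AS sp
JOIN sys.server_principals AS p ON p.principal_id = sp.grantee_principal_id
WHERE sp.class = 100
  AND sp.permission_name IN (N'ALTER SETTINGS', N'CONTROL SERVER')
  AND sp.state IN ('G', 'W')
ORDER BY p.name;
```

Any row from the first query is a feature to justify or disable, and any login in the second or third result that is not a designated administrator is a candidate for removal.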
Delegation for Split Installations
VCM can operate in a split-server installation, where the SQL Server database runs on a different machine
than that of the Collector and Web services. A split installation has the following SQL Server login
possibilities.
- Use a private login to the SQL Server.
- Delegate VCM user credentials to the Web service for login to SQL Server.
VCM Security Guide
VMware, Inc.