Although SQL Server uses a standard port to communicate with other servers in a SharePoint 2013 farm, it is a best security practice to block the standard port assigned to the default instance. To protect against malicious users who will be aware of the default port used, you should instead reassign the default instance to a non-standard port. A good example of this was the Slammer worm virus, that targeted buffer overrun and denial-of-service attacks on the SQL Server Resolution Service, that is well-known to run on UDP port 1434. Whereas the default instance is assigned a static, well-known port number by default, named instances are assigned random port numbers.
Configuring a SQL Server instance to listen on a non-standard port
You configure a SQL Server instance to listen on a non-standard port by using the SQL Server Configuration Manager console on the computer running SQL Server.
Perform the following procedure to configure the SQL Server default instance to listen on a non-default port:
- Open SQL Server Configuration Manager.
- Expand SQL Server Network Configuration.
- Select the default instance, Protocols for MSSQLSERVER.
- Open the properties for the TCP/IP protocol.
- On the IP Addresses tab:
- For each IP address except IPAll, clear all values for both TCP Dynamic Ports and TCP Port.
- For IPAll, clear the value for TCP Dynamic Ports, and for TCP Port, set another port number value, for example 40000, that you want the default instance of SQL Server to listen on.
- Restart the SQL Server service.
Blocking the standard SQL Server ports
If you are using Windows Firewall with Advanced Security at the time you install SharePoint 2013, predefined inbound and outbound rules are automatically created to configure and open the appropriate ports on the firewall for the installed services and applications. This is done to help secure the incoming and outgoing network traffic. Because these rules are predefined and unsolicited traffic is blocked by default, you do not need to explicitly block the standard SQL Server listening ports.
Configuring SQL Server client aliases If you have blocked UDP port 1434 or TCP port 1433 as discussed earlier, you need to create an alias for SQL Server clients so that they can successfully connect to the SQL Server. In a server farm, all web servers and application servers are SQL Server client computers. When you create the alias, you specify the port that the SQL Server instance is listening on.
You need to first install some SQL Server client components on the client computers so that they can connect to the SQL Server instance.
To install the SQL Server client components
- On each client computer, run Setup for SQL Server and select only the following client components to install:
- Connectivity Components
- Management Tools (includes SQL Server Configuration Manager)
You configure client aliases using the SQL Server Configuration Manager console on the client computers. Perform the following procedure to configure a SQL Server client alias:
- On each client computer, open SQL Server Configuration Manager.
- Select SQL Native Client Configuration.
- In the Items window, right-click Aliases and then click New Alias.
- Enter a name for the alias and enter the port number for the database instance.
- Ensure that the protocol is set to TCP/IP.
- In the Server field, enter the name of the computer that is running SQL Server.ces and applications.