Database Hardening For SharePoint 2013

The key recommendation for SharePoint 2013 is to secure communication among servers in a farm by blocking the default ports used for SQL Server communication and establishing custom ports for this communication instead. For services, reduce your attack surface by disabling any service that your database servers do not require.

Ports and protocols

Several ports and protocols are defined and required for SharePoint features and services to operate successfully, and some of these should be modified for greater security.

Configuring Ports and Protocols

After securing the services on your web, application and database servers, you need to think about securing the ports that these servers use to communicate with one another in a SharePoint 2013 farm. Different SharePoint server roles use different ports to communicate with each other.

Securing service application communications

Communications among web servers and service applications in a farm environment use the following ports and protocol bindings by default:

  • HTTP: TCP 32843 (HTTP is the default binding)
  • HTTPS: TCP 32844 (SSL)
  • net.tcp: TCP 32845 (if a third-party developer has implemented this for its service application)

Securing web server communications

The following are the default ports used by SharePoint web servers in a farm:

  • HTTP: TCP 80
  • HTTPS: TCP 443 (SSL)

Securing database server communications

The following are the default ports used for SQL Server communications:

  • TCP 1433 (default)
  • UDP 1434 (used to query the server for the list of named instances)

It is a best practice to block the TCP 1433 port on the SQL Server computer and configure a SQL Server client alias to connect to the named instance instead.
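
The firewall side of this recommendation, as an added example that is not part of the original article: it blocks the two default SQL Server ports on the database server and allows a custom port only from the farm's own servers. The port number 40000, the 192.0.2.x addresses and the rule group name are constructed placeholders, and the cmdlets assume Windows Server 2012 or later. The rules do not change the port the instance listens on; that is set on the SQL Server side, and clients then need the alias because name lookups over UDP 1434 stop working.

```powershell
# Added example. Run elevated on the SQL Server host (Windows Server 2012+,
# NetSecurity and NetTCPIP modules).

# Assumptions (constructed values, replace with your own):
$CustomSqlPort = 40000                          # static port assigned to the instance
$FarmServers   = @('192.0.2.11', '192.0.2.12')  # SharePoint web/app servers
$RuleGroup     = 'SharePoint farm - SQL hardening'

function Set-SqlPortRules {
    # Remove earlier copies so the function can be re-run safely.
    Get-NetFirewallRule -Group $RuleGroup -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule

    # Block the default instance port and the named-instance lookup port.
    New-NetFirewallRule -DisplayName 'Block SQL default TCP 1433' -Group $RuleGroup `
        -Direction Inbound -Protocol TCP -LocalPort 1433 -Action Block | Out-Null
    New-NetFirewallRule -DisplayName 'Block SQL lookup UDP 1434' -Group $RuleGroup `
        -Direction Inbound -Protocol UDP -LocalPort 1434 -Action Block | Out-Null

    # Allow the custom port, but only from the farm's own servers.
    New-NetFirewallRule -DisplayName "Allow SQL custom TCP $CustomSqlPort" `
        -Group $RuleGroup -Direction Inbound -Protocol TCP `
        -LocalPort $CustomSqlPort -RemoteAddress $FarmServers `
        -Action Allow | Out-Null
}

function Test-SqlPortExposure {
    # A firewall block hides 1433 but does not move the instance off it.
    # Report what is actually listening so a leftover default port is visible.
    $listening = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty LocalPort -Unique

    [pscustomobject]@{
        DefaultPortListening = $listening -contains 1433
        CustomPortListening  = $listening -contains $CustomSqlPort
        Rules                = Get-NetFirewallRule -Group $RuleGroup |
                                   Select-Object DisplayName, Enabled, Action
    }
}

Set-SqlPortRules
Test-SqlPortExposure | Format-List
```

If `DefaultPortListening` is still true after the change, the instance has not been reconfigured and only the firewall rule stands between it and the default port.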

Securing search server communications

The following are the default ports used by the SharePoint Search indexing components within a farm:

  • TCP: 16500-16519 inclusive

Securing Active Directory communications

The following are the default ports used to synchronize user profiles between SharePoint 2013 and Active Directory Domain Services (AD DS) on the server that runs the Forefront Identity Management (FIM) agent:

  • TCP and UDP: 389 (LDAP service)
  • TCP and UDP: 88 (Kerberos)
  • TCP and UDP: 53 (DNS)
  • UDP: 464 (Kerberos Change Password)
  • TCP: 5725 (FIM)

Securing external server communications

Some SharePoint 2013 features can be configured to access data on servers that are external to the farm. In these scenarios, you need to ensure that the communication channels are open between the local server and the remote server. Typically, the ports and protocols used depend on the Office Web Apps and Workflow Manager port considerations. You should not block the following ports on any server that runs Office Web Apps Server, since Office Web Apps Server periodically removes web applications on these ports:

  • Port 443 for HTTPS traffic.
  • Port 80 for HTTP traffic.
  • Port 809 for private traffic among the servers that run Office Web Apps Server (in a multi-server farm).

You should also review IIS Manager to see which ports Workflow Manager uses and ensure that these are also available.

Configuring ports

There are several tools and technologies that you can use to configure ports and protocols for SharePoint 2013. However, if you are using the Windows Firewall with Advanced Security when you install SharePoint 2013, predefined inbound and outbound rules are automatically created to configure and open the appropriate ports on the firewall for the installed services and applications.