Lesson 2 - Connecting from Another Computer


Upload: birhanu-atnafu

Post on 10-Feb-2016


SQL BASICS

Configure a Windows Firewall for Database Engine Access

SQL Server 2016

Topic Status: Some information in this topic is preview and subject to change in future releases. Preview information describes new features or changes to existing features in Microsoft SQL Server 2016 Community Technology Preview 2 (CTP2).

This topic describes how to configure a Windows firewall for Database Engine access in SQL Server 2016 by using SQL Server Configuration Manager. Firewall systems help prevent unauthorized access to computer resources. To access an instance of the SQL Server Database Engine through a firewall, you must configure the firewall on the computer running SQL Server to allow access.

For more information about the default Windows firewall settings, and a description of the TCP ports that affect the Database Engine, Analysis Services, Reporting Services, and Integration Services, see Configure the Windows Firewall to Allow SQL Server Access. There are many firewall systems available. For information specific to your system, see the firewall documentation.

The principal steps to allow access are:

1. Configure the Database Engine to use a specific TCP/IP port. The default instance of the Database Engine uses port 1433, but that can be changed. The port used by the Database Engine is listed in the SQL Server error log. Instances of SQL Server Express, SQL Server Compact, and named instances of the Database Engine use dynamic ports. To configure these instances to use a specific port, see Configure a Server to Listen on a Specific TCP Port (SQL Server Configuration Manager).

2. Configure the firewall to allow access to that port for authorized users or computers.

 Note

The SQL Server Browser service lets users connect to instances of the Database Engine that are not listening on port 1433, without knowing the port number. To use SQL Server Browser, you must open UDP port 1434. To promote the most secure environment, leave the SQL Server Browser service stopped, and configure clients to connect using the port number.

 Note

By default, Microsoft Windows enables the Windows Firewall, which closes port 1433 to prevent Internet computers from connecting to a default instance of SQL Server on your computer. Connections to the default instance using TCP/IP are not possible unless you reopen port 1433. The basic steps to configure the Windows firewall are provided in the following procedures. For more information, see the Windows documentation.

As an alternative to configuring SQL Server to listen on a fixed port and opening the port, you can list the SQL Server executable (Sqlservr.exe) as an exception to the blocked programs. Use this method when you want to continue to use dynamic ports. Only one instance of SQL Server can be accessed in this way.

In This Topic

Before you begin:


Introduction to SQL

Security

To configure a Windows Firewall for Database Engine access, using:

https://msdn.microsoft.com/en-us/library/ms175043.aspx 2


Before You Begin

Security

Opening ports in your firewall can leave your server exposed to malicious attacks. Make sure that you understand firewall systems before you open ports. For more information, see Security Considerations for a SQL Server Installation.

Using SQL Server Configuration Manager

Applies to Windows Vista, Windows 7, and Windows Server 2008

The following procedures configure the Windows Firewall by using the Windows Firewall with Advanced Security Microsoft Management Console (MMC) snap-in. The Windows Firewall with Advanced Security only configures the current profile. For more information about the Windows Firewall with Advanced Security, see Configure the Windows Firewall to Allow SQL Server Access.

To open a port in the Windows firewall for TCP access

1. On the Start menu, click Run, type WF.msc, and then click OK.

2. In the Windows Firewall with Advanced Security, in the left pane, right-click Inbound Rules, and then click New Rule in the action pane.

3. In the Rule Type dialog box, select Port, and then click Next.

4. In the Protocol and Ports dialog box, select TCP. Select Specific local ports, and then type the port number of the instance of the Database Engine, such as 1433 for the default instance. Click Next.

5. In the Action dialog box, select Allow the connection, and then click Next.

6. In the Profile dialog box, select any profiles that describe the computer connection environment when you want to connect to the Database Engine, and then click Next.

7. In the Name dialog box, type a name and description for this rule, and then click Finish.

To open access to SQL Server when using dynamic ports

1. On the Start menu, click Run, type WF.msc, and then click OK.

2. In the Windows Firewall with Advanced Security, in the left pane, right-click Inbound Rules, and then click New Rule in the action pane.

3. In the Rule Type dialog box, select Program, and then click Next.

4. In the Program dialog box, select This program path. Click Browse, and navigate to the instance of SQL Server that you want to access through the firewall, and then click Open. By default, SQL Server is at C:\Program Files\Microsoft SQL Server\MSSQL13.MSSQLSERVER\MSSQL\Binn\Sqlservr.exe. Click Next.

5. In the Action dialog box, select Allow the connection, and then click Next.

6. In the Profile dialog box, select any profiles that describe the computer connection environment when you want to connect to the Database Engine, and then click Next.

7. In the Name dialog box, type a name and description for this rule, and then click Finish.


Lesson 1: Connecting to the Database Engine

Applies To: SQL Server 2016 Preview

When you install the SQL Server Database Engine, the tools that are installed depend upon the edition and your setup choices. This lesson reviews the principal tools, and shows you how to connect and perform a basic function (authorizing more users).

This lesson contains the following tasks:

Tools For Getting Started
Connecting with Management Studio
Authorizing Additional Connections

Tools For Getting Started

The SQL Server Database Engine ships with a variety of tools. This topic describes the first tools you will need, and helps you select the right tool for the job. All tools can be accessed from the Start menu. Some tools, such as SQL Server Management Studio, are not installed by default. You must select the tools as part of the client components during setup. For a complete description of the tools described below, search for them in SQL Server Books Online. SQL Server Express contains only a subset of the tools.

Basic Tools

SQL Server Management Studio is the principal tool for administering the Database Engine and writing Transact-SQL code. It is hosted in the Visual Studio shell. It is not included in SQL Server Express but is available as a separate download from Microsoft Download Center.

SQL Server Configuration Manager installs with both SQL Server and the client tools. It lets you enable server protocols, configure protocol options such as TCP ports, configure server services to start automatically, and configure client computers to connect in your preferred manner. This tool configures the more advanced connectivity elements but does not enable features.

Sample Database

The sample databases and samples are not included with SQL Server. Most of the examples that are described in SQL Server Books Online use the AdventureWorks2012 sample database.

To start SQL Server Management Studio

On the Start menu, point to All Programs, point to Microsoft SQL Server 2016, and then click SQL Server Management Studio.

To start SQL Server Configuration Manager

On the Start menu, point to All Programs, point to Microsoft SQL Server 2016, point to Configuration Tools, and then click SQL Server Configuration Manager.

Connecting with Management Studio

It is easy to connect to the Database Engine from tools that are running on the same computer if you know the name of the instance, and if you are connecting as a member of the Administrators group on the computer. The following procedures must be performed on the same computer that hosts SQL Server.

To determine the name of the instance of the Database Engine

1. Log into Windows as a member of the Administrators group, and open Management Studio.

 Security Note

If you are connecting to SQL Server 2005 on Windows Vista or Windows Server 2008 (or more recent), you may need to right-click Management Studio and then click Run as Administrator in order to connect using your Administrator credentials. Starting in SQL Server 2008, setup adds selected logins to SQL Server, so your Administrator credentials are not necessary.


2. In the Connect to Server dialog box, click Cancel.

3. If Registered Servers is not displayed, on the View menu, click Registered Servers.

4. With Database Engine selected on the Registered Servers toolbar, expand Database Engine, right-click Local Server Groups, point to Tasks, and then click Register Local Servers. All instances of the Database Engine installed on the computer are displayed. The default instance is unnamed and is shown as the computer name. A named instance displays as the computer name followed by a backward slash (\) and then the name of the instance. For SQL Server Express, the instance is named <computer_name>\sqlexpress unless the name was changed during setup.

To verify that the Database Engine is running

1. In Registered Servers, if the name of your instance of SQL Server has a green dot with a white arrow next to the name, the Database Engine is running and no further action is necessary.

2. If the name of your instance of SQL Server has a red dot with a white square next to the name, the Database Engine is stopped. Right-click the name of the Database Engine, click Service Control, and then click Start. After a confirmation dialog box, the Database Engine should start and the circle should turn green with a white arrow.

To connect to the Database Engine

1. In Management Studio, on the File menu, click Connect Object Explorer.

The Connect to Server dialog box opens. The Server type box displays the type of component that was last used.

2. Select Database Engine.

3. In the Server name box, type the name of the instance of the Database Engine. For the default instance of SQL Server, the server name is the computer name. For a named instance of SQL Server, the server name is the <computer_name>\<instance_name>, such as ACCTG_SRVR\SQLEXPRESS.

4. Click Connect.

Authorizing Additional Connections

Now that you have connected to SQL Server as an administrator, one of your first tasks is to authorize other users to connect. You do this by creating a login and authorizing that login to access a database as a user. Logins can be either Windows Authentication logins, which use credentials from Windows, or SQL Server Authentication logins, which store the authentication information in SQL Server and are independent of your Windows credentials. Use Windows Authentication whenever possible.

Create a Windows Authentication login

1. In the previous task, you connected to the Database Engine using Management Studio. In Object Explorer, expand your server instance, expand Security, right-click Logins, and then click New Login. The Login - New dialog box appears.

2. On the General page, in the Login name box, type a Windows login in the format <domain>\<login>.

3. In the Default database box, select AdventureWorks2012 if available. Otherwise select master.

4. On the Server Roles page, if the new login is to be an administrator, click sysadmin, otherwise leave this blank.

5. On the User Mapping page, select Map for the AdventureWorks2012 database if it is available. Otherwise select master. Note that the User box is populated with the login. When closed, the dialog box will create this user in the database.

6. In the Default Schema box, type dbo to map the login to the database owner schema.

7. Accept the default settings for the Securables and Status boxes and click OK to create the login.


 Security Note

This is basic information to get you started. SQL Server provides a rich security environment, and security is obviously an important aspect of database operations.


Lesson 2: Connecting from Another Computer

Applies To: SQL Server 2016 Preview

To enhance security, the Database Engine of SQL Server Developer, Express, and Evaluation editions cannot be accessed from another computer when initially installed. This lesson shows you how to enable the protocols, configure the ports, and configure the Windows Firewall for connecting from other computers.

This lesson contains the following tasks:

Enabling Protocols
Configuring a Fixed Port
Opening Ports in the Firewall
Connecting to the Database Engine from Another Computer
Connecting Using the SQL Server Browser Service

Enabling Protocols

To enhance security, SQL Server Express, Developer, and Evaluation install with only limited network connectivity. Connections to the Database Engine can be made from tools that are running on the same computer, but not from other computers. If you are planning to do your development work on the same computer as the Database Engine, you do not have to enable additional protocols. Management Studio will connect to the Database Engine by using the shared memory protocol. This protocol is already enabled.

If you plan to connect to the Database Engine from another computer, you must enable a protocol, such as TCP/IP.

How to enable TCP/IP connections from another computer

1. On the Start menu, point to All Programs, point to Microsoft SQL Server 2016, point to Configuration Tools, and then click SQL Server Configuration Manager.

Note

You might have both 32 bit and 64 bit options available.

2. In SQL Server Configuration Manager, expand SQL Server Network Configuration, and then click Protocols for <InstanceName>. The default instance (an unnamed instance) is listed as MSSQLSERVER. If you installed a named instance, the name you provided is listed. SQL Server 2012 Express installs as SQLEXPRESS, unless you changed the name during setup.

3. In the list of protocols, right-click the protocol you want to enable (TCP/IP), and then click Enable.

Note

You must restart the SQL Server service after you make changes to network protocols; however, this is completed in the next task.


Configuring a Fixed Port

To enhance security, Windows Server 2008, Windows Vista, and Windows 7 all turn on the Windows Firewall. When you want to connect to this instance from another computer, you must open a communication port in the firewall. The default instance of the Database Engine listens on port 1433; therefore, you do not have to configure a fixed port. However, named instances including SQL Server Express listen on dynamic ports. Before you can open a port in the firewall, you must first configure the Database Engine to listen on a specific port known as a fixed port or a static port; otherwise, the Database Engine might listen on a different port each time it is started. For more information about firewalls, the default Windows firewall settings, and a description of the TCP ports that affect the Database Engine, Analysis Services, Reporting Services, and Integration Services, see Configure the Windows Firewall to Allow SQL Server Access.

Note

Port number assignments are managed by the Internet Assigned Numbers Authority and are listed at http://www.iana.org. Port numbers should be assigned from numbers 49152 through 65535.

Configure SQL Server to listen on a specific port

1. In SQL Server Configuration Manager, expand SQL Server Network Configuration, and then click on the server instance you want to configure.

2. In the right pane, double-click TCP/IP.

3. In the TCP/IP Properties dialog box, click the IP Addresses tab.

4. In the TCP Port box of the IPAll section, type an available port number. For this tutorial, we will use 49172.

5. Click OK to close the dialog box, and click OK to the warning that the service must be restarted.

6. In the left pane, click SQL Server Services.

7. In the right pane, right-click the instance of SQL Server, and then click Restart. When the Database Engine restarts, it will listen on port 49172.

Opening Ports in the Firewall

Firewall systems help prevent unauthorized access to computer resources. To connect to SQL Server from another computer when a firewall is on, you must open a port in the firewall.

Important

Opening ports in your firewall can leave your server exposed to malicious attacks. Be sure to understand firewall systems before opening ports. For more information, see Security Considerations for a SQL Server Installation.

After you configure the Database Engine to use a fixed port, use the following instructions to open that port in your Windows Firewall. (You do not have to configure a fixed port for the default instance, because it is already fixed on TCP port 1433.)

To open a port in the Windows firewall for TCP access (Windows 7)

1. On the Start menu, click Run, type WF.msc, and then click OK.

2. In Windows Firewall with Advanced Security, in the left pane, right-click Inbound Rules, and then click New Rule in the action pane.

3. In the Rule Type dialog box, select Port, and then click Next.

4. In the Protocol and Ports dialog box, select TCP. Select Specific local ports, and then type the port number of the instance of the Database Engine. Type 1433 for the default instance. Type 49172 if you are configuring a named instance and configured a fixed port in the previous task. Click Next.


5. In the Action dialog box, select Allow the connection, and then click Next.

6. In the Profile dialog box, select any profiles that describe the computer connection environment when you want to connect to the Database Engine, and then click Next.

7. In the Name dialog box, type a name and description for this rule, and then click Finish.
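The same inbound rule can be created from PowerShell and limited to the computers that are authorized to connect, then checked against every other rule that exposes SQL Server. This is an added example, not part of the original tutorial; the rule name and the 192.0.2.0/24 client range are placeholders, and it assumes the NetSecurity cmdlets (Windows 8 / Windows Server 2012 or later).

```powershell
# Added example (not from the tutorial). Run in an elevated PowerShell session on
# the server. Requires the NetSecurity module (Windows 8 / Server 2012 or later).
$SqlPort     = 49172                                     # fixed port from the tutorial
$RuleName    = 'SQL Server Database Engine (TCP 49172)'  # hypothetical rule name
$ClientRange = '192.0.2.0/24'                            # placeholder: authorized clients

# 1. Create the scoped inbound rule once; do nothing if it already exists.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Description 'Database Engine fixed port, authorized clients only' `
        -Direction Inbound -Action Allow -Protocol TCP -LocalPort $SqlPort `
        -Profile Domain -RemoteAddress $ClientRange | Out-Null
}

# 2. List every enabled inbound allow rule that exposes SQL Server: the fixed
#    port, the default port 1433, UDP 1434 (SQL Server Browser), or a program
#    rule for Sqlservr.exe (the dynamic-port alternative).
#    Port ranges and rules with LocalPort 'Any' are not expanded here.
$findings = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        $app  = $_ | Get-NetFirewallApplicationFilter

        $sqlTcp  = $port.Protocol -eq 'TCP' -and
                   (@($port.LocalPort) -contains "$SqlPort" -or
                    @($port.LocalPort) -contains '1433')
        $browser = $port.Protocol -eq 'UDP' -and @($port.LocalPort) -contains '1434'
        $program = $app.Program -like '*\sqlservr.exe'

        if ($sqlTcp -or $browser -or $program) {
            [pscustomobject]@{
                Rule          = $_.DisplayName
                Protocol      = $port.Protocol
                LocalPort     = $port.LocalPort -join ','
                Profile       = $_.Profile
                RemoteAddress = $addr.RemoteAddress -join ','
                # Broad = reachable from any address, or allowed on the Public
                # profile (a rule for all profiles reports Profile 'Any').
                Broad         = (@($addr.RemoteAddress) -contains 'Any') -or
                                ("$($_.Profile)" -match 'Public|Any')
            }
        }
    }
$findings | Format-Table -AutoSize

# 3. The tutorial connects by port number, so SQL Server Browser should be stopped.
$svc = Get-Service -Name 'SQLBrowser' -ErrorAction SilentlyContinue
if ($svc -and $svc.Status -ne 'Stopped') {
    Write-Warning "SQL Server Browser is $($svc.Status); this setup expects it stopped."
}
```

Any row with Broad set to True is a rule that admits more than the authorized computers and is worth narrowing or removing.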

For more information about configuring the firewall including instructions for Windows Vista, see Configure a Windows Firewall for Database Engine Access. For more information about the default Windows firewall settings, and a description of the TCP ports that affect the Database Engine, Analysis Services, Reporting Services, and Integration Services, see Configure the Windows Firewall to Allow SQL Server Access.

Connecting to the Database Engine from Another Computer

Now that you have configured the Database Engine to listen on a fixed port, and have opened that port in the firewall, you can connect to SQL Server from another computer.

When the SQL Server Browser service is running on the server computer, and when the firewall has opened UDP port 1434, the connection can be made by using the computer name and instance name. To enhance security, our example does not use the SQL Server Browser service.

To connect to the Database Engine from another computer

1. On a second computer that contains the SQL Server client tools, log in with an account authorized to connect to SQL Server, and open Management Studio.

2. In the Connect to Server dialog box, confirm Database Engine in the Server type box.

3. In the Server name box, type tcp: to specify the protocol, followed by the computer name, a comma, and the port number. To connect to the default instance, the port 1433 is implied and can be omitted; therefore, type tcp:<computer_name>. In our example for a named instance, type tcp:<computer_name>,49172.

Note

If you omit tcp: from the Server name box, then the client will attempt all protocols that are enabled, in the order specified in the client configuration.

4. In the Authentication box, confirm Windows Authentication, and then click Connect.
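The same connection can be tested from a script on the client, which also confirms which transport, port and authentication scheme the session actually used. This is an added example, not part of the original tutorial; it assumes Windows PowerShell with Test-NetConnection available (Windows 8.1 / Windows Server 2012 R2 or later) and reuses the sample computer name ACCTG_SRVR from Lesson 1.

```powershell
# Added example (not from the tutorial). Run on the client computer in Windows
# PowerShell, signed in as a Windows account that has a SQL Server login.
$Computer = 'ACCTG_SRVR'   # sample computer name from Lesson 1; replace with yours
$Port     = 49172          # fixed port configured in this lesson

# 1. Check that the firewall rule lets this client reach the port at all.
$probe = Test-NetConnection -ComputerName $Computer -Port $Port `
             -WarningAction SilentlyContinue
if (-not $probe.TcpTestSucceeded) {
    throw "TCP port ${Port} on ${Computer} is not reachable. Check the fixed port, the service restart and the inbound rule."
}

# 2. Connect the way the Server name box does, tcp:<computer_name>,<port>,
#    with Windows Authentication (Integrated Security).
$conn = New-Object System.Data.SqlClient.SqlConnection
$conn.ConnectionString =
    "Server=tcp:${Computer},${Port};Integrated Security=SSPI;Connect Timeout=10"
try {
    $conn.Open()
    $cmd = $conn.CreateCommand()
    # CONNECTIONPROPERTY reports on the current connection only.
    $cmd.CommandText = @'
SELECT CONNECTIONPROPERTY('net_transport')  AS net_transport,
       CONNECTIONPROPERTY('local_tcp_port') AS local_tcp_port,
       CONNECTIONPROPERTY('auth_scheme')    AS auth_scheme,
       SUSER_SNAME()                        AS login_name;
'@
    $reader = $cmd.ExecuteReader()
    $null   = $reader.Read()
    $result = [pscustomobject]@{
        Transport  = $reader['net_transport']        # expected: TCP
        Port       = [int]$reader['local_tcp_port']  # expected: 49172
        AuthScheme = $reader['auth_scheme']          # NTLM or KERBEROS for Windows logins
        Login      = $reader['login_name']
    }
    $reader.Close()
    $result

    if ($result.Port -ne $Port) {
        Write-Warning "Connected on port $($result.Port), not ${Port}."
    }
}
finally {
    $conn.Dispose()
}
```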

Connecting Using the SQL Server Browser Service

The SQL Server Browser service listens for incoming requests for SQL Server resources and provides information about SQL Server instances installed on the computer. When the SQL Server Browser service is running, users can connect to named instances by providing the computer name and instance name, instead of the computer name and port number. Because SQL Server Browser receives unauthenticated UDP requests, it is not always turned on during setup. For a description of the service and an explanation of when it is turned on, see SQL Server Browser Service (Database Engine and SSAS).

To use the SQL Server Browser, you must follow the same steps as before and open UDP port 1434 in the firewall.
