Surface Area Configuration
Applies to: SQL Server
In the default configuration of new installations of SQL Server, many features are not enabled. SQL Server selectively installs and starts only key services and features, to minimize the number of features that can be attacked by a malicious user. A system administrator can change these defaults at installation time and also selectively enable or disable features of a running instance of SQL Server. Additionally, some components may not be available when connecting from other computers until protocols are configured.
Unlike new installations, no existing services or features are turned off during an upgrade, but additional surface area configuration options can be applied after the upgrade is completed.
Protocols, Connection, and Startup Options
Use SQL Server Configuration Manager to start and stop services, configure the startup options, and enable protocols and other connection options.
To start SQL Server Configuration Manager
On the Start menu, point to All Programs, point to Microsoft SQL Server, point to Configuration Tools, and then click SQL Server Configuration Manager.
Use the SQL Server Services area to start components and configure the automatic starting options.
Use the SQL Server Network Configuration area to enable connection protocols, and connection options such as fixed TCP/IP ports, or forcing encryption.
For more information, see SQL Server Configuration Manager. Remote connectivity can also depend upon the correct configuration of a firewall. For more information, see Configure the Windows Firewall to Allow SQL Server Access.
Enabling and Disabling Features
Enabling and disabling SQL Server features can be configured using facets in SQL Server Management Studio.
To configure surface area using facets
In Management Studio connect to a component of SQL Server.
In Object Explorer, right-click the server, and then click Facets.
In the View Facets dialog box, expand the Facet list, and select the appropriate Surface Area Configuration facet (Surface Area Configuration, Surface Area Configuration for Analysis Services, or Surface Area Configuration for Reporting Services).
In the Facet properties area, select the values that you want for each property.
To periodically check the configuration of a facet, use Policy-Based Management. For more information about Policy-Based Management, see Administer Servers by Using Policy-Based Management.
You can also set Database Engine options using the sp_configure stored procedure. For more information, see Server Configuration Options (SQL Server).
To change the EnableIntegrated Security property of SSRS, use the property settings in SQL Server Management Studio. To change the Schedule events and report delivery property and the Web service and HTTP access property, edit the RSReportServer.config configuration file.
Use the Invoke-PolicyEvaluationSQL Server PowerShell cmdlet to invoke Surface Area Configuration Policies. For more information, see Use the Database Engine cmdlets.
SOAP and Service Broker Endpoints
To turn endpoints off, use Policy-Based Management. To create and alter the properties of endpoints, use CREATE ENDPOINT (Transact-SQL) and ALTER ENDPOINT (Transact-SQL).
Security Center for SQL Server Database Engine and Azure SQL Database
Submit and view feedback for