SQL

B ASICS
Configure a Windows Firewall for Database Engine
Access
SQL Server 2016
Topic Status: Some information in this topic is preview and subject to change in future releases.
Preview information describes new features or changes to existing features in Microsoft SQL Server
2016 Community Technology Preview 2 (CTP2).
This topic describes how to configure a Windows firewall for Database Engine access in SQL Server
2016 by using SQL Server Configuration Manager. Firewall systems help prevent unauthorized access
to computer resources. To access an instance of the SQL Server Database Engine through a firewall,
you must configure the firewall on the computer running SQL Server to allow access.
For more information about the default Windows firewall settings, and a description of the TCP ports
that affect the Database Engine, Analysis Services, Reporting Services, and Integration Services,
see Configure the Windows Firewall to Allow SQL Server Access. There are many firewall systems
available. For information specific to your system, see the firewall documentation.
The principal steps to allow access are:
1. Configure the Database Engine to use a specific TCP/IP port. The default instance of the
Database Engine uses port 1433, but that can be changed. The port used by the Database
Engine is listed in the SQL Server error log. Instances of SQL Server Express, SQL Server
Compact, and named instances of the Database Engine use dynamic ports. To configure these
instances to use a specific port, see Configure a Server to Listen on a Specific TCP Port (SQL
Server Configuration Manager).
2. Configure the firewall to allow access to that port for authorized users or computers.
Note

The SQL Server Browser service lets users connect to instances of the Database Engine that are not listening
on port 1433, without knowing the port number. To use SQL Server Browser, you must open UDP port
1434. To promote the most secure environment, leave the SQL Server Browser service stopped, and
configure clients to connect using the port number.
Note

By default, Microsoft Windows enables the Windows Firewall, which closes port 1433 to prevent Internet
computers from connecting to a default instance of SQL Server on your computer. Connections to the default
instance using TCP/IP are not possible unless you reopen port 1433. The basic steps to configure the
Windows firewall are provided in the following procedures. For more information, see the Windows
documentation.
As an alternative to configuring SQL Server to listen on a fixed port and opening the port, you can list
the SQL Server executable (Sqlservr.exe) as an exception to the blocked programs. Use this method
when you want to continue to use dynamic ports. Only one instance of SQL Server can be accessed in
this way.
1

Introduction to SQL
In This Topic
Before you begin:
Security
To configure a Widows Firewall for Database Engine access, using:

https://msdn.microsoft.com/en-us/library/ms175043.aspx

Introduction to SQL

Before You Begin

Security

Opening ports in your firewall can leave your server exposed to malicious attacks.
Make sure that you understand firewall systems before you open ports. For more information, see Security
Considerations for a SQL Server Installation

Using SQL Server Configuration Manager

Applies to Windows Vista, Windows 7, and Windows Server 2008
The following procedures configure the Windows Firewall by using the Windows Firewall with
Advanced Security Microsoft Management Console (MMC) snap-in. The Windows Firewall with
Advanced Security only configures the current profile. For more information about the Windows
Firewall with Advanced Security, see Configure the Windows Firewall to Allow SQL Server Access

To open a port in the Windows firewall for TCP access

1. On the Start menu, click Run, type WF.msc, and then click OK.
2. In the Windows Firewall with Advanced Security, in the left pane, right-click Inbound
Rules, and then clickNew Rule in the action pane.
3. In the Rule Type dialog box, select Port, and then click Next.
4. In the Protocol and Ports dialog box, select TCP. Select Specific local ports, and then type
the port number of the instance of the Database Engine, such as 1433 for the default
instance. Click Next.
5. In the Action dialog box, select Allow the connection, and then click Next.
6. In the Profile dialog box, select any profiles that describe the computer connection
environment when you want to connect to the Database Engine, and then click Next.
7. In the Name dialog box, type a name and description for this rule, and then click Finish.

To open access to SQL Server when using dynamic ports

1. On the Start menu, click Run, type WF.msc, and then click OK.
2. In the Windows Firewall with Advanced Security, in the left pane, right-click Inbound
Rules, and then clickNew Rule in the action pane.
3. In the Rule Type dialog box, select Program, and then click Next.
4. In the Program dialog box, select This program path. Click Browse, and navigate to the
instance of SQL Server that you want to access through the firewall, and then click Open. By
default, SQL Server is atC:\Program Files\Microsoft SQL
Server\MSSQL13.MSSQLSERVER\MSSQL\Binn\Sqlservr.exe. Click Next.
5. In the Action dialog box, select Allow the connection, and then click Next.
6. In the Profile dialog box, select any profiles that describe the computer connection
environment when you want to connect to the Database Engine, and then click Next.
7. In the Name dialog box, type a name and description for this rule, and then click Finish.

https://msdn.microsoft.com/en-us/library/ms175043.aspx

Introduction to SQL

Lesson 1: Connecting to the Database Engine

Applies To: SQL Server 2016 Preview
When you install the SQL Server Database Engine, the tools that are installed depend upon the
edition and your setup choices. This lesson reviews the principal tools, and shows you how to connect
and perform a basic function (authorizing more users).
This lesson contains the following tasks:
Tools For Getting Started
Connecting with Management Studio
Authorizing Additional Connections

Tools For Getting Started

The SQL Server Database Engine ships with a variety of tools. This topic describes the first tools you
will need, and helps you select the right tool for the job. All tools can be accessed from
the Start menu. Some tools, such as SQL Server Management Studio, are not installed by default.
You must select the tools as part of the client components during setup. For a complete description of
the tools described below, search for them in SQL Server Books Online. SQL Server Express contains
only a subset of the tools.

Basic Tools

SQL Server Management Studio is the principal tool for administering the Database Engine
and writing Transact-SQL code. It is hosted in the Visual Studio shell. It is not included in SQL
Server Express but is available as a separate download from Microsoft Download Center.
SQL Server Configuration Manager installs with both SQL Server and the client tools. It lets you
enable server protocols, configure protocol options such as TCP ports, configure server
services to start automatically, and configure client computers to connect in your preferred
manner. This tool configures the more advanced connectivity elements but does not enable
features.

Sample Database

The sample databases and samples are not included with SQL Server. Most of the examples that are
described in SQL Server Books Online use the AdventureWorks2012 sample database.

To start SQL Server Management Studio

On the Start menu, point to All Programs, point to Microsoft SQL Server 2016, and then
click SQL Server Management Studio.

To start SQL Server Configuration Manager

On the Start menu, point to All Programs, point to Microsoft SQL Server 2016, point
to Configuration Tools, and then click SQL Server Configuration Manager.

Connecting with Management Studio

It is easy to connect to the Database Engine from tools that are running on the same computer if you
know the name of the instance, and if you are connecting as a member of the Administrators group
on the computer. The following procedures must be performed on the same computer that hosts SQL
Server.

To determine the name of the instance of the Database Engine

1. Log into Windows as a member of the Administrators group, and open Management Studio.
Security Note

If you are connecting to SQL Server 2005 on Windows Vista or Windows Server 2008 (or more
recent), you may need to right-click Management Studio and then click Run as Administrator in
order to connect using your Administrator credentials. Starting in SQL Server 2008, setup adds
selected logins to SQL Server, so your Administrator credentials are not necessary.
2. In the Connect to Server dialog box, click Cancel.
https://msdn.microsoft.com/en-us/library/ms175043.aspx

Introduction to SQL
3. If Registered Servers is not displayed, on the View menu, click Registered Servers.
4. With Database Engine selected on the Registered Servers toolbar, expand Database
Engine, right-clickLocal Server Groups, point to Tasks, and then click Register Local
Servers. All instances of the Database Engine installed on the computer are displayed. The
default instance is unnamed and is shown as the computer name. A named instance displays
as the computer name followed by a backward slash (\) and then the name of the instance.
For SQL Server Express, the instance is named <computer_name>\sqlexpress unless the
name was changed during setup.

To verify that the Database Engine is running

1. In Registered Servers, if the name of your instance of SQL Server has a green dot with a white
arrow next to the name, the Database Engine is running and no further action is necessary.
2. If the name of your instance of SQL Server has a red dot with a white square next to the name,
the Database Engine is stopped. Right-click the name of the Database Engine, click Service
Control, and then click Start. After a confirmation dialog box, the Database Engine should
start and the circle should turn green with a white arrow.

To connect to the Database Engine

1. In Management Studio, on the File menu, click Connect Object Explorer.
The Connect to Server dialog box opens. The Server type box displays the type of
component that was last used.
2. Select Database Engine.
3. In the Server name box, type the name of the instance of the Database Engine. For the
default instance of SQL Server, the server name is the computer name. For a named instance
of SQL Server, the server name is the <computer_name>\<instance_name>, such
as ACCTG_SRVR\SQLEXPRESS.
4. Click Connect.

Authorizing Additional Connections

Now that you have connected to SQL Server as an administrator, one of your first tasks is to
authorize other users to connect. You do this by creating a login and authorizing that login to access
a database as a user. Logins can be either Windows Authentication logins, which use credentials from
Windows, or SQL Server Authentication logins, which store the authentication information in SQL
Server and are independent of your Windows credentials. Use Windows Authentication whenever
possible.

Create a Windows Authentication login

1. In the previous task, you connected to the Database Engine using Management Studio. In
Object Explorer, expand your server instance, expand Security, right-click Logins, and then
click New Login.
The Login - New dialog box appears.
2. On the General page, in the Login name box, type a Windows login in the
format <domain>\<login>.
3. In the Default database box, select AdventureWorks2012 if available. Otherwise
select master.
4. On the Server Roles page, if the new login is to be an administrator, click sysadmin,
otherwise leave this blank.
5. On the User Mapping page, select Map for the AdventureWorks2012 database if it is
available. Otherwise select master. Note that the User box is populated with the login. When
closed, the dialog box will create this user in the database.
6. In the Default Schema box, type dbo to map the login to the database owner schema.
7. Accept the default settings for the Securables and Status boxes and click OK to create the
login.
Security Note
https://msdn.microsoft.com/en-us/library/ms175043.aspx

Introduction to SQL

This is basic information to get you started. SQL Server provides a rich security environment, and security is
obviously an important aspect of database operations.

https://msdn.microsoft.com/en-us/library/ms175043.aspx

Introduction to SQL

Lesson 2: Connecting from Another

Computer
Applies To: SQL Server 2016 Preview
To enhance security, the Database Engine of SQL Server Developer, Express, and Evaluation
editions cannot be accessed from another computer when initially installed. This lesson
shows you how to enable the protocols, configure the ports, and configure the Windows
Firewall for connecting from other computers.
This lesson contains the following tasks:
Enabling Protocols
Configuring a Fixed Port
Opening Ports in the Firewall
Connecting to the Database Engine from Another Computer
Connecting Using the SQL Server Browser Service

Enabling Protocols
To enhance security, SQL Server Express, Developer, and Evaluation install with only limited
network connectivity. Connections to the Database Engine can be made from tools that are
running on the same computer, but not from other computers. If you are planning to do your
development work on the same computer as the Database Engine, you do not have to
enable additional protocols. Management Studio will connect to the Database Engine by
using the shared memory protocol. This protocol is already enabled.
If you plan to connect to the Database Engine from another computer, you must enable a
protocol, such as TCP/IP.

How to enable TCP/IP connections from another computer

1. On the Start menu, point to All Programs, point to Microsoft SQL Server 2016, point
to Configuration Tools, and then click SQL Server Configuration Manager.
Note

You might have both 32 bit and 64 bit options available.

2. In SQL Server Configuration Manager, expand SQL Server Network
Configuration, and then clickProtocols for <InstanceName>.
The default instance (an unnamed instance) is listed as MSSQLSERVER. If you
installed a named instance, the name you provided is listed. SQL Server 2012 Express
installs as SQLEXPRESS, unless you changed the name during setup.
3. In the list of protocols, right-click the protocol you want to enable (TCP/IP), and then
click Enable.
Note

You must restart the SQL Server service after you make changes to network protocols; however, this
is completed in the next task.

https://msdn.microsoft.com/en-us/library/ms175043.aspx

Introduction to SQL

Configuring a Fixed Port

To enhance security, Windows Server 2008, Windows Vista, and Windows 7 all turn on the
Windows Firewall. When you want to connect to this instance from another computer, you
must open a communication port in the firewall. The default instance of the Database Engine
listens on port 1433; therefore, you do not have to configure a fixed port. However, named
instances including SQL Server Express listen on dynamic ports. Before you can open a port
in the firewall, you must first configure the Database Engine to listen on a specific port
known as a fixed port or a static port; otherwise, the Database Engine might listen on a
different port each time it is started. For more information about firewalls, the default
Windows firewall settings, and a description of the TCP ports that affect the Database
Engine, Analysis Services, Reporting Services, and Integration Services, see Configure the
Windows Firewall to Allow SQL Server Access.
Note

Port number assignments are managed by the Internet Assigned Numbers Authority and are listed
athttp://www.iana.org. Port numbers should be assigned from numbers 49152 through 65535.

Configure SQL Server to listen on a specific port

1. In SQL Server Configuration Manager, expand SQL Server Network Configuration, and
then click on the server instance you want to configure.
2. In the right pane, double-click TCP/IP.
3. In the TCP/IP Properties dialog box, click the IP Addresses tab.
4. In the TCP Port box of the IPAll section, type an available port number. For this tutorial, we
will use 49172.
5. Click OK to close the dialog box, and click OK to the warning that the service must be
restarted.
6. In the left pane, click SQL Server Services.
7. In the right pane, right-click the instance of SQL Server, and then click Restart. When the
Database Engine restarts, it will listen on port 49172.

Opening Ports in the Firewall

Firewall systems help prevent unauthorized access to computer resources. To connect to SQL Server
from another computer when a firewall is on, you must open a port in the firewall.
Important

Opening ports in your firewall can leave your server exposed to malicious attacks. Be sure to understand
firewall systems before opening ports. For more information, see Security Considerations for a SQL Server
Installation.
After you configure the Database Engine to use a fixed port, follow the following instructions
to open that port in your Windows Firewall. (You do not have to configure a fixed port for the
default instance, because it is already fixed on TCP port 1433.)

To open a port in the Windows firewall for TCP access (Windows 7)

1. On the Start menu, click Run, type WF.msc, and then click OK.
2. In Windows Firewall with Advanced Security, in the left pane, right-click Inbound Rules,
and then clickNew Rule in the action pane.
3. In the Rule Type dialog box, select Port, and then click Next.
4. In the Protocol and Ports dialog box, select TCP. Select Specific local ports, and then type
the port number of the instance of the Database Engine. Type 1433 for the default instance.
Type 49172 if you are configuring a named instance and configured a fixed port in the
previous task. Click Next.
https://msdn.microsoft.com/en-us/library/ms175043.aspx

Introduction to SQL
5. In the Action dialog box, select Allow the connection, and then click Next.
6. In the Profile dialog box, select any profiles that describe the computer connection
environment when you want to connect to the Database Engine, and then click Next.
7. In the Name dialog box, type a name and description for this rule, and then click Finish.
For more information about configuring the firewall including instructions for Windows Vista,
see Configure a Windows Firewall for Database Engine Access. For more information about the default
Windows firewall settings, and a description of the TCP ports that affect the Database Engine,
Analysis Services, Reporting Services, and Integration Services, see Configure the Windows Firewall
to Allow SQL Server Access.

Connecting to the Database Engine from Another

Computer
Now that you have configured the Database Engine to listen on a fixed port, and have
opened that port in the firewall, you can connect to SQL Server from another computer.
When the SQL Server Browser service is running on the server computer, and when the
firewall has opened UDP port 1434, the connection can be made by using the computer
name and instance name. To enhance security, our example does not use the SQL Server
Browser service.

To connect to the Database Engine from another computer

1. On a second computer that contains the SQL Server client tools, log in with an account
authorized to connect to SQL Server, and open Management Studio.
2. In the Connect to Server dialog box, confirm Database Engine in the Server
type box.
3. In the Server name box, type tcp: to specify the protocol, followed by the computer
name, a comma, and the port number. To connect to the default instance, the port
1433 is implied and can be omitted; therefore, type tcp:<computer_name>. In our
example for a named instance, type tcp:<computer_name>,49172.
Note

If you omit tcp: from the Server name box, then the client will attempt all protocols that are
enabled, in the order specified in the client configuration.
4. In
the Authentication box,
click Connect.

confirm Window

Authentication,

and

then

Connecting Using the SQL Server Browser Service

The SQL Server Browser service listens for incoming requests for SQL Server resources and
provides information about SQL Server instances installed on the computer. When the SQL
Server Browser service is running, users can connect to named instances by providing the
computer name and instance name, instead of the computer name and port number.
Because SQL Server Browser receives unauthenticated UDP requests, it is not always turned
on during setup. For a description of the service and an explanation of when it is turned on,
see SQL Server Browser Service (Database Engine and SSAS).
To use the SQL Server Browser, you must follow the same steps as before and open UDP port
1434 in the firewall.

https://msdn.microsoft.com/en-us/library/ms175043.aspx