
SQL Server Standards

Objective
This document provides an overview of the HP SQL Server standards. Unless specifically mentioned, the stated position applies to all versions of SQL Server. Any and all exceptions to these standards must be approved by GDBA.

Revision History
Version   Date         Author            Description of Revision
0.01      11.1.2006    Brad Borgerding   Initial draft.
1.00      11.22.2006   Brad Borgerding   Initial version.
1.01      2.2.2007     Brad Borgerding   Provided clarification about where an SSIS/DTS package could be stored

Table of Contents
Objective
Revision History
Table of Contents
SQL Server 2005 Installation Standards
Feature Set
Security
Miscellaneous

SQL Server Standards

1 HP Restricted

SQL Server 2005 Installation Standards


These are the standards used during the installation of SQL Server.

Component: Version
Position: SQL Server 2005 with the latest, certified service pack. SQL Server 2000 by approved exception only. New installations should only be SQL Server 2005. Existing installations of SQL Server 2000 are encouraged to upgrade as soon as possible.

Component: Port
Position: 2048. 2048 is the port for any single-instance server and for any instance on a cluster. Instances on multi-instance, non-clustered servers will additionally use ports 20480-20499.

Component: Installation path
Position: e:\mssql. Note: During installation, additional directories are appended so the full path is e:\mssql\mssql.1\mssql\

Component: Instance Name
Position: On dedicated (one instance) installations, the default instance. On shared (SDBU) installations, instances are generically named I01 through I07.

Component: Virtual Server Name
Position: Follows corporate naming standards (GVS00278).

Component: Cluster group
Position: SQL-<instance name> (multi-instance); SQL (single instance). Examples: SQL-I04, SQL-I06, SQL.

Component: Authentication mode
Position: Windows authentication. This is the preferred and default authentication mode. For further information, reference the Authentication mode topic in the Security section below.

Component: Collation settings
Position: SQL_Latin1_General_CP1_CI_AS (code page 1252, case-insensitive, accent-sensitive). This is the default collation for SQL Server. This has been the default since SQL Server 7.0.

Component: International language support
Position: Unicode data types. All installations of SQL Server will use the above collation settings. Applications that require the storage of double byte characters, such as Kanji, must use Unicode data types.

Feature Set
This lists some of the major features within SQL Server. If a feature is not listed, consider it prohibited.

Component: Analysis Services
Position: Not supported by GDBA. It is not allowed to be installed on a database server. Analysis Services requires a database to store its metadata. This database can be located on a separate server from where Analysis Services is located. SDBU is an excellent location for this database.

Component: Reporting Services
Position: Not supported by GDBA.

Component: Notification Services
Position: Not supported by GDBA.

Component: SQL Server Agent
Position: Not available for application use. Its use is restricted to supporting SQL Server functionality such as replication, backups, etc.

Component: SSIS/DTS (SQL Server Integration Services SQL 2005/Data Transformation Services SQL 2000)
Position: Approved. SSIS/DTS packages are allowed within the GDBA support framework. The package can be stored within SQL Server or as an external file on a separate server. Execution of the package must be done from a separate server. SQL Server Agent can't be used for scheduling/executing packages.

Component: SQL Mail (sometimes called xp_sendmail)
Position: Prohibited. This is a MAPI based email tool provided with earlier versions of SQL Server. SQL Mail has caused server instability so it is not allowed. With SQL Server 2005, it has been deprecated but similar functionality is provided through a new feature called database mail. See database mail for more information.

Component: Database Mail
Position: Approved. (SQL Server 2005) Database mail is a new feature in SQL Server 2005. It uses standard SMTP to send mail. Database mail is enabled on all DCC installations but it is not configured. It should be configured only when an application requires it.

Component: xp_cmdshell
Position: Prohibited. xp_cmdshell spawns a Windows command shell and executes in the security context of the SQL Server service account, which leads to a security vulnerability.

Component: Extended stored procedures (typically identified with an xp prefix)
Position: Prohibited. Extended stored procedures are DLLs that dynamically load and run in the SQL Server address space. They can produce memory leaks and can lead to server instability. Extended stored procedures have been deprecated in SQL Server 2005.

Component: Full Text Search
Position: Approved. (SQL Server 2005) Prohibited. (SQL Server 2000 and prior) Prior to SQL Server 2005, full text search had a number of issues that made support difficult. It wasn't cluster aware and it wasn't integrated with the database backup. With SQL Server 2005, those issues have been addressed.

Component: Linked Servers
Position: Approved but its use must be reviewed. (SQL Server 2005) Prohibited. (SQL Server 2000 and prior) Linked servers provide the ability to execute commands against OLE DB data sources on remote servers. In SQL Server 2000 and prior, there are numerous security issues in its use. SQL Server 2005 has addressed those concerns but the use of linked servers must still be reviewed by GDBA. Linked servers are sometimes used inappropriately.

Component: Replication
Position: Approved but its use must be reviewed. Replication in all its forms (merge, snapshot, transaction, peer-to-peer) can be used to create multiple copies of data but each instance of its use must be reviewed by GDBA.

Security
Topic: Elevated privileges
Position: Only granted to GDBA personnel. Elevated privileges include anything beyond Select, Insert, Update, Delete and the ability to create/maintain stored procedures.

Topic: sa account
Position: Account is disabled (SQL Server 2005). GDBA use only (SQL Server 2000 and prior). The sa account has full privileges within SQL Server. It has been used by worms and viruses to gain access to SQL Server.

Topic: sysadmin authority
Position: GDBA use only. Granted to the core GDBA SQL Server team and to the appropriate VCoE DBA team.

Topic: dbo authority
Position: GDBA use only.

Topic: Server access
Position: GDBA use only. Granted to the core GDBA SQL Server team and to the appropriate VCoE DBA team. Neither the application team nor any users have direct access to any GDBA database server.

Topic: Authentication mode
Position: Windows Authentication only (preferred and default). Windows and SQL Server Authentication (mixed mode) (allowed). Windows authentication allows a user to connect through their Windows account. With SQL Server authentication, a user is validated by providing a login name and password. Because there's no password involved, Windows authentication is more secure. However, there are cases where Windows authentication will not work, such as connecting from a UNIX client, so mixed mode authentication is allowed.

Topic: SQL Server Authenticated Login Passwords
Position: Windows password policies are enforced. These policies are defined by the HP IT Security group. They call for passwords to adhere to complexity rules, to lock after 5 unsuccessful logins, and to expire within a time frame.
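
An audit query for several of the positions stated in the Installation Standards, Feature Set and Security sections: collation, authentication mode, xp_cmdshell and SQL Mail, the sa account, password policy on SQL logins, sysadmin membership and linked servers. It is an added example, not part of the HP standard or any GDBA script; it assumes SQL Server 2005 or later and a login that can see all server principals, and the PASS / ALLOWED / REVIEW labels are this example's own.

```sql
-- Added example, not HP's script: read-only audit of one SQL Server 2005+ instance.
-- PASS / ALLOWED / REVIEW are labels chosen for this example.
SELECT 'Server collation' AS check_name,
       CAST(SERVERPROPERTY('Collation') AS nvarchar(128)) AS observed,
       CASE WHEN CAST(SERVERPROPERTY('Collation') AS nvarchar(128))
                 = N'SQL_Latin1_General_CP1_CI_AS'
            THEN 'PASS' ELSE 'REVIEW' END AS result
UNION ALL
-- Windows-only is preferred; mixed mode is allowed by the standard.
SELECT 'Authentication mode',
       CASE WHEN CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int) = 1
            THEN N'Windows only' ELSE N'Mixed mode' END,
       CASE WHEN CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int) = 1
            THEN 'PASS' ELSE 'ALLOWED' END
UNION ALL
-- Prohibited features: both options must be off (value_in_use = 0).
SELECT name COLLATE DATABASE_DEFAULT + N' option',
       CAST(value_in_use AS nvarchar(128)),
       CASE WHEN CAST(value_in_use AS int) = 0 THEN 'PASS' ELSE 'REVIEW' END
FROM sys.configurations
WHERE name IN (N'xp_cmdshell', N'SQL Mail XPs')
UNION ALL
-- sa always has SID 0x01, even if the login has been renamed.
SELECT 'sa login disabled', name COLLATE DATABASE_DEFAULT,
       CASE WHEN is_disabled = 1 THEN 'PASS' ELSE 'REVIEW' END
FROM sys.sql_logins
WHERE sid = 0x01
UNION ALL
-- Enabled SQL-authenticated logins must inherit the Windows password policy.
SELECT 'SQL login password policy', name COLLATE DATABASE_DEFAULT,
       CASE WHEN is_policy_checked = 1 AND is_expiration_checked = 1
            THEN 'PASS' ELSE 'REVIEW' END
FROM sys.sql_logins
WHERE is_disabled = 0 AND sid <> 0x01
UNION ALL
-- sysadmin members are listed for comparison with the DBA team roster.
SELECT 'sysadmin member', m.name COLLATE DATABASE_DEFAULT, 'REVIEW'
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
UNION ALL
-- Every linked server must have been reviewed.
SELECT 'Linked server', name COLLATE DATABASE_DEFAULT, 'REVIEW'
FROM sys.servers
WHERE is_linked = 1
ORDER BY check_name, observed;
```

Rows marked REVIEW are not automatically violations: sysadmin members and linked servers are listed so they can be checked against the approved team membership and review records.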

Miscellaneous
Topic: Application code on the database server
Position: Prohibited. This includes any executables, DLLs, scripts, etc. SQL Server stored procedures are allowed.

Topic: Application files on the database server
Position: Prohibited. No application data outside the actual database is allowed on the database server.

Topic: File Shares
Position: Prohibited. No file shares are allowed on the database servers. Since the application can't store any data on the server, there's no need to provide any shares.

Topic: Other facilities on the database server
Position: Prohibited. The database servers are to run only the database and whatever it needs to function. IIS, Tidal or any other software is not allowed.
