To 1433 or not to 1433...that is the question

Published Jan 15 2019 01:39 PM 66 Views
Microsoft
First published on MSDN on Mar 17, 2011

I recently ran into a problem with one of my own internal applications and it re-raised a philosophical question I have had before with customers.  There are really two sides to the question:
1) Should I set my non-default instance to listen on TCP 1433?
2) Should I set my default instance to listen on something other than TCP 1433?

In both cases, I recommend "no".

Let me tackle the second question first since that is a simpler question.  I know that years ago one of the common security recommendations was to put your default instance on a port other than TCP 1433 to make it more difficult for attackers to find it.  However, I can say with complete comfort that if an attacker has a network trace that has a connection attempt to your instance, they can figure out the port on which your instance is listening very easily.  Even if you encrypt the conversation, the first five packets of the conversation are unencrypted because you cannot encrypt anything until you have contacted the instance.  Since those first five packets are the same for any connection attempt, it is very easy to detect them in a network trace.  Although I don't do this maliciously (I swear!), I do this on a regular basis when someone sends me a network trace to a named instance and neglects to tell me the port on which the instance is listening.

In addition, if you change your default instance to a port other than TCP 1433, you now need to specify it in every connection string - either directly (servername,port#) or indirectly via client alias.  Given how easy it is to find this conversation in a network, I really cannot see the additional effort as being worth the negligible security benefit (security by obfuscation is never a great idea).

The first question is a little bit more complex.  Setting your default instance to TCP 1433 does indeed give you the benefit of not having to specify the instance name or port number in the connection string.  This is because the SQL Server client libraries don't bother querying SQL Browser for the port number if they don't detect an instance name in the connection string.  Instead, they go straight to TCP 1433.

The downside to this approach shows up when you are working with application administrators who don't know anything about the SQL Server instance.  If they don't know that the instance is a named instance, they might configure their connection string as if the SQL Server instance was a default instance.  Since the instance is listening on TCP 1433, the attempt to connect will succeed.  The the real problem comes later when you decide to change the port on which your SQL Server instance is listening (maybe you read my blog:)).  If you do, but don't change the client connection string, the client won't be able to connect.  And, because the client thinks your instance is a default instance, it won't query SQL Browser, so will never find out the new port.  The only way to fix this is to create an alias on the client (tough to maintain over time) or to modify the connection string to specify an instance name.  Now, instead of just getting downtime on the SQL Server side, you have to take downtime on the client side, too.

In conclusion, given that there is a negligible security benefit to modifying the port for your default instance and there is significant potential for outages with setting your named instance to TCP 1433.  Therefore, with the exception of setting a static port for your named instances, I recommend you just leave the port settings to default.

P.S.  Please don't set any of your instances to TCP 1434 either.  While not technically wrong, it is very confusing since SQL Browser listens on UDP 1434 and hardly anybody references the protocol (TCP vs. UDP) when talking about ports.  Making sure both sides of the conversation are talking about the same service can then get quite confusing if you put SQL Server on TCP 1434.

Evan Basalik | Senior Support Escalation Engineer | Microsoft SQL Server Escalation Services


%3CLINGO-SUB%20id%3D%22lingo-sub-316383%22%20slang%3D%22en-US%22%3ETo%201433%20or%20not%20to%201433...that%20is%20the%20question%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-316383%22%20slang%3D%22en-US%22%3E%0A%20%26lt%3Bmeta%20http-equiv%3D%22Content-Type%22%20content%3D%22text%2Fhtml%3B%20charset%3DUTF-8%22%20%2F%26gt%3B%3CSTRONG%3E%20First%20published%20on%20MSDN%20on%20Mar%2017%2C%202011%20%3C%2FSTRONG%3E%20%3CBR%20%2F%3E%3CP%3EI%20recently%20ran%20into%20a%20problem%20with%20one%20of%20my%20own%20internal%20applications%20and%20it%20re-raised%20a%20philosophical%20question%20I%20have%20had%20before%20with%20customers.%26nbsp%3B%20There%20are%20really%20two%20sides%20to%20the%20question%3A%20%3CBR%20%2F%3E1)%20Should%20I%20set%20my%20non-default%20instance%20to%20listen%20on%20TCP%201433%3F%20%3CBR%20%2F%3E2)%20Should%20I%20set%20my%20default%20instance%20to%20listen%20on%20something%20other%20than%20TCP%201433%3F%3C%2FP%3E%0A%20%20%3CP%3EIn%20both%20cases%2C%20I%20recommend%20%22no%22.%3C%2FP%3E%0A%20%20%3CP%3ELet%20me%20tackle%20the%20second%20question%20first%20since%20that%20is%20a%20simpler%20question.%26nbsp%3B%20I%20know%20that%20years%20ago%20one%20of%20the%20common%20security%20recommendations%20was%20to%20put%20your%20default%20instance%20on%20a%20port%20other%20than%20TCP%201433%20to%20make%20it%20more%20difficult%20for%20attackers%20to%20find%20it.%26nbsp%3B%20However%2C%20I%20can%20say%20with%20complete%20comfort%20that%20if%20an%20attacker%20has%20a%20network%20trace%20that%20has%20a%20connection%20attempt%20to%20your%20instance%2C%20they%20can%20figure%20out%20the%20port%20on%20which%20your%20instance%20is%20listening%20very%20easily.%26nbsp%3B%20Even%20if%20you%20encrypt%20the%20conversation%2C%20the%20first%20five%20packets%20of%20the%20conversation%20are%20unencrypted%20because%20you%20cannot%20encrypt%20anything%20until%20you%20have%20contacted%20the%20instance.%26nbsp%3B%20Since%20those%20first%20five%20packets%20are%20the%20same%20for%20any%20connection%20attempt%2C%20it%20is%20very%20easy%20to%20detect%20them%20in%20a%20network%20trace.%26nbsp%3B%20Although%20I%20don't%20do%20this%20maliciously%20(I%20swear!)%2C%20I%20do%20this%20on%20a%20regular%20basis%20when%20someone%20sends%20me%20a%20network%20trace%20to%20a%20named%20instance%20and%20neglects%20to%20tell%20me%20the%20port%20on%20which%20the%20instance%20is%20listening.%3C%2FP%3E%0A%20%20%3CP%3EIn%20addition%2C%20if%20you%20change%20your%20default%20instance%20to%20a%20port%20other%20than%20TCP%201433%2C%20you%20now%20need%20to%20specify%20it%20in%20every%20connection%20string%20-%20either%20directly%20(servername%2Cport%23)%20or%20indirectly%20via%20client%20alias.%26nbsp%3B%20Given%20how%20easy%20it%20is%20to%20find%20this%20conversation%20in%20a%20network%2C%20I%20really%20cannot%20see%20the%20additional%20effort%20as%20being%20worth%20the%20negligible%20security%20benefit%20(security%20by%20obfuscation%20is%20never%20a%20great%20idea).%3C%2FP%3E%0A%20%20%3CP%3EThe%20first%20question%20is%20a%20little%20bit%20more%20complex.%26nbsp%3B%20Setting%20your%20default%20instance%20to%20TCP%201433%20does%20indeed%20give%20you%20the%20benefit%20of%20not%20having%20to%20specify%20the%20instance%20name%20or%20port%20number%20in%20the%20connection%20string.%26nbsp%3B%20This%20is%20because%20the%20SQL%20Server%20client%20libraries%20don't%20bother%20querying%20SQL%20Browser%20for%20the%20port%20number%20if%20they%20don't%20detect%20an%20instance%20name%20in%20the%20connection%20string.%26nbsp%3B%20Instead%2C%20they%20go%20straight%20to%20TCP%201433.%3C%2FP%3E%0A%20%20%3CP%3EThe%20downside%20to%20this%20approach%20shows%20up%20when%20you%20are%20working%20with%20application%20administrators%20who%20don't%20know%20anything%20about%20the%20SQL%20Server%20instance.%26nbsp%3B%20If%20they%20don't%20know%20that%20the%20instance%20is%20a%20named%20instance%2C%20they%20might%20configure%20their%20connection%20string%20as%20if%20the%20SQL%20Server%20instance%20was%20a%20default%20instance.%26nbsp%3B%20Since%20the%20instance%20is%20listening%20on%20TCP%201433%2C%20the%20attempt%20to%20connect%20will%20succeed.%26nbsp%3B%20The%20the%20real%20problem%20comes%20later%20when%20you%20decide%20to%20change%20the%20port%20on%20which%20your%20SQL%20Server%20instance%20is%20listening%20(maybe%20you%20read%20my%20blog%3A)).%26nbsp%3B%20If%20you%20do%2C%20but%20don't%20change%20the%20client%20connection%20string%2C%20the%20client%20won't%20be%20able%20to%20connect.%26nbsp%3B%20And%2C%20because%20the%20client%20thinks%20your%20instance%20is%20a%20default%20instance%2C%20it%20won't%20query%20SQL%20Browser%2C%20so%20will%20never%20find%20out%20the%20new%20port.%26nbsp%3B%20The%20only%20way%20to%20fix%20this%20is%20to%20create%20an%20alias%20on%20the%20client%20(tough%20to%20maintain%20over%20time)%20or%20to%20modify%20the%20connection%20string%20to%20specify%20an%20instance%20name.%26nbsp%3B%20Now%2C%20instead%20of%20just%20getting%20downtime%20on%20the%20SQL%20Server%20side%2C%20you%20have%20to%20take%20downtime%20on%20the%20client%20side%2C%20too.%3C%2FP%3E%0A%20%20%3CP%3EIn%20conclusion%2C%20given%20that%20there%20is%20a%20negligible%20security%20benefit%20to%20modifying%20the%20port%20for%20your%20default%20instance%20and%20there%20is%20significant%20potential%20for%20outages%20with%20setting%20your%20named%20instance%20to%20TCP%201433.%26nbsp%3B%20Therefore%2C%20with%20the%20exception%20of%20setting%20a%20static%20port%20for%20your%20named%20instances%2C%20I%20recommend%20you%20just%20leave%20the%20port%20settings%20to%20default.%3C%2FP%3E%0A%20%20%3CP%3EP.S.%26nbsp%3B%20Please%20don't%20set%20any%20of%20your%20instances%20to%20TCP%201434%20either.%26nbsp%3B%20While%20not%20technically%20wrong%2C%20it%20is%20very%20confusing%20since%20SQL%20Browser%20listens%20on%20UDP%201434%20and%20hardly%20anybody%20references%20the%20protocol%20(TCP%20vs.%20UDP)%20when%20talking%20about%20ports.%26nbsp%3B%20Making%20sure%20both%20sides%20of%20the%20conversation%20are%20talking%20about%20the%20same%20service%20can%20then%20get%20quite%20confusing%20if%20you%20put%20SQL%20Server%20on%20TCP%201434.%20%3CBR%20%2F%3E%3C%2FP%3E%0A%20%20%3CP%3E%3CSTRONG%3E%20Evan%20Basalik%20%7C%20Senior%20Support%20Escalation%20Engineer%20%7C%20Microsoft%20SQL%20Server%20Escalation%20Services%20%3C%2FSTRONG%3E%3C%2FP%3E%0A%20%20%3CP%3E%3C%2FP%3E%3CBR%20%2F%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-316383%22%20slang%3D%22en-US%22%3EFirst%20published%20on%20MSDN%20on%20Mar%2017%2C%202011%20I%20recently%20ran%20into%20a%20problem%20with%20one%20of%20my%20own%20internal%20applications%20and%20it%20re-raised%20a%20philosophical%20question%20I%20have%20had%20before%20with%20customers.%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-316383%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3Econnectivity%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Version history
Last update:
‎Jan 15 2019 01:39 PM
Updated by: