| title | Surface area configuration | ||||||
|---|---|---|---|---|---|---|---|
| description | Learn how to change feature defaults for SQL Server installation and selectively enable or disable features of a running instance of SQL Server. | ||||||
| author | VanMSFT | ||||||
| ms.author | vanto | ||||||
| ms.reviewer | randolphwest | ||||||
| ms.date | 05/26/2023 | ||||||
| ms.service | sql | ||||||
| ms.subservice | security | ||||||
| ms.topic | how-to | ||||||
| helpviewer_keywords |
|
[!INCLUDE SQL Server]
In the default configuration of new installations of [!INCLUDEssNoVersion], many features are not enabled. [!INCLUDEssNoVersion] selectively installs and starts only key services and features, to minimize the number of features that can be attacked by a malicious user. A system administrator can change these defaults at installation time and also selectively enable or disable features of a running instance of [!INCLUDEssNoVersion]. Additionally, some components may not be available when connecting from other computers until protocols are configured.
Note
Unlike new installations, no existing services or features are turned off during an upgrade, but additional surface area configuration options can be applied after the upgrade is completed.
Use [!INCLUDEssNoVersion] Configuration Manager to start and stop services, configure the startup options, and enable protocols and other connection options.
-
On the Start menu, point to All Programs, point to [!INCLUDEssCurrentUI], point to Configuration Tools, and then select SQL Server Configuration Manager.
-
Use the SQL Server Services area to start components and configure the automatic starting options.
-
Use the SQL Server Network Configuration area to enable connection protocols, and connection options such as fixed TCP/IP ports, or forcing encryption.
-
For more information, see SQL Server Configuration Manager. Remote connectivity can also depend upon the correct configuration of a firewall. For more information, see Configure the Windows Firewall to Allow SQL Server Access.
Enabling and disabling [!INCLUDEssNoVersion] features can be configured using facets in [!INCLUDEssManStudioFull].
-
In [!INCLUDEssManStudio] connect to a component of [!INCLUDEssNoVersion].
-
In Object Explorer, right-click the server, and then select Facets.
-
In the View Facets dialog box, expand the Facet list, and select the appropriate Surface Area Configuration facet (Surface Area Configuration, Surface Area Configuration for Analysis Services, or Surface Area Configuration for Reporting Services).
-
In the Facet properties area, select the values that you want for each property.
-
Select OK.
To periodically check the configuration of a facet, use Policy-Based Management. For more information about Policy-Based Management, see Administer Servers by Using Policy-Based Management.
You can also set [!INCLUDEssDE] options using the sp_configure stored procedure. For more information, see Server Configuration Options (SQL Server).
To change the EnableIntegrated Security property of [!INCLUDEssRS], use the property settings in [!INCLUDEssManStudioFull]. To change the Schedule events and report delivery property and the Web service and HTTP access property, edit the RSReportServer.config configuration file.
Use the Invoke-PolicyEvaluation [!INCLUDEssNoVersion] PowerShell cmdlet to invoke Surface Area Configuration Policies. For more information, see Use the Database Engine cmdlets.
To turn endpoints off, use Policy-Based Management. To create and alter the properties of endpoints, use CREATE ENDPOINT (Transact-SQL) and ALTER ENDPOINT (Transact-SQL).