To reduce the attack surface area and to make sure you are not affected by undiscovered service vulnerabilities, disable any service that is not required. Run the services that remain using least-privileged accounts.
In this step, you:
Disable unused SQL Server services.
Disable the Microsoft DTC (if not required).
Note: To disable a service, set its startup type to Disabled using the Services MMC snap-in in the Computer Management tool.
During a SQL Server installation, the following four Windows services are installed:
MSSQLSERVER (or MSSQL$InstanceName for a named instance). This is the SQL Server database engine and is the only mandatory service.
SQLSERVERAGENT (or SQLAgent$InstanceName for a named instance). With this support service, you can schedule commands and notify operators when errors occur.
MSSQLServerADHelper. This provides Active Directory integration services, including database instance registration.
Microsoft Search. This provides full text search capabilities. This service must always run under the local system account.
Only the MSSQLSERVER database engine is required. The remaining services provide additional functionality and are required only in specific scenarios. Disable these services if they are not required.
Note: SQL Server should not be configured to run as the local system account or any account that is a member of the local Administrators group. For details about configuring the service account used to run MSSQLSERVER, see "Step 4: Accounts."
If you do not use distributed transactions through the Microsoft DTC, disable the service.
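The following PowerShell script is an added example, not part of the original guidance. It audits the services named in this step on a default instance, reports any that are not required but not Disabled, flags MSSQLSERVER running as the local system account, and disables the unneeded services only when -Disable is passed. The short service names MSSEARCH (Microsoft Search) and MSDTC (Microsoft DTC), the $Required list, and the script's parameters are assumptions to adjust for your server; a named instance uses MSSQL$InstanceName and SQLAgent$InstanceName instead.

```powershell
# Added example: audit (and optionally disable) the services discussed in this step.
# Assumptions: default instance; MSSEARCH and MSDTC are the short service names;
# $Required is a site-specific list of services this server actually needs.
param(
    [string[]]$Required = @('MSSQLSERVER'),  # only the database engine is mandatory
    [switch]$Disable                         # without this switch the script only reports
)

$candidates = 'MSSQLSERVER', 'SQLSERVERAGENT', 'MSSQLServerADHelper', 'MSSEARCH', 'MSDTC'

foreach ($name in $candidates) {
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
    if (-not $svc) { continue }              # service is not installed on this host

    $needed   = $Required -contains $name
    $findings = @()

    # Anything not on the required list should have startup type Disabled.
    if (-not $needed -and $svc.StartMode -ne 'Disabled') {
        $findings += 'not required, but startup type is not Disabled'
    }

    # The database engine should not run as the local system account.
    # Membership of the service account in local Administrators is not checked here.
    if ($name -eq 'MSSQLSERVER' -and $svc.StartName -eq 'LocalSystem') {
        $findings += 'database engine runs as LocalSystem'
    }

    [pscustomobject]@{
        Service   = $name
        State     = $svc.State
        StartMode = $svc.StartMode
        Account   = $svc.StartName
        Findings  = $findings -join '; '
    }

    # Remediation: stop the service, then set its startup type to Disabled.
    if ($Disable -and -not $needed -and $svc.StartMode -ne 'Disabled') {
        if ($svc.State -eq 'Running') { Stop-Service -Name $name -Force }
        Set-Service -Name $name -StartupType Disabled
    }
}
```

Run it from an elevated prompt. To keep a service you use, add it to the list, for example -Required MSSQLSERVER,SQLSERVERAGENT.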