Surface Area Configuration (SAC)


Surface Area Configuration (SAC) is an example of Microsoft's commitment to security initiatives in SQL Server 2005. SAC refers to two things: the features and components that are not implicitly installed or activated during setup and a new tool that you can use to enable or disable features, services, and network protocols. By having you selectively install or activate the components and by providing the SAC tool, SQL Server 2005 lets you protect your SQL Server 2005 environment by reducing the attackable area of a system.

When you install SQL Server 2005, components such as Analysis Services, Reporting Services, Notification Services, Full-Text Search, and Integration Services are not implicitly selected. You can explicitly select to install these components.

SQL Server 2005 by default disables several engine features, such as CLR integration, execution of the xp_cmdshell extended stored procedure, SQLMail, Database Mail, execution of OLE automation stored procedures, ad hoc distributed queries using OPENROWSET and OPENDATASOURCE, Web Assistant stored procedures, and so on. You can turn these features on or off by using the sp_configure stored procedure or by using the SAC tool. As in the database engine, certain Analysis Services features are also turned off. These include ad hoc data mining queries using OPENROWSET, anonymous connections, user-defined functions written using .NET CLR or COM, and linked objects. You can use the SAC tool (which you open by selecting Start | All Programs | Microsoft SQL Server 2005 | Configuration Tools | SQL Server Surface Area Configuration) to enable or disable these features as well. The sys.system_components_surface_area_configuration security catalog view can be used to obtain a list of executable system objects that can be enabled or disabled by SAC.

Figure 7.4 shows the SAC tool for configuring services and network protocols.

Figure 7.4. SAC is a new tool dedicated to protecting SQL Server 2005 systems by reducing the attackable surface area.


Figure 7.5 shows the SAC tool for configuring database engine and Analysis Services features.

Figure 7.5. In addition to services and network connections, SAC can also be used to enable and disable database engine and Analysis Services features.


Table 7.1 lists the engine features that can be turned on or off.

Table 7.1. SQL Server 2005 Database Engine Features

| Feature | sp_configure Option | Description | Default |
|---|---|---|---|
| CLR Integration | clr enabled | Enables executing .NET CLR stored procedures, triggers, user-defined types, and user-defined functions. | Off |
| HTTP Access | Not applicable | The tool lists all the current HTTP endpoints and allows you to start or stop an HTTP endpoint. | No HTTP endpoints are created by default. |
| xp_cmdshell | xp_cmdshell | Enables running an xp_cmdshell extended stored procedure, which allows running operating system commands from within SQL Server. | Off |
| Web Assistant Stored Procedures | Web Assistant Procedures | Allows generating HTML files from SQL Server databases. | Off |
| OPENROWSET and OPENDATASOURCE Support | Ad hoc distributed queries | Supports ad hoc connections to remote data sources without linked or remote servers. | Off |
| Database Mail | Database Mail XPs | Enables sending emails over SMTP by using Database Mail. | Off |
| SQL Mail | SQL Mail XPs enabled | Enables sending emails by using MAPI-based SQL Mail. | Off |
| OLE Automation | OLE automation procedures | Enables calling COM automation objects from within T-SQL code by using sp_OAxxx procedures. | Off |
| Service Broker Endpoints | Not applicable | Allows enabling or disabling endpoints created for Service Broker communication across instances. | No Service Broker Endpoints created by default. |
| SMO and DMO Extended Stored Procedures | SMO and DMO XPs | Enables access to SMO and DMO. | On |
| Remote Dedicated Administrator Connection (DAC) | Remote admin connections | Enables DAC from a remote computer. | Off |
| SQL Server Agent Extended Stored Procedures | Agent XPs | Enables executing SQL Server Agent extended stored procedures. | On |
| Replication Extended Stored Procedures | Replication XPs | Enables executing Replication extended stored procedures. | Off |
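The defaults in Table 7.1 can be checked from T-SQL instead of the SAC tool. The following script is an added example, not code from the book: it compares the instance's sp_configure settings against the table's Default column, lists the objects SAC controls through the catalog view mentioned earlier, and turns xp_cmdshell back off. It assumes SQL Server 2005 syntax and uses the option names as they are stored in sys.configurations (SQL Mail appears there as 'SQL Mail XPs').

```sql
-- Added example, not from the book. Written for SQL Server 2005 syntax.
-- Expected values transcribed from the Default column of Table 7.1 (0 = Off, 1 = On).
DECLARE @expected TABLE (option_name nvarchar(35) PRIMARY KEY, expected_value int);

INSERT INTO @expected (option_name, expected_value)
SELECT 'clr enabled',                0 UNION ALL
SELECT 'xp_cmdshell',                0 UNION ALL
SELECT 'Web Assistant Procedures',   0 UNION ALL
SELECT 'Ad Hoc Distributed Queries', 0 UNION ALL
SELECT 'Database Mail XPs',          0 UNION ALL
SELECT 'SQL Mail XPs',               0 UNION ALL  -- name as stored in sys.configurations
SELECT 'Ole Automation Procedures',  0 UNION ALL
SELECT 'SMO and DMO XPs',            1 UNION ALL
SELECT 'remote admin connections',   0 UNION ALL
SELECT 'Agent XPs',                  1 UNION ALL
SELECT 'Replication XPs',            0;

-- 1. Report every option whose configured or running value departs from the default.
SELECT c.name,
       e.expected_value,
       CAST(c.value AS int)        AS configured_value,
       CAST(c.value_in_use AS int) AS running_value,
       CASE WHEN c.value <> c.value_in_use
            THEN 'change pending (RECONFIGURE or restart)' ELSE '' END AS note
FROM sys.configurations AS c
JOIN @expected AS e
  ON c.name = e.option_name COLLATE Latin1_General_CI_AS  -- tolerate case-sensitive servers
WHERE CAST(c.value AS int) <> e.expected_value
   OR CAST(c.value_in_use AS int) <> e.expected_value
ORDER BY c.name;

-- 2. List the executable system objects that SAC controls, with their current state.
SELECT component_name, schema_name, object_name, type_desc, state
FROM sys.system_components_surface_area_configuration
ORDER BY component_name, object_name;

-- 3. Switch one deviation back off. xp_cmdshell is an advanced option, so
--    'show advanced options' must be on before sp_configure will accept it.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;
```

An empty result from the first query means all eleven options match Table 7.1; any row returned is a feature that was changed after setup and should have a documented reason.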





Microsoft SQL Server 2005: Changing the Paradigm (SQL Server 2005 Public Beta Edition)
ISBN: 0672327783
EAN: 2147483647
Year: 2005
Pages: 150
