Surface Area Configuration (SAC) is an example of Microsoft's commitment to security initiatives in SQL Server 2005. SAC refers to two things: the features and components that are not implicitly installed or activated during setup and a new tool that you can use to enable or disable features, services, and network protocols. By having you selectively install or activate the components and by providing the SAC tool, SQL Server 2005 lets you protect your SQL Server 2005 environment by reducing the attackable area of a system.
When you install SQL Server 2005, components such as Analysis Services, Reporting Services, Notification Services, Full-Text Search, and Integration Services are not implicitly selected. To install any of these components, you select it explicitly during setup.
By default, SQL Server 2005 disables several engine features, such as CLR integration, execution of the xp_cmdshell extended stored procedure, SQL Mail, Database Mail, execution of OLE automation stored procedures, ad hoc distributed queries using OPENROWSET and OPENDATASOURCE, Web Assistant stored procedures, and so on. You can turn these features on or off by using the sp_configure stored procedure or by using the SAC tool.

As in the database engine, certain Analysis Services features are also turned off. These include ad hoc data mining queries using OPENROWSET, anonymous connections, user-defined functions written using .NET CLR or COM, and linked objects. You can use the SAC tool (which you open by selecting Start | All Programs | Microsoft SQL Server 2005 | Configuration Tools | SQL Server Surface Area Configuration) to enable or disable these features as well.

The sys.system_components_surface_area_configuration security catalog view can be used to obtain a list of executable system objects that can be enabled or disabled by SAC.
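The following T-SQL is an added example, not taken from the original text. It audits the engine features named above through sys.configurations, lists the system objects SAC currently has enabled, and turns xp_cmdshell off with sp_configure. The option-name strings are the sp_configure names for those features and are an assumption about how the features listed here map to configuration options.

```sql
-- Added example: audit surface-area options on a SQL Server 2005 instance.
SET NOCOUNT ON;

-- sp_configure option names assumed to correspond to the features listed above.
DECLARE @features TABLE (option_name sysname PRIMARY KEY);
INSERT INTO @features (option_name)
SELECT 'clr enabled'                UNION ALL
SELECT 'xp_cmdshell'                UNION ALL
SELECT 'SQL Mail XPs'               UNION ALL
SELECT 'Database Mail XPs'          UNION ALL
SELECT 'Ole Automation Procedures'  UNION ALL
SELECT 'Ad Hoc Distributed Queries' UNION ALL
SELECT 'Web Assistant Procedures';

-- value is the configured setting; value_in_use is what the engine is running with.
SELECT f.option_name,
       CAST(c.value AS int)        AS configured_value,
       CAST(c.value_in_use AS int) AS running_value,
       CASE
           WHEN c.name IS NULL THEN 'option not present on this instance'
           WHEN CAST(c.value_in_use AS int) = 1 THEN 'ENABLED - confirm it is required'
           WHEN CAST(c.value AS int) <> CAST(c.value_in_use AS int)
                THEN 'change pending RECONFIGURE'
           ELSE 'disabled'
       END AS finding
FROM @features AS f
LEFT JOIN sys.configurations AS c
       ON c.name COLLATE DATABASE_DEFAULT = f.option_name COLLATE DATABASE_DEFAULT
ORDER BY running_value DESC, f.option_name;

-- Executable system objects that SAC controls and that are currently enabled (state = 1).
SELECT component_name, schema_name, object_name, type_desc
FROM sys.system_components_surface_area_configuration
WHERE state = 1
ORDER BY component_name, object_name;

-- Turn one feature off. xp_cmdshell is an advanced option, so advanced
-- options must be visible while it is changed, then hidden again.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;
```

Any row reported as ENABLED should trace back to a documented application requirement; rerun the first query after each change to confirm that running_value matches configured_value.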
Figure 7.4 shows the SAC tool to configure services and network protocols.
Figure 7.4. SAC is a new tool dedicated to protecting SQL Server 2005 systems by reducing the attackable surface area.
Figure 7.5 shows the SAC tool for configuring database engine and Analysis Services features.
Figure 7.5. In addition to services and network connections, SAC can also be used to enable and disable database engine and Analysis Services features.
Table 7.1 lists the engine features that can be turned on or off.