Windows Firewall and SQL Server 2008

by Rob 21. July 2008 00:58

Recently I've been working on deployments of Windows Server 2008 and SQL Server 2008.  I thought I'd start to post some of the nuances of these new product editions. 

One of the first things to encounter is, not surprisingly, security.  Security is always loads of fun for deployments (ha ha), but actually I kind of enjoy the challenge of working within the confines of good security practices.

Windows Server 2008 is based on the Vista core, and inherits a lot from it.  One of these is the Windows Firewall.  I think this is a really good thing...having that extra layer of security is definitely wise, and is a nice blanket I actually miss from my Sun/Linux days--so I'm actually glad to have it there.  But, it also means you have to configure security for just about every new application, port, etc.

For SQL Server, this really isn't too difficult.  However, since I do so many deployments, I'm always interested in a shortcut...and I like to document changes, get them approved by the client's sysadmin, then apply them by script whenever possible.

So, below is a sample script I put together for applying the firewall changes needed by SQL Server 2008 when running on Windows Server 2008. This is a work in progress, but so far so good. Note that this script opens just about every port SQL Server might use, so make sure to use only those lines that apply to any given server (e.g. don't open HTTP/80 if you're not running Reporting Services or anything else that listens on it).

Of course, if you're using named instances for your SQL Server services, those instances by default will have dynamic (i.e. random) ports.  Dynamic ports don't work that well with a server firewall (and neither do they work well for Kerberos delegation configurations--but that's another topic).  So, a best practice is probably to set static ports for each instance and manage them that way.

One thing to make sure to do when using command lines like this is to specify rule names on the command line; those names then show up in the GUI-based firewall control panel (firewall.cpl)--see the screen grab down below. If you don't, each rule will simply be named "unspecified"...not a nice thing to leave for the sysadmin to figure out later!

@rem firewallconfig.cmd by Rob Kerr
@rem Uses the legacy "netsh firewall" context, which Windows Server 2008 still
@rem accepts but has deprecated in favour of "netsh advfirewall". Each line
@rem stands on its own, so keep only the ports a given server actually uses.

@echo =========  SQL Server Ports  ===================
@echo Enabling SQLServer default instance port 1433
netsh firewall set portopening TCP 1433 "SQLServer"

@echo Enabling Dedicated Admin Connection port 1434
netsh firewall set portopening TCP 1434 "SQL Admin Connection"

@echo Enabling conventional SQL Server Service Broker port 4022 
netsh firewall set portopening TCP 4022 "SQL Service Broker"

@echo Enabling Transact-SQL Debugger/RPC port 135
netsh firewall set portopening TCP 135 "SQL Debugger/RPC"

@echo =========  Analysis Services Ports  ==============
@echo Enabling SSAS Default Instance port 2383
netsh firewall set portopening TCP 2383 "Analysis Services"

@echo Enabling SQL Server Browser Service port 2382
netsh firewall set portopening TCP 2382 "SQL Browser"

@echo =========  Misc Applications  ==============
@echo Enabling HTTP port 80
netsh firewall set portopening TCP 80 "HTTP"

@echo Enabling SSL port 443
netsh firewall set portopening TCP 443 "SSL"

@echo Enabling port for SQL Server Browser Service's 'Browse' Button
netsh firewall set portopening UDP 1434 "SQL Browser"

@echo Allowing multicast broadcast response on UDP (Browser Service Enumerations OK)
netsh firewall set multicastbroadcastresponse ENABLE
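As an added example (my own script, not Rob's firewallconfig.cmd), here is the same set of rules written for the "netsh advfirewall" context that Windows Server 2008 introduced, with the rule names the post recommends, each rule limited to the Domain profile, the Dedicated Admin Connection scoped to an admin subnet, and the static-port check for a named instance that the earlier paragraph on dynamic ports argues for. The subnet 10.0.0.0/24, the instance name, and the registry location of the TCP listener settings are my own assumptions rather than anything taken from the post; HTTP/HTTPS and the multicast setting are left out deliberately, following the post's advice to open only what a given server uses.

```batch
@rem sql2008-advfirewall.cmd -- added example, not the post's firewallconfig.cmd
@rem "netsh firewall" still works on Windows Server 2008 but is the deprecated
@rem XP/2003 syntax; "netsh advfirewall" is the supported replacement.
@rem Every rule carries a name (so firewall.cpl shows something better than
@rem "unspecified") and is limited to the Domain profile, so the rules never
@rem apply if the box is ever connected to a Public network.
@rem Assumptions (not from the post): admin workstations live in 10.0.0.0/24
@rem (placeholder subnet) and the instance to check is named in INSTANCE below.
@echo off
setlocal

set ADMIN_SUBNET=10.0.0.0/24
set INSTANCE=MSSQLSERVER

echo ========= SQL Server Ports =========
netsh advfirewall firewall add rule name="SQL Server default instance (TCP 1433)" dir=in action=allow protocol=TCP localport=1433 profile=domain

rem The Dedicated Admin Connection is for DBAs only, so scope it to the admin
rem subnet instead of "any" (the one real difference from the post's script).
netsh advfirewall firewall add rule name="SQL Dedicated Admin Connection (TCP 1434)" dir=in action=allow protocol=TCP localport=1434 remoteip=%ADMIN_SUBNET% profile=domain

netsh advfirewall firewall add rule name="SQL Service Broker (TCP 4022)" dir=in action=allow protocol=TCP localport=4022 profile=domain

echo ========= Browser / Analysis Services =========
netsh advfirewall firewall add rule name="SQL Browser (UDP 1434)" dir=in action=allow protocol=UDP localport=1434 profile=domain
netsh advfirewall firewall add rule name="Analysis Services default instance (TCP 2383)" dir=in action=allow protocol=TCP localport=2383 profile=domain

echo ========= Named instance: static port check =========
rem Only open a port for the instance if it has been pinned to a static one.
rem Listener settings for SQL Server 2008 live under MSSQL10.<instance>
rem (assumed path from my own notes; a 32-bit SQL on x64 sits under Wow6432Node).
rem Configuration Manager edits these same two values.
set TCPKEY=HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL10.%INSTANCE%\MSSQLServer\SuperSocketNetLib\Tcp\IPAll
set STATIC_PORT=
set DYN_PORT=
for /f "tokens=3" %%P in ('reg query "%TCPKEY%" /v TcpPort 2^>nul ^| findstr /i TcpPort') do set STATIC_PORT=%%P
for /f "tokens=3" %%P in ('reg query "%TCPKEY%" /v TcpDynamicPorts 2^>nul ^| findstr /i TcpDynamicPorts') do set DYN_PORT=%%P

if defined DYN_PORT (
    echo Instance %INSTANCE% still uses dynamic ports [TcpDynamicPorts=%DYN_PORT%] - set a static port in Configuration Manager first.
) else if defined STATIC_PORT (
    netsh advfirewall firewall add rule name="SQL Server %INSTANCE% (TCP %STATIC_PORT%)" dir=in action=allow protocol=TCP localport=%STATIC_PORT% profile=domain
) else (
    echo Could not read listener settings for instance %INSTANCE% - check the INSTANCE name.
)

echo ========= Verify: every SQL rule by name =========
netsh advfirewall firewall show rule name=all | findstr /i /r /c:"^Rule Name:.*SQL"
endlocal
```

Run it from an elevated command prompt; the final netsh line lists the rules by name so the result can be pasted into the change record before the sysadmin signs off. When an instance still shows a value in TcpDynamicPorts, the script refuses to guess a port and tells you to pin one first, which is exactly the situation the post's paragraph on named instances warns about.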


Security | SQL Server | Windows Server

Trouble installing software onto Windows server from a network share

by Rob 2. May 2008 19:58

Microsoft’s security focus over the last few years has brought many improvements in the overall level of security.  Along with this level of security also comes an increasing number of hoops to jump through to accomplish simple tasks.

Recently I found that it became impossible to install software from network shares onto Windows 64-bit servers.  Trying to do so resulted in the error message:

“Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.”

Searching on the Internet, the most commonly suggested workaround I found was to uninstall the Internet Explorer Enhanced Security Configuration from the computer.  This actually does work, but really doesn't sound like a great solution to me. 

As it turns out, the solution is quite simple...but also a bit of a head scratcher.  You wouldn’t think accessing files on your LAN would be controlled by an Internet Explorer setting (well maybe you would, but I wouldn’t!).  Yet, changing IE settings is the easy way to solve this problem.

The solution is to add the LAN server where your install source share is to the Local Intranet zone in Internet Explorer.  I suppose adding to the Trusted Sites would probably work, but since a share location is in the intranet for most of us, I think that’s the more logical place to make this change.

Here’s how I solved it on a 64-bit Windows 2003 R2 server with SP2 and IE7:

  1. In Internet Explorer, select Tools/Options, then click on the Security tab
  2. Select the Local Intranet icon, then press the Sites button
  3. In the Add this website to the zone textbox, enter the name of the server in the form file://servername, then click the Add button
  4. Click the Close button on the bottom of the dialog, then OK on the Internet Options dialog

With that change made, your server should now be able to run software from network locations.  No more need to copy them to a local file location first!
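The same change, scripted, as an added example of my own rather than anything from the post: the Sites dialog simply writes a zone-map entry for the server into the current user's registry, so the four steps above can be applied to a server name from the command line and verified afterwards. The registry path and the EscDomains detail are from my own notes on IE zone handling, not from the post, so check them on your build; the script only touches HKCU, so like the GUI change it applies to the user who runs it.

```batch
@rem add-intranet-zone.cmd -- added example, not from the post
@rem Puts file://<servername> into the Local Intranet zone (zone 1) so that
@rem installers launched from that share are no longer blocked.
@rem Usage: add-intranet-zone.cmd servername
@echo off
setlocal
if "%~1"=="" (
    echo usage: %~nx0 servername
    exit /b 1
)
set SERVER=%~1

rem Per-user zone map (assumed path from my own notes). Under Domains\<host>,
rem the value name is the URL scheme and the DWORD data is the zone number:
rem 1 = Local Intranet, 2 = Trusted Sites.
set ZONEMAP=HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
reg add "%ZONEMAP%\Domains\%SERVER%" /v file /t REG_DWORD /d 1 /f

rem With IE Enhanced Security Configuration enabled (the Windows Server default),
rem the Sites dialog records entries under EscDomains instead; writing both
rem covers either state (assumption, verify against your own server).
reg add "%ZONEMAP%\EscDomains\%SERVER%" /v file /t REG_DWORD /d 1 /f

echo ========= Verify =========
reg query "%ZONEMAP%\Domains\%SERVER%" /v file
reg query "%ZONEMAP%\EscDomains\%SERVER%" /v file
endlocal
```

Open Internet Options afterwards and the server should be listed under Local Intranet / Sites / Advanced, which is the easiest way to confirm the entry landed in the zone the dialog actually reads. Keeping the change at zone 1 rather than uninstalling Enhanced Security Configuration preserves the hardening the post prefers to leave in place.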


Security | Windows Server

Disclaimer
The opinions expressed herein are my own personal opinions and do not represent my employer's view in anyway.

© Copyright 2010 Rob Kerr's BI Blog