The SQL Server Browser service (UDP port 1434) is often targeted in DDoS amplification attacks. For a secure production environment, we recommend disabling this service completely.
The Risk:
If left open to the internet, attackers can abuse the SQL Browser service to flood victims with traffic. Tilaa may block this port if abuse is detected.
The Consequence:
Disabling the SQL Browser means clients can no longer "find" your Named Instance automatically (e.g., connecting to SERVER\SQLEXPRESS). You must configure a Static TCP Port and specify that port in your connection string.
Step 1: Set a Static TCP Port
Before disabling the Browser service, ensure your instance listens on a fixed port so you can still connect.
- Open SQL Server Configuration Manager.
- Navigate to SQL Server Network Configuration > Protocols for [YOUR_INSTANCE].
- Right-click TCP/IP and select Properties.
- Go to the IP Addresses tab.
- Scroll down to the section IPAll.
- TCP Dynamic Ports: Remove the 0 (make it empty).
- TCP Port: Enter your desired port (e.g., 1433 for default or 7500 for custom).
- Click OK.
Step 2: Disable SQL Server Browser
Now that we have a fixed port, we can safely kill the vulnerable service.
- In Configuration Manager, go to SQL Server Services.
- Right-click on SQL Server Browser and select Properties.
- On the Service tab, change Start Mode to Disabled.
- Click Stop to halt the service immediately.
Finally, restart the main SQL Server service to apply the port changes.
Step 3: Connecting with a Static Port
Since the Browser service is gone, you must tell your applications exactly which port to use.
Connection String Example:
Server=myServerAddress,7500;Database=myDataBase;User Id=myUsername;Password=myPassword;
Note the comma (,) between the address and the port.
Step 4: Update Firewall
Don't forget to update your Windows Firewall!
- Allow TCP traffic on your chosen port (e.g., 7500).
- Block UDP port 1434 (SQL Browser) to prevent abuse.
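Steps 2 and 4 can also be scripted and verified from an elevated PowerShell session once Step 1 is done. This is an added example, not part of the original article; it assumes the instance name SQLEXPRESS and port 7500 from the examples above, and the firewall rule display names are arbitrary.

```powershell
#Requires -RunAsAdministrator
# Added example. Assumptions: named instance SQLEXPRESS and static port 7500
# (both taken from the article's examples); rule display names are arbitrary.
$Instance = 'SQLEXPRESS'
$Port     = 7500

# Step 2: disable and stop the Browser service (Windows service name: SQLBrowser).
Set-Service  -Name SQLBrowser -StartupType Disabled
Stop-Service -Name SQLBrowser -Force

# Restart the instance so the static port from Step 1 takes effect.
# Named instances run as MSSQL$<name>. -Force is needed when dependent services
# (e.g. SQL Server Agent) are running; check afterwards that they are started.
Restart-Service -Name ('MSSQL$' + $Instance) -Force

# Confirm the instance listens on the static port before changing the firewall.
$deadline = (Get-Date).AddSeconds(30)
do {
    Start-Sleep -Seconds 2
    $listening = Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue
} until ($listening -or (Get-Date) -gt $deadline)
if (-not $listening) {
    throw "Nothing listens on TCP $Port. Recheck Step 1 (IPAll > TCP Port)."
}

# Step 4: allow the static TCP port, block the Browser's UDP port.
New-NetFirewallRule -DisplayName "SQL $Instance TCP $Port" -Direction Inbound `
    -Protocol TCP -LocalPort $Port -Action Allow | Out-Null
New-NetFirewallRule -DisplayName 'Block SQL Browser UDP 1434' -Direction Inbound `
    -Protocol UDP -LocalPort 1434 -Action Block | Out-Null

# Report the end state: Browser stopped and disabled, nothing bound to UDP 1434,
# instance listening on the static TCP port.
[pscustomobject]@{
    BrowserStatus    = (Get-Service -Name SQLBrowser).Status
    BrowserStartType = (Get-Service -Name SQLBrowser).StartType
    Udp1434Bound     = [bool](Get-NetUDPEndpoint -LocalPort 1434 -ErrorAction SilentlyContinue)
    TcpPortListening = [bool]$listening
}
```

The expected result is BrowserStatus Stopped, BrowserStartType Disabled, Udp1434Bound False and TcpPortListening True.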