The basic purpose of the SQL Server Browser service is to provide instance and port information to incoming connection requests.
To configure a better and safer access mechanism for SQL Server, a DBA should have a proper understanding of the SQL Server Browser service.
Best practices for using the SQL Server Browser service
The way you use the SQL Server Browser service affects access to your SQL Server instances, and hence the security of the installed instances. At one end, the most security-conscious approach may be to use customized static ports for your instances and access SQL Server with fully qualified connection parameters: IP + InstanceName + Port. In this configuration your instance would not be exposed to the network, and more parameters are required in the connection string.
It would be a secure configuration compared to having the SQL Server Browser service running and serving the incoming connection requests with instance and port information. If you have no problem using fully customized connection strings (IP + Name + Port), then you can stop the Browser service permanently and access the instance through a fully qualified connection string.
In another type of configuration, if the instance is configured to use dynamic ports each time, then the SQL Server Browser service should be running; otherwise there would be no way to keep track of the dynamic ports that are assigned.
If you have just a default instance installed (with the default port) on your machine, then the SQL Server Browser service may be stopped to avoid overhead.
As part of best practices, always run the SQL Server Browser service with a minimally privileged account. According to BOL (SQL Server Books Online), any Windows user having the following rights would be able to run the SQL Server Browser service.
- Deny access to this computer from the network
- Deny logon locally
- Deny logon as a batch job
- Deny logon through Terminal Services
- Log on as a service
- Read and write the SQL Server registry keys related to network communication (ports and pipes)
You can change the default account of the Browser service (local system) to any other user that has the above-mentioned rights on the machine.
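As an added example (not from the original article or Books Online), the following PowerShell script audits a host against the guidance above: it reports the Browser service's state and account, lists each instance's static or dynamic port setting, and says whether the Browser service is needed. It assumes it is run locally on the SQL Server host, that the service has its default name SQLBrowser, and that instances listen on all IPs so the port settings are under the IPAll registry key.

```powershell
# Added example: audit the SQL Server Browser service on the local host.
# Assumptions: default service name SQLBrowser; instances listen on all IPs,
# so port settings live under the IPAll registry key.
$sqlRoot = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server'

# 1. Browser service state, start mode and service account.
$browser = Get-CimInstance Win32_Service -Filter "Name='SQLBrowser'"
if ($browser) {
    $browser | Select-Object Name, State, StartMode, StartName | Format-List
    if ($browser.StartName -eq 'LocalSystem') {
        Write-Warning 'Browser runs as LocalSystem; switch to a minimally privileged account.'
    }
} else {
    Write-Output 'SQL Server Browser service is not installed.'
}

# 2. Static or dynamic TCP port for each installed instance.
$namesKey = Join-Path $sqlRoot 'Instance Names\SQL'
$instances = @()
if (Test-Path $namesKey) {
    $key = Get-Item -Path $namesKey
    $instances = @(foreach ($name in $key.GetValueNames()) {
        $ipAll = Join-Path $sqlRoot "$($key.GetValue($name))\MSSQLServer\SuperSocketNetLib\Tcp\IPAll"
        $tcp = Get-ItemProperty -Path $ipAll -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Instance   = $name
            StaticPort = $tcp.TcpPort
            # A non-empty TcpDynamicPorts value (including "0") means dynamic ports are on.
            Dynamic    = -not [string]::IsNullOrEmpty($tcp.TcpDynamicPorts)
        }
    })
}
$instances | Format-Table -AutoSize

# 3. Apply the article's rules to decide whether Browser is needed.
$dynamic = @($instances | Where-Object Dynamic)
if ($dynamic.Count -gt 0) {
    Write-Output "Keep Browser running: dynamic ports on $($dynamic.Instance -join ', ')."
} elseif ($instances.Count -gt 0) {
    Write-Output 'All instances use static ports: Browser can be stopped and disabled'
    Write-Output 'if clients connect with IP + instance name + port.'
} else {
    Write-Output 'No SQL Server instances found in the registry.'
}
```

The script only reads state; stopping the service or changing its account remains a separate, deliberate step.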
Refer