dbatools

Set-DbaExtendedProtection

Claudio Silva (@claudioessilva), claudioessilva.eu
Windows, Linux, macOS

Synopsis

Configures Extended Protection for Authentication on SQL Server network protocols

Description

Modifies the Extended Protection registry setting for SQL Server network protocols to enhance connection security. Extended Protection helps prevent authentication relay attacks by requiring additional authentication at the network protocol level.

This security feature is particularly useful in environments where you need to protect against man-in-the-middle attacks or when connecting over untrusted networks. When set to “Required”, clients must support Extended Protection to connect, which may require updating older applications or connection strings.

The function modifies Windows registry values directly and requires administrative privileges on the target server. Changes take effect immediately for new connections without requiring a SQL Server restart. Changing this setting requires access to the Windows server, not to the SQL Server instance. The setting is found in SQL Server Configuration Manager under the properties of SQL Server Network Configuration > Protocols for “InstanceName”.

Syntax

Set-DbaExtendedProtection
    [[-SqlInstance] <DbaInstanceParameter[]>]
    [[-Credential] <PSCredential>]
    [[-Value] <Object>]
    [-EnableException]
    [-WhatIf]
    [-Confirm]
    [<CommonParameters>]

Examples

Example: 1
PS C:\> Set-DbaExtendedProtection

Set Extended Protection of SQL Engine on the default (MSSQLSERVER) instance on localhost to “Off”. Requires (and checks for) RunAs admin.

Example: 2
PS C:\> Set-DbaExtendedProtection -Value Required

Set Extended Protection of SQL Engine on the default (MSSQLSERVER) instance on localhost to “Required”. Requires (and checks for) RunAs admin.

Example: 3
PS C:\> Set-DbaExtendedProtection -SqlInstance sql01\SQL2008R2SP2

Set Extended Protection of SQL Engine for the SQL2008R2SP2 instance on sql01 to “Off”. Uses Windows Credentials to both connect and modify the registry.

Example: 4
PS C:\> Set-DbaExtendedProtection -SqlInstance sql01\SQL2008R2SP2 -Value Allowed

Set Extended Protection of SQL Engine for the SQL2008R2SP2 instance on sql01 to “Allowed”. Uses Windows Credentials to both connect and modify the registry.

Example: 5
PS C:\> Set-DbaExtendedProtection -SqlInstance sql01\SQL2008R2SP2 -WhatIf

Shows what would happen if the command were executed.

Optional Parameters

-SqlInstance

The target SQL Server instance or instances.

| Property | Value |
| --- | --- |
| Alias | |
| Required | False |
| Pipeline | true (ByValue) |
| Default Value | $env:COMPUTERNAME |

-Credential

Allows you to log in to the computer (not the SQL Server instance) using alternative Windows credentials.

| Property | Value |
| --- | --- |
| Alias | |
| Required | False |
| Pipeline | false |
| Default Value | |

-Value

Specifies the Extended Protection level for SQL Server network protocols. Accepts “Off”, “Allowed”, or “Required” (or equivalent integers 0, 1, 2).
Use “Off” to disable Extended Protection, “Allowed” to accept both protected and unprotected connections, or “Required” to enforce Extended Protection for all client connections.
Defaults to “Off” when not specified. Setting to “Required” may prevent older applications from connecting unless they support Extended Protection authentication.

| Property | Value |
| --- | --- |
| Alias | |
| Required | False |
| Pipeline | false |
| Default Value | Off |
| Accepted Values | 0,Off,1,Allowed,2,Required |

-EnableException

By default, when something goes wrong we try to catch it, interpret it and give you a friendly warning message.
This avoids overwhelming you with “sea of red” exceptions, but is inconvenient because it basically disables advanced scripting.
Using this switch turns this “nice by default” feature off and enables you to catch exceptions with your own try/catch.

| Property | Value |
| --- | --- |
| Alias | |
| Required | False |
| Pipeline | false |
| Default Value | False |

-WhatIf

If this switch is enabled, no actions are performed but informational messages will be displayed that explain what would happen if the command were to run.

| Property | Value |
| --- | --- |
| Alias | wi |
| Required | False |
| Pipeline | false |
| Default Value | |

-Confirm

If this switch is enabled, you will be prompted for confirmation before executing any operations that change state.

| Property | Value |
| --- | --- |
| Alias | cf |
| Required | False |
| Pipeline | false |
| Default Value | |
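
A staged rollout that combines the -Value, -WhatIf, -EnableException and -Confirm parameters documented above, added here as an example and not taken from the dbatools documentation. The instance names are constructed placeholders, and Get-DbaExtendedProtection is the dbatools companion read command, which this page does not describe.

```powershell
# Added example: staged rollout of Extended Protection across several instances.
# Assumption: the instance names below are constructed placeholders.
$instances = 'sql01\SQL2008R2SP2', 'sql02'

# Start with 'Allowed' so clients without Extended Protection support can still
# connect; switch to 'Required' only after every client is known to support it.
$target = 'Allowed'

# 1. Dry run: -WhatIf reports what would change without touching the registry.
Set-DbaExtendedProtection -SqlInstance $instances -Value $target -WhatIf

# 2. Apply one instance at a time so a single failure does not hide the others.
$report = foreach ($instance in $instances) {
    try {
        # -EnableException turns the friendly warning into an exception that
        # catch can handle; -Confirm:$false suppresses prompts in unattended runs.
        $null = Set-DbaExtendedProtection -SqlInstance $instance -Value $target `
            -EnableException -Confirm:$false
        [pscustomobject]@{
            SqlInstance = $instance
            Requested   = $target
            Status      = 'Changed'
            Error       = $null
        }
    }
    catch {
        [pscustomobject]@{
            SqlInstance = $instance
            Requested   = $target
            Status      = 'Failed'
            Error       = $_.Exception.Message
        }
    }
}

$report | Format-Table -AutoSize

# 3. Read the setting back on the instances that reported success.
$changed = @($report | Where-Object Status -eq 'Changed')
if ($changed.Count -gt 0) {
    Get-DbaExtendedProtection -SqlInstance $changed.SqlInstance
}

# 4. Fail the run if any instance could not be configured, so a scheduler
#    or pipeline does not treat a partial rollout as complete.
$failed = @($report | Where-Object Status -eq 'Failed')
if ($failed.Count -gt 0) {
    throw "Extended Protection not set on: $($failed.SqlInstance -join ', ')"
}
```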