A survey last year by David Litchfield of NGS Software showed "...there are approximately 368,000 Microsoft SQL Servers directly accessible on the Internet and around 124,000 Oracle database servers directly accessible on the Internet." Egad! That's almost certainly not a good thing. Many of them are accessible by accident and many of them are run by just plain incompetent people; 4% of the SQL servers were so old they were still vulnerable to the Slammer worm from many years ago.
One point it raises, even if you don't intend for your server to be directly accessible on the Internet, is defense in depth. There should be a firewall on the server so that the attack surface is at least somewhat restricted. In keeping with this philosophy, starting with Windows Server 2008, the Windows Firewall is turned on by default.
Many users will notice this change in the form of connectivity failures, but that's a good thing because it forces you to think about what's open and closed on your server and make a decision about it. An entry on the SQL Server Security Blog discusses these changes and how you can approach them to make your Windows Server 2008-hosted SQL Servers secure.
First you have to locate your servers; it's a good bet that quite a few owners of those Internet-facing servers that Litchfield found don't even know the servers are up. You need to review the host security implementations on those servers to make sure that they conform to your policy. You also need to review your network firewall policies to make sure that the two are compatible. Verify that it's all working as expected; in other words, test the configuration. Then remedy the problems.
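The "verify that it's all working as expected" step can be scripted. The following is an added example, not code from the original article or the SQL Server Security Blog: it compares observed TCP reachability of the default SQL Server (1433) and Oracle (1521) listener ports with what policy allows from the vantage point where it runs. The host addresses, the `approved` set, the probe results and all function names are constructed for illustration.

```python
import socket

# Well-known default TCP listener ports; an instance may be configured otherwise.
# The SQL Server Browser service (UDP 1434, the Slammer vector) needs a separate check.
DEFAULT_PORTS = {"mssql": 1433, "oracle": 1521}

def tcp_open(host, port, timeout=1.0):
    """True if a TCP connection to host:port succeeds from this vantage point."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timed out), unreachable, unresolvable
        return False

def build_inventory(hosts, approved):
    """One entry per host and default port. `approved` is the set of
    (host, port) pairs that policy permits from this vantage point."""
    return [{"host": h, "port": p, "allowed": (h, p) in approved}
            for h in hosts for p in DEFAULT_PORTS.values()]

def audit(inventory, probe=tcp_open):
    """Return (host, port, finding) wherever observed reachability
    differs from policy: EXPOSED = open but not approved,
    BLOCKED = approved but unreachable (the connectivity-failure case)."""
    findings = []
    for item in inventory:
        reachable = probe(item["host"], item["port"])
        if reachable and not item["allowed"]:
            findings.append((item["host"], item["port"], "EXPOSED"))
        elif not reachable and item["allowed"]:
            findings.append((item["host"], item["port"], "BLOCKED"))
    return findings

if __name__ == "__main__":
    # Constructed data: documentation addresses and made-up probe results so the
    # example runs offline. Omit the probe argument to test your own servers.
    hosts = ["192.0.2.10", "192.0.2.20"]
    approved = {("192.0.2.10", 1433)}
    observed_open = {("192.0.2.20", 1433)}
    for host, port, finding in audit(build_inventory(hosts, approved),
                                     probe=lambda h, p: (h, p) in observed_open):
        print(f"{host}:{port} {finding}")
```

Run it once from inside the network and once from outside the perimeter, each with its own `approved` set, to check that the host firewall and the network firewall policies agree.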
Read the blog for more details. On your Windows Server 2003 servers you might even want to turn the firewall on as a defensive measure. Or you might want to turn it off on 2008. But it should be you making a conscious decision.

This is a cached copy of http://feeds.ziffdavisenterprise.com/~r/RSS/cheap_hack/~3/328040439/firewalls_on_your_windows_servers.html. The cache is a snapshot of the article taken when the feed was indexed.
Firewalls On Your Windows Servers





