Locking Down SharePoint's SQL Server

Best practice guidance for SharePoint 2013 farms is that SQL Server's old familiar default port 1433 is now persona non grata for secure farm communication with the database. That port, and its near relative UDP 1434, should be specifically blocked in the firewall rules of the SQL Server. To facilitate communication, a custom port is chosen and an alias is required not only on the SQL Server but on each SharePoint server. SQL Server client and management tools need to be installed on each of these machines in order to set the alias. The new port needs a firewall exception created for it, just as would previously have been done for 1433.
While it adds some developer pain to configure SQL Server Management Studio tools on each SharePoint Server, that is balanced out by the convenience of checking permissions or other SQL maintenance tasks without having to actually log into the SQL Server. Double check aliases carefully and choose a port number that is not a candidate for transposing. Have you ever suffered your trusty PowerShell console complaining that "The local farm is not accessible. Cmdlets with FeatureDependencyId are not registered" just when you are about to script your site collections? You might if you mistype a port number in one of your SQL client aliases!
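
One way to double-check an alias on each SharePoint server is sketched below; it is an added example, not part of the original article. The alias name, SQL host name and custom port are hypothetical placeholders. The script reads the 64-bit and 32-bit client alias registry keys, flags any mismatch, and then confirms that the custom port answers while 1433 does not.

```powershell
# Added example: audit the SQL client alias on a SharePoint server.
# Assumed values (not from the article): alias name, SQL host and custom port.
$ExpectedAlias = 'SPSQL'                 # hypothetical alias name
$ExpectedHost  = 'sql01.contoso.local'   # hypothetical SQL Server host
$ExpectedPort  = 50433                   # hypothetical custom port

# Aliases set with the SQL client tools are stored under these keys.
# 64-bit and 32-bit clients read different keys, so both must agree.
$AliasKeys = @(
    'HKLM:\SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\MSSQLServer\Client\ConnectTo'
)

function Get-SqlAliasEntry {
    param([string]$KeyPath, [string]$Alias)
    if (-not (Test-Path $KeyPath)) { return $null }
    $value = (Get-ItemProperty -Path $KeyPath -Name $Alias -ErrorAction SilentlyContinue).$Alias
    if (-not $value) { return $null }
    # TCP/IP aliases are stored as "DBMSSOCN,<server>,<port>"
    $parts = $value -split ','
    [pscustomobject]@{
        Key = $KeyPath; Protocol = $parts[0]; Server = $parts[1]
        Port = $parts[2] -as [int]       # $null or 0 if missing or not numeric
    }
}

foreach ($key in $AliasKeys) {
    $entry = Get-SqlAliasEntry -KeyPath $key -Alias $ExpectedAlias
    if (-not $entry) { Write-Warning "Alias '$ExpectedAlias' missing under $key"; continue }
    if ($entry.Protocol -ne 'DBMSSOCN') { Write-Warning "$key : alias is not TCP/IP ($($entry.Protocol))" }
    if ($entry.Server -ne $ExpectedHost) { Write-Warning "$key : server is '$($entry.Server)', expected '$ExpectedHost'" }
    if ($entry.Port -ne $ExpectedPort) { Write-Warning "$key : port is '$($entry.Port)', expected $ExpectedPort" }
    if ($entry.Port -in 1433, 1434) { Write-Warning "$key : alias still points at a default SQL port" }
}

# Confirm the custom port answers and the default port is blocked.
foreach ($port in $ExpectedPort, 1433) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $open = $client.ConnectAsync($ExpectedHost, $port).Wait(3000)
    } catch { $open = $false } finally { $client.Close() }
    "{0}:{1} reachable = {2}" -f $ExpectedHost, $port, $open
}
```

Run it from an elevated PowerShell session on every SharePoint server in the farm; a clean result is no warnings, the custom port reachable and 1433 not reachable.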