Is it good to avoid using the default ports for SQL Server?

Asked by AndrewJenkins in SQL Server, asked on Jul 19, 2021

Historically, it has been recommended not to use the default ports for connections to SQL Server, as part of security best practice. On a server with a single, default instance, the following ports would be used by default:

SQL Server service - Port 1433 (TCP)
SQL Server Browser service - Port 1434 (UDP)
Dedicated Admin Connection - Port 1434 (TCP)

QUESTIONS:
Is this advice still relevant?
Should ALL of the above ports be changed?
What is the default port for SQL Server?

Answered by Ankit Chauhan

Even though security through obscurity isn't actual security, I won't say there aren't any cases where it helps.

If an attacker wants to know where your service is listening they can easily find out, but in the event of a dumb automated attack, you could be lucky if you changed the port. The only time I can remember where it actually helped is during the time of SQL Slammer, where SQL Server 2000 was vulnerable and a worm spread by generating random IPs and connecting to the default SQL Server Browser port. If I recall correctly, it was official advice at the time to change the ports until you could patch your server (either because there wasn't a patch available immediately or because you didn't have a window).

For that worm to enter your network at the time you needed to have a SQL Server connected to the internet instead of behind a firewall, which you shouldn't, but anyhow, a non-default port number could have helped in that specific case. I do however agree that if you have proper security in place the complexity you add probably doesn't outweigh the chances of it preventing an incident.

"Historically, it has been recommended not to use the default ports for connections to SQL Server, as part of security best practice."

Which was asinine then and still asinine now. Security through arguable obscurity isn't security at all.

"Is this advice still relevant?"

IMHO it was never relevant. It was required for some compliance purposes because the people drafting up those compliances did not understand what they were doing, again, IMHO.

"Should ALL of the above ports be changed?"

No.

"What is the default port for SQL Server?"

TCP 1433. By default, the typical ports used by SQL Server and associated database engine services are TCP 1433, 4022, 135, 1434, UDP 1434. The table below explains these ports in greater detail. A named instance uses dynamic ports.
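An added example, not part of the original question or answers: a small audit that flags firewall allow rules exposing SQL Server listeners to untrusted sources, showing that a moved port is still reachable when a broad rule covers it. The rule format, rule names, the trusted network and the moved port 51433 are constructed assumptions.

```python
import ipaddress

# Default ports named on this page, keyed by (protocol, port).
DEFAULT_PORTS = {("tcp", 1433), ("tcp", 1434), ("udp", 1434), ("tcp", 4022), ("tcp", 135)}

# Assumption: the only network allowed to reach the database tier (IPv4 only here).
TRUSTED = [ipaddress.ip_network("10.0.0.0/8")]

def port_range(spec):
    """Parse '1433' or '1024-65535' into an inclusive (low, high) pair."""
    low, _, high = spec.partition("-")
    return int(low), int(high or low)

def is_trusted(cidr):
    """True when the rule's source lies entirely inside a trusted network."""
    net = ipaddress.ip_network(cidr)
    return any(net.subnet_of(t) for t in TRUSTED)

def audit(rules, listening):
    """Return (rule name, proto, port, note) for each listening SQL Server
    port that an allow rule exposes to a source outside TRUSTED."""
    findings = []
    for rule in rules:
        if is_trusted(rule["source"]):
            continue
        low, high = port_range(rule["ports"])
        for proto, port in sorted(listening):
            if proto == rule["proto"] and low <= port <= high:
                note = "default port" if (proto, port) in DEFAULT_PORTS else "non-default port"
                findings.append((rule["name"], proto, port, note))
    return findings

# Constructed sample: the engine was moved from 1433 to 51433, Browser left running.
LISTENING = {("tcp", 51433), ("udp", 1434)}
RULES = [
    {"name": "app-tier-to-sql", "proto": "tcp", "ports": "51433", "source": "10.20.0.0/16"},
    {"name": "legacy-high-ports", "proto": "tcp", "ports": "1024-65535", "source": "0.0.0.0/0"},
    {"name": "browser-any", "proto": "udp", "ports": "1434", "source": "0.0.0.0/0"},
    {"name": "old-1433-any", "proto": "tcp", "ports": "1433", "source": "0.0.0.0/0"},
]

if __name__ == "__main__":
    for finding in audit(RULES, LISTENING):
        print(finding)
```

The stale rule for 1433 produces no finding because nothing listens there any more, while the broad high-port rule still exposes the relocated engine.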


