SQL Server hardening: disable the sa account, use Windows authentication (not SQL Server authentication), enable TDE, enable audit logs, apply least privilege to application accounts, disable xp_cmdshell, and patch regularly.
xp_cmdshell provides OS command execution from within SQL; disable it unless it is explicitly needed. Application accounts should have only SELECT/INSERT/UPDATE on the tables they need, not db_owner. TDE (Transparent Data Encryption) encrypts database files at rest.
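The same checklist applied as a T-SQL script, as an added example that is not part of the original notes; the database, login, table, certificate and audit names (AppDb, CORP\svc_app, dbo.Orders, TdeCert, HardeningAudit), the file paths and the password placeholders are assumed values to replace before use.

```sql
-- Assumed names: AppDb, CORP\svc_app, AppUser, dbo.Orders, TdeCert, HardeningAudit.
USE master;

-- 1. Disable the well-known sa login.
ALTER LOGIN sa DISABLE;

-- 2. Disable xp_cmdshell ('show advanced options' must be on to reach the setting).
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 3. TDE: database master key -> server certificate -> database encryption key -> on.
--    TDE protects the data, log and backup files on disk, not data read through a session.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<replace-with-strong-password>';
CREATE CERTIFICATE TdeCert WITH SUBJECT = 'TDE certificate for AppDb';
-- Back the certificate up immediately; without it the database cannot be restored elsewhere.
BACKUP CERTIFICATE TdeCert TO FILE = 'C:\secure\TdeCert.cer'
    WITH PRIVATE KEY (FILE = 'C:\secure\TdeCert.pvk',
                      ENCRYPTION BY PASSWORD = '<replace-with-strong-password>');
USE AppDb;
CREATE DATABASE ENCRYPTION KEY WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TdeCert;
ALTER DATABASE AppDb SET ENCRYPTION ON;

-- 4. Least-privilege application account: Windows login, table-level DML only, no db_owner.
USE master;
CREATE LOGIN [CORP\svc_app] FROM WINDOWS;
USE AppDb;
CREATE USER AppUser FOR LOGIN [CORP\svc_app];
GRANT SELECT, INSERT, UPDATE ON dbo.Orders TO AppUser;

-- 5. Server audit capturing failed logins and principal/permission/object changes to files.
USE master;
CREATE SERVER AUDIT HardeningAudit TO FILE (FILEPATH = 'C:\audit\');
CREATE SERVER AUDIT SPECIFICATION HardeningAuditSpec
    FOR SERVER AUDIT HardeningAudit
    ADD (FAILED_LOGIN_GROUP),
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP),
    ADD (SERVER_PERMISSION_CHANGE_GROUP),
    ADD (SERVER_OBJECT_CHANGE_GROUP)
    WITH (STATE = ON);
ALTER SERVER AUDIT HardeningAudit WITH (STATE = ON);

-- 6. Verify: expect xp_cmdshell value_in_use = 0, sa is_disabled = 1,
--    IsIntegratedSecurityOnly = 1 (Windows auth mode), AppDb encryption_state = 3.
SELECT name, value_in_use FROM sys.configurations WHERE name = 'xp_cmdshell';
SELECT name, is_disabled FROM sys.server_principals WHERE sid = 0x01;
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;
SELECT DB_NAME(database_id) AS db, encryption_state FROM sys.dm_database_encryption_keys;
```

Switching the server from mixed mode to Windows authentication is a server property changed in SSMS or the registry rather than in T-SQL, which is why the script only verifies it; run the script from a sysadmin session and keep the exported certificate and passwords in a secrets store, not on the database host.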