Chapter 6. SQL Server 2005 Security

Security is a double-edged sword. As an administrator, you want your servers to be as secure as possible, but often don't want to sacrifice functionality or pay an outrageous amount of money to secure your infrastructure. Unfortunately, many administrators have fallen victim to the belief that "it won't happen to me." With the increasing number of threats, you must apply due diligence to protect your servers as much as possible. You are never going to be able to say with absolute certainty that your SQL Servers are invulnerable. It is a fact that regardless of how much money you spend, and how tightly you restrict your users' rights and privileges, you will still be attacked.

Security isn't about guaranteeing a completely attack-proof system. It's about mitigating and responding to risk. It's about ensuring that you take the necessary steps to minimize the scope of the attack. This chapter takes a look at SQL Security from the outside in. You will learn about the different types of accounts and principals that are available. You will see how to control access to database objects, and how you can use some new tools to encrypt and protect your data. This chapter also includes some guidelines for providing a secure solution for deploying and managing your SQL Server.

It is important to note that the concepts discussed and examples given in this chapter have been tested to work in Windows XP and Windows Server 2003. As of this writing, ...
