Securing SQL Server, 2nd Edition

Book Description

SQL Server is one of the most widely used database platforms in the world, and a large percentage of these databases are not properly secured, exposing sensitive customer and business data to attack.

In Securing SQL Server, 2e, readers learn about the potential attack vectors that can be used to break into SQL Server databases as well as how to protect databases from these attacks. In this book written by Denny Cherry, a Microsoft SQL Server MVP and one of the biggest names in SQL Server today, readers learn how to properly secure a SQL Server database from internal and external threats using best practices as well as specific tricks the author employs in his role as database administrator for some of the largest SQL Server deployments in the world.

"Denny Cherry is what would happen if Bill Gates and AC/DC got together to create a sibling. He's a bare-knuckles, no-holds-barred technologist, and you can bet that if he tells you that something does or doesn't work, he's speaking from experience. Active in the community, his passion is sharing. You'll enjoy this book." -- Buck Woody, Senior Technology Specialist, Microsoft

  • Presents hands-on techniques for protecting your SQL Server database from intrusion and attack
  • Provides the most in-depth coverage of all aspects of SQL Server database security, including a wealth of new material on Microsoft SQL Server 2012 (Denali)
  • Explains how to set up your database securely, how to determine when someone tries to break in, what the intruder has accessed or damaged, and how to respond and mitigate damage if an intrusion occurs

Table of Contents

  1. Cover image
  2. Title page
  3. Table of Contents
  4. Copyright
  5. Acknowledgements
  6. Dedication
  7. Author Biography
  8. About the Technical Editor
  9. Introduction
  10. Chapter 1. Securing the Network
    1. Securing the network
    2. Public IP addresses versus private IP addresses
    3. Accessing SQL Server from home
    4. Physical security
    5. Social engineering
    6. Finding the instances
    7. Testing the network security
    8. Summary
    9. References
  11. Chapter 2. Database Encryption
    1. Database encryption
    2. Encrypting data within tables
    3. Encrypting data at rest
    4. Encrypting data on the wire
    5. Encrypting data with MPIO drivers
    6. Encrypting data via HBAs
    7. Summary
  12. Chapter 3. SQL Password Security
    1. SQL Server Password Security
    2. Strong Passwords
    3. Contained Database Logins in SQL Server 2012
    4. Encrypting client connection strings
    5. Application Roles
    6. Using Windows domain policies to enforce password length
    7. Contained Databases
    8. Summary
    9. References
  13. Chapter 4. Securing the Instance
    1. What to Install, and When?
    2. SQL Authentication and Windows Authentication
    3. Password Change Policies
    4. Auditing Failed Logins
    5. Renaming the SA Account
    6. Disabling the SA Account
    7. Securing Endpoints
    8. Stored Procedures as a Security Measure
    9. Minimum Permissions Possible
    10. Instant File Initialization
    11. Linked Servers
    12. Using Policies to Secure Your Instance
    13. SQL Azure Specific Settings
    14. Instances That Leave the Office
    15. Securing “Always On”
    16. Securing Contained Databases
    17. Summary
  14. Chapter 5. Additional Security for an Internet Facing SQL Server and Application
    1. SQL CLR
    2. Extended stored procedures
    3. Protecting Your Connection Strings
    4. Database Firewalls
    5. Clear virtual memory pagefile
    6. User access control (UAC)
    7. Other domain policies to adjust
    8. Summary
  15. Chapter 6. Analysis Services
    1. Logging into Analysis Services
    2. Securing Analysis Services Objects
    3. Summary
  16. Chapter 7. Reporting Services
    1. Setting up SSRS
    2. Service Account
    3. Web Service URL
    4. Database
    5. Report Manager URL
    6. E-mail Settings
    7. Execution Account
    8. Encryption Keys
    9. Scale-Out Deployment
    10. Logging onto SQL Server Reporting Services for the first time
    11. Security within reporting services
    12. Reporting services authentication options
    13. Report server object rights
    14. Summary
  17. Chapter 8. SQL Injection Attacks
    1. What is an SQL Injection attack?
    2. Why are SQL Injection attacks so successful?
    3. How to protect yourself from an SQL Injection attack
    4. Cleaning up the database after an SQL Injection attack
    5. Other front-end security issues
    6. Using xEvents to monitor for SQL Injection
    7. Summary
    8. Reference
  18. Chapter 9. Database Backup Security
    1. Overwriting backups
    2. Media set and backup set passwords
    3. Backup encryption
    4. Transparent data encryption
    5. Compression and encryption
    6. Encryption and Data Deduplication
    7. Offsite backups
    8. Summary
    9. References
  19. Chapter 10. Storage Area Network Security
    1. Securing the array
    2. Securing the storage switches
    3. Summary
  20. Chapter 11. Auditing for Security
    1. Login auditing
    2. Data modification auditing
    3. Data querying auditing
    4. Schema change auditing
    5. Using policy-based management to ensure policy compliance
    6. C2 auditing
    7. Common Criteria compliance
    8. Summary
  21. Chapter 12. Server Rights
    1. SQL Server service account configuration
    2. OS rights needed by the SQL Server service
    3. OS rights needed by the DBA
    4. OS rights needed to install service packs
    5. OS rights needed to access SSIS remotely
    6. Console Apps must die
    7. Fixed-server roles
    8. User defined server roles
    9. Fixed database roles
    10. User defined database roles
    11. Default sysadmin rights
    12. Vendors and the sysadmin fixed-server role
    13. Summary
  22. Chapter 13. Securing Data
    1. Granting rights
    2. Denying rights
    3. Revoking rights
    4. Column level permissions
    5. Row level permissions
    6. Summary
  23. Appendix A. External Audit Checklists
  24. Index