Securing SQL Server

Protecting Your Database from Attackers

By

  • Denny Cherry, (MCSA, MCDBA, MCTS, MCITP, MCM) has been working with Microsoft technology for over 15 years starting with Windows 3.51 and SQL Server 6.5.

Securing SQL Server: Protecting Your Database from Attackers provides readers with the necessary tools and techniques to help maintain the security of databases within their environment. It begins with a discussion of network security issues, including public versus private IP addresses; accessing an SQL server from home; physical security; and testing network security. The remaining chapters cover database encryption; SQL password security; SQL injection attacks; database backup security; security auditing; and server rights. The Appendix features checklists that database administrators can use to pass external audits.
View full description

 

Book information

  • Published: January 2011
  • Imprint: SYNGRESS
  • ISBN: 978-1-59749-625-4

Reviews

"Denny Cherry is what would happen if Bill Gates and AC/DC got together to create a sibling. He’s a bare-knuckles, no holds-barred technologist, and you can bet that if he tells you that something does or doesn’t work, he’s speaking from experience. Active in the community, his passion is sharing. You’ll enjoy this book."

-Buck Woody, Senior Technology Specialist, Microsoft

 

"Securing SQL Server is a must read for any architect or database administrator wanting to secure their SQL Servers. Given the sensitive data that SQL Servers could hold, it is vital that one understands the potential attacks and how to protect yourself from them. This is the book to help you understand."

-InfoSecReviews Book Awards




Table of Contents


Dedication

Acknowledgments

Author Bio

Introduction

Chapter 1 Securing the Network

Securing the Network

Public IP Addresses versus Private IP Addresses

Accessing SQL Server from Home

Physical Security

Social Engineering

Finding the Instances

Testing the Network Security

Summary

Chapter 2 Database Encryption

Database Encryption

Encrypting Data within Tables

Encrypting Data at Rest

Encrypting Data on the Wire

Encrypting Data with MPIO Drivers

Encrypting Data via HBAs

Summary

Chapter 3 SQL Password Security

SQL Server Password Security

Strong Passwords

Encrypting Client Connection Strings

Application Roles

Using Windows Domain Policies to Enforce Password Length

Summary

Chapter 4 Securing the Instance

What to Install, and When?

SQL Authentication and Windows Authentication

Password Change Policies

Auditing Failed Logins

Renaming the SA Account

Disabling the SA Account

Securing Endpoints

Stored Procedures as a Security Measure

Minimum Permissions Possible

Linked Servers

Using Policies to Secure Your Instance

SQL Azure Specific Settings

Instances That Leave the Office

Summary

Chapter 5 Additional Security for an Internet Facing SQL Server and Application

SQL CLR

Extended Stored Procedures

Protecting Your Connection Strings

Database Firewalls

Clear Virtual Memory Pagefile

User Access Control (UAC)

Other Domain Policies to Adjust

Reporting Services

Summary

Chapter 6 SQL Injection Attacks

What Is an SQL Injection Attack?

Why Are SQL Injection Attacks So Successful?

How to Protect Yourself from an SQL Injection Attack

Cleaning Up the Database After an SQL Injection Attack

Summary

Chapter 7 Database Backup Security

Overwriting Backups

Media Set and Backup Set Passwords

Backup Encryption

Transparent Data Encryption

Compression and Encryption

Offsite Backups

Summary

Chapter 8 Auditing for Security

Login Auditing

Data Modification Auditing

Data Querying Auditing

Schema Change Auditing

Using Policy-Based Management to Ensure Policy Compliance

C2 Auditing

Common Criteria Compliance

Summary

Chapter 9 Server Rights

OS Rights Needed by the SQL Server Service

OS Rights Needed by the DBA

OS Rights Needed to Install Service Packs

OS Rights Needed to Access SSIS Remotely

Console Apps Must Die

Default Sysadmin Rights

Vendor’s and the Sysadmin Fixed-Server Role

Summary

Appendix A: External Audit Checklists

Index