
Securing SQL Server

Protecting Your Database from Attackers

Securing SQL Server: Protecting Your Database from Attackers provides readers with the necessary tools and techniques to help maintain the security of databases within their environment. It begins with a discussion of network security issues, including public versus private IP addresses; accessing an SQL server from home; physical security; and testing network security. The remaining chapters cover database encryption; SQL password security; SQL injection attacks; database backup security; security auditing; and server rights. The Appendix features checklists that database administrators can use to pass external audits.


Published: January 2011

Imprint: Syngress

ISBN: 978-1-59749-625-4


  • "Denny Cherry is what would happen if Bill Gates and AC/DC got together to create a sibling. He’s a bare-knuckles, no-holds-barred technologist, and you can bet that if he tells you that something does or doesn’t work, he’s speaking from experience. Active in the community, his passion is sharing. You’ll enjoy this book."

    -Buck Woody, Senior Technology Specialist, Microsoft


    "Securing SQL Server is a must read for any architect or database administrator wanting to secure their SQL Servers. Given the sensitive data that SQL Servers could hold, it is vital that one understands the potential attacks and how to protect yourself from them. This is the book to help you understand."

    -InfoSecReviews Book Awards


  • Dedication


    Author Bio


    Chapter 1 Securing the Network

    Securing the Network

    Public IP Addresses versus Private IP Addresses

    Accessing SQL Server from Home

    Physical Security

    Social Engineering

    Finding the Instances

    Testing the Network Security


    Chapter 2 Database Encryption

    Database Encryption

    Encrypting Data within Tables

    Encrypting Data at Rest

    Encrypting Data on the Wire

    Encrypting Data with MPIO Drivers

    Encrypting Data via HBAs


    Chapter 3 SQL Password Security

    SQL Server Password Security

    Strong Passwords

    Encrypting Client Connection Strings

    Application Roles

    Using Windows Domain Policies to Enforce Password Length


    Chapter 4 Securing the Instance

    What to Install, and When?

    SQL Authentication and Windows Authentication

    Password Change Policies

    Auditing Failed Logins

    Renaming the SA Account

    Disabling the SA Account

    Securing Endpoints

    Stored Procedures as a Security Measure

    Minimum Permissions Possible

    Linked Servers

    Using Policies to Secure Your Instance

    SQL Azure Specific Settings

    Instances That Leave the Office


    Chapter 5 Additional Security for an Internet Facing SQL Server and Application


    Extended Stored Procedures

    Protecting Your Connection Strings

    Database Firewalls

    Clear Virtual Memory Pagefile

    User Access Control (UAC)

    Other Domain Policies to Adjust

    Reporting Services


    Chapter 6 SQL Injection Attacks

    What Is an SQL Injection Attack?

    Why Are SQL Injection Attacks So Successful?

    How to Protect Yourself from an SQL Injection Attack

    Cleaning Up the Database After an SQL Injection Attack


    Chapter 7 Database Backup Security

    Overwriting Backups

    Media Set and Backup Set Passwords

    Backup Encryption

    Transparent Data Encryption

    Compression and Encryption

    Offsite Backups


    Chapter 8 Auditing for Security

    Login Auditing

    Data Modification Auditing

    Data Querying Auditing

    Schema Change Auditing

    Using Policy-Based Management to Ensure Policy Compliance

    C2 Auditing

    Common Criteria Compliance


    Chapter 9 Server Rights

    OS Rights Needed by the SQL Server Service

    OS Rights Needed by the DBA

    OS Rights Needed to Install Service Packs

    OS Rights Needed to Access SSIS Remotely

    Console Apps Must Die

    Default Sysadmin Rights

    Vendor’s and the Sysadmin Fixed-Server Role


    Appendix A: External Audit Checklists


