Securing SQL Server
2nd Edition
Protecting Your Database from Attackers
Description
SQL server is the most widely used database platform in the world, and a large percentage of these databases are not properly secured, exposing sensitive customer and business data to attack.
In Securing SQL Server, 2e, readers learn about the potential attack vectors that can be used to break into SQL server databases as well as how to protect databases from these attacks. In this book written by Denny Cherry, a Microsoft SQL MVP and one of the biggest names in SQL server today, readers learn how to properly secure a SQL server database from internal and external threats using best practices as well as specific tricks the authors employ in their roles as database administrators for some of the largest SQL server deployments in the world.
"Denny Cherry is what would happen if Bill Gates and AC/DC got together to create a sibling. He's a bare-knuckles, no holds-barred technologist, and you can bet that if he tells you that something does or doesn't work, he's speaking from experience. Active in the community, his passion is sharing. You'll enjoy this book."--Buck Woody, Senior Technology Specialist, Microsoft
Key Features
- Presents hands-on techniques for protecting your SQL Server database from intrusion and attack
- Provides the most in-depth coverage of all aspects of SQL Server database security, including a wealth of new material on Microsoft SQL Server 2012 (Denali)
- Explains how to set up your database securely, how to determine when someone tries to break in, what the intruder has accessed or damaged, and how to respond and mitigate damage if an intrusion occurs
Table of Contents
Acknowledgements
Dedication
Author Biography
About the Technical Editor
Introduction
Chapter 1. Securing the Network
Securing the network
Public IP Addresses versus private IP Addresses
Accessing SQL Server from home
Physical security
Social engineering
Finding the instances
Testing the network security
Summary
References
Chapter 2. Database Encryption
Database encryption
Encrypting data within tables
Encrypting data at rest
Encrypting data on the wire
Encrypting data with MPIO drivers
Encrypting data via HBAs
Summary
REFERENCES
Chapter 3. SQL Password Security
SQL Server Password Security
Strong Passwords
Contained Database Logins in SQL Server 2012
Encrypting client connection strings
Application Roles
Using Windows domain policies to enforce password length
Contained Databases
Summary
References
Chapter 4. Securing the Instance
What to Install, and When?
SQL Authentication and Windows Authentication
Password Change Policies
Auditing Failed Logins
Renaming the SA Account
Disabling the SA Account
Securing Endpoints
Stored Procedures as a Security Measure
Minimum Permissions Possible
Instant File Initialization
Linked Servers
Using Policies to Secure Your Instance
SQL Azure Specific Settings
Instances That Leave the Office
Securing “Always On”
Securing Contained Databases
Summary
Chapter 5. Additional Security for an Internet Facing SQL Server and Application
SQL CLR
Extended stored procedures
Protecting Your Connection Strings
Database Firewalls
Clear virtual memory pagefile
User access control (UAC)
Other domain policies to adjust
Summary
Chapter 6. Analysis Services
Logging into Analysis Services
Securing Analysis Services Objects
Summary
Chapter 7. Reporting Services
Setting up SSRS
Service Account
Web Service URL
Database
Report Manager URL
E-mail Settings
Execution Account
Encryption Keys
Scale-Out Deployment
Logging onto SQL Server Reporting Services for the first time
Security within reporting services
Reporting services authentication options
Report server object rights
Summary
Chapter 8. SQL Injection Attacks
What is an SQL Injection attack?
Why are SQL Injection attacks so successful?
How to protect yourself from an SQL Injection attack
Cleaning up the database after an SQL Injection attack
Other front-end security issues
Using xEvents to monitor for SQL Injection
Summary
Reference
Chapter 9. Database Backup Security
Overwriting backups
Media set and backup set passwords
Backup encryption
Transparent data encryption
Compression and encryption
Encryption and Data Deduplication
Offsite backups
Summary
References
Chapter 10. Storage Area Network Security
Securing the array
Securing the storage switches
Summary
Chapter 11. Auditing for Security
Login auditing
Data modification auditing
Data querying auditing
Schema change auditing
Using policy-based management to ensure policy compliance
C2 auditing
Common Criteria compliance
Summary
REFERENCES
Chapter 12. Server Rights
SQL Server service account configuration
OS rights needed by the SQL Server service
OS rights needed by the DBA
OS rights needed to install service packs
OS rights needed to access SSIS remotely
Console Apps must die
Fixed-server roles
User defined server roles
Fixed database roles
User defined database roles
Default sysadmin rights
Vendor’s and the sysadmin fixed-server role
Summary
Chapter 13. Securing Data
Granting rights
Denying rights
Revokeing rights
Column level permissions
Row level permissions
Summary
Appendix A. External Audit Checklists
Index
Details
- No. of pages:
- 408
- Language:
- English
- Copyright:
- © Syngress 2013
- Published:
- 2nd August 2012
- Imprint:
- Syngress
- eBook ISBN:
- 9781597499521
- Paperback ISBN:
- 9781597499477
About the Author
Denny Cherry
Denny Cherry (MCSA, MCDBA, MCTS, MCITP, MCM) has been working with Microsoft technology for over 15 years starting with Windows 3.51 and SQL Server 6.5. In 2009, Denny was named as a Microsoft MVP for the Microsoft SQL Server product, and in 2011 Denny earned the Microsoft Certified Master certification for SQL Server 2008. Denny has written dozens of articles for a variety of websites as well as print magazines on a variety of subjects including SQL Server, Clustering, Storage Configuration, and SharePoint.
Affiliations and Expertise
(MCSA, MCDBA, MCTS, MCITP, MCM) has been working with Microsoft technology for over 15 years starting with Windows 3.51 and SQL Server 6.5.
Reviews
"Denny Cherry is what would happen if Bill Gates and AC/DC got together to create a sibling. He’s a bare-knuckles, no holds-barred technologist, and you can bet that if he tells you that something does or doesn’t work, he’s speaking from experience. Active in the community, his passion is sharing. You’ll enjoy this book." --Buck Woody, Senior Technology Specialist, Microsoft
"Securing SQL Server - Protecting Your Database from Attackers and SQL Injection Attacks and Defense are two new books out on SQL security. The first, Securing SQL Server - Protecting Your Database from Attackers, author Denny Cherry takes a high-level approach to the topic. The book explains how to secure and protect a SQL database from attack. The book details how to configure SQL against both internal and external-based attacks. This updated edition includes new chapters on analysis services, reporting services, and storage area network security. For anyone new to SQL security, Cherry does a great job of explaining what needs to be done in this valuable guide. In and SQL Injection Attacks and Defense, editor Justin Clarke enlists the help of a set of experts on how to deal with SQL injection attacks. Since SQL is so ubiquitous on corporate networks, with sites often running hundreds of SQL servers; SQL is prone to attacks. SQL injection is a technique often used to attack databases through a website and is often done by including portions of SQL statements in a web form entry field in an attempt to get the website to pass a newly formed rogue SQL command to the database. SQL injection is a code injection technique that exploits security vulnerability in a website's software. The vulnerability happens when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. With that, the need to defend servers against such attacks is an imperative and SQL Injection Attacks and Defense should be required reading for anyone tasks with securing SQL servers." --RSA Conference