Securing SQL Server

SQL server is the most widely used database platform in the world, and a large percentage of these databases are not properly secured, exposing sensitive customer and business data to attack.

In Securing SQL Server, 2e, readers learn about the potential attack vectors that can be used to break into SQL server databases as well as how to protect databases from these attacks. In this book written by Denny Cherry, a Microsoft SQL MVP and one of the biggest names in SQL server today, readers learn how to properly secure a SQL server database from internal and external threats using best practices as well as specific tricks the authors employ in their roles as database administrators for some of the largest SQL server deployments in the world.

"Denny Cherry is what would happen if Bill Gates and AC/DC got together to create a sibling. He's a bare-knuckles, no holds-barred technologist, and you can bet that if he tells you that something does or doesn't work, he's speaking from experience. Active in the community, his passion is sharing. You'll enjoy this book."--Buck Woody, Senior Technology Specialist, Microsoft

• Presents hands-on techniques for protecting your SQL Server database from intrusion and attack
• Provides the most in-depth coverage of all aspects of SQL Server database security, including a wealth of new material on Microsoft SQL Server 2012 (Denali)
• Explains how to set up your database securely, how to determine when someone tries to break in, what the intruder has accessed or damaged, and how to respond and mitigate damage if an intrusion occurs

Acknowledgements

Dedication

Author Biography

About the Technical Editor

Introduction

Chapter 1. Securing the Network

Securing the network

Public IP Addresses versus private IP Addresses

Accessing SQL Server from home

Physical security

Social engineering

Finding the instances

Testing the network security

Summary

References

Chapter 2. Database Encryption

Database encryption

Encrypting data within tables

Encrypting data at rest

Encrypting data on the wire

Encrypting data with MPIO drivers

Encrypting data via HBAs

Summary

REFERENCES

Chapter 3. SQL Password Security

SQL Server Password Security

Strong Passwords

Contained Database Logins in SQL Server 2012

Encrypting client connection strings

Application Roles

Using Windows domain policies to enforce password length

Contained Databases

Summary

References

Chapter 4. Securing the Instance

What to Install, and When?

SQL Authentication and Windows Authentication

Password Change Policies

Auditing Failed Logins

Renaming the SA Account

Disabling the SA Account

Securing Endpoints

Stored Procedures as a Security Measure

Minimum Permissions Possible

Instant File Initialization

Linked Servers

Using Policies to Secure Your Instance

SQL Azure Specific Settings

Instances That Leave the Office

Securing “Always On”

Securing Contained Databases

Summary

Chapter 5. Additional Security for an Internet Facing SQL Server and Application

SQL CLR

Extended stored procedures

Protecting Your Connection Strings

Database Firewalls

Clear virtual memory pagefile

User access control (UAC)

Other domain policies to adjust

Summary

Chapter 6. Analysis Services

Logging into Analysis Services

Securing Analysis Services Objects

Summary

Chapter 7. Reporting Services

Setting up SSRS

Service Account

Web Service URL

Database

Report Manager URL

E-mail Settings

Execution Account

Encryption Keys

Scale-Out Deployment

Logging onto SQL Server Reporting Services for the first time

Security within reporting services

Reporting services authentication options

Report server object rights

Summary

Chapter 8. SQL Injection Attacks

What is an SQL Injection attack?

Why are SQL Injection attacks so successful?

How to protect yourself from an SQL Injection attack

Cleaning up the database after an SQL Injection attack

Other front-end security issues

Using xEvents to monitor for SQL Injection

Summary

Reference

Chapter 9. Database Backup Security

Overwriting backups

Media set and backup set passwords

Backup encryption

Transparent data encryption

Compression and encryption

Encryption and Data Deduplication

Offsite backups

Summary

References

Chapter 10. Storage Area Network Security

Securing the array

Securing the storage switches

Summary

Chapter 11. Auditing for Security

Login auditing

Data modification auditing

Data querying auditing

Schema change auditing

Using policy-based management to ensure policy compliance

C2 auditing

Common Criteria compliance

Summary

REFERENCES

Chapter 12. Server Rights

SQL Server service account configuration

OS rights needed by the SQL Server service

OS rights needed by the DBA

OS rights needed to install service packs

OS rights needed to access SSIS remotely

Console Apps must die

Fixed-server roles

User defined server roles

Fixed database roles

User defined database roles

Default sysadmin rights

Vendor’s and the sysadmin fixed-server role

Summary

Chapter 13. Securing Data

Granting rights

Denying rights

Revokeing rights

Column level permissions

Row level permissions

Summary

Appendix A. External Audit Checklists

Index