Securing SQL Server - 2nd Edition - ISBN: 9781597499477, 9781597499521

Securing SQL Server

2nd Edition

Protecting Your Database from Attackers

Authors: Denny Cherry
eBook ISBN: 9781597499521
Paperback ISBN: 9781597499477
Imprint: Syngress
Published Date: 2nd August 2012
Page Count: 408
Sales tax will be calculated at check-out Price includes VAT/GST
Price includes VAT/GST
× DRM-Free

Easy - Download and start reading immediately. There’s no activation process to access eBooks; all eBooks are fully searchable, and enabled for copying, pasting, and printing.

Flexible - Read on multiple operating systems and devices. Easily read eBooks on smart phones, computers, or any eBook readers, including Kindle.

Open - Buy once, receive and download all available eBook formats, including PDF, EPUB, and Mobi (for Kindle).

Institutional Access

Secure Checkout

Personal information is secured with SSL technology.

Free Shipping

Free global shipping
No minimum order.


SQL server is the most widely used database platform in the world, and a large percentage of these databases are not properly secured, exposing sensitive customer and business data to attack.

In Securing SQL Server, 2e, readers learn about the potential attack vectors that can be used to break into SQL server databases as well as how to protect databases from these attacks. In this book written by Denny Cherry, a Microsoft SQL MVP and one of the biggest names in SQL server today, readers learn how to properly secure a SQL server database from internal and external threats using best practices as well as specific tricks the authors employ in their roles as database administrators for some of the largest SQL server deployments in the world.

"Denny Cherry is what would happen if Bill Gates and AC/DC got together to create a sibling. He's a bare-knuckles, no holds-barred technologist, and you can bet that if he tells you that something does or doesn't work, he's speaking from experience. Active in the community, his passion is sharing. You'll enjoy this book."--Buck Woody, Senior Technology Specialist, Microsoft

Key Features

  • Presents hands-on techniques for protecting your SQL Server database from intrusion and attack
  • Provides the most in-depth coverage of all aspects of SQL Server database security, including a wealth of new material on Microsoft SQL Server 2012 (Denali)
  • Explains how to set up your database securely, how to determine when someone tries to break in, what the intruder has accessed or damaged, and how to respond and mitigate damage if an intrusion occurs

Table of Contents



Author Biography

About the Technical Editor


Chapter 1. Securing the Network

Securing the network

Public IP Addresses versus private IP Addresses

Accessing SQL Server from home

Physical security

Social engineering

Finding the instances

Testing the network security



Chapter 2. Database Encryption

Database encryption

Encrypting data within tables

Encrypting data at rest

Encrypting data on the wire

Encrypting data with MPIO drivers

Encrypting data via HBAs



Chapter 3. SQL Password Security

SQL Server Password Security

Strong Passwords

Contained Database Logins in SQL Server 2012

Encrypting client connection strings

Application Roles

Using Windows domain policies to enforce password length

Contained Databases



Chapter 4. Securing the Instance

What to Install, and When?

SQL Authentication and Windows Authentication

Password Change Policies

Auditing Failed Logins

Renaming the SA Account

Disabling the SA Account

Securing Endpoints

Stored Procedures as a Security Measure

Minimum Permissions Possible

Instant File Initialization

Linked Servers

Using Policies to Secure Your Instance

SQL Azure Specific Settings

Instances That Leave the Office

Securing “Always On”

Securing Contained Databases


Chapter 5. Additional Security for an Internet Facing SQL Server and Application


Extended stored procedures

Protecting Your Connection Strings

Database Firewalls

Clear virtual memory pagefile

User access control (UAC)

Other domain policies to adjust


Chapter 6. Analysis Services

Logging into Analysis Services

Securing Analysis Services Objects


Chapter 7. Reporting Services

Setting up SSRS

Service Account

Web Service URL


Report Manager URL

E-mail Settings

Execution Account

Encryption Keys

Scale-Out Deployment

Logging onto SQL Server Reporting Services for the first time

Security within reporting services

Reporting services authentication options

Report server object rights


Chapter 8. SQL Injection Attacks

What is an SQL Injection attack?

Why are SQL Injection attacks so successful?

How to protect yourself from an SQL Injection attack

Cleaning up the database after an SQL Injection attack

Other front-end security issues

Using xEvents to monitor for SQL Injection



Chapter 9. Database Backup Security

Overwriting backups

Media set and backup set passwords

Backup encryption

Transparent data encryption

Compression and encryption

Encryption and Data Deduplication

Offsite backups



Chapter 10. Storage Area Network Security

Securing the array

Securing the storage switches


Chapter 11. Auditing for Security

Login auditing

Data modification auditing

Data querying auditing

Schema change auditing

Using policy-based management to ensure policy compliance

C2 auditing

Common Criteria compliance



Chapter 12. Server Rights

SQL Server service account configuration

OS rights needed by the SQL Server service

OS rights needed by the DBA

OS rights needed to install service packs

OS rights needed to access SSIS remotely

Console Apps must die

Fixed-server roles

User defined server roles

Fixed database roles

User defined database roles

Default sysadmin rights

Vendor’s and the sysadmin fixed-server role


Chapter 13. Securing Data

Granting rights

Denying rights

Revokeing rights

Column level permissions

Row level permissions


Appendix A. External Audit Checklists



No. of pages:
© Syngress 2013
eBook ISBN:
Paperback ISBN:

About the Author

Denny Cherry

Denny Cherry (MCSA, MCDBA, MCTS, MCITP, MCM) has been working with Microsoft technology for over 15 years starting with Windows 3.51 and SQL Server 6.5. In 2009, Denny was named as a Microsoft MVP for the Microsoft SQL Server product, and in 2011 Denny earned the Microsoft Certified Master certification for SQL Server 2008. Denny has written dozens of articles for a variety of websites as well as print magazines on a variety of subjects including SQL Server, Clustering, Storage Configuration, and SharePoint.

Affiliations and Expertise

(MCSA, MCDBA, MCTS, MCITP, MCM) has been working with Microsoft technology for over 15 years starting with Windows 3.51 and SQL Server 6.5.


"Denny Cherry is what would happen if Bill Gates and AC/DC got together to create a sibling. He’s a bare-knuckles, no holds-barred technologist, and you can bet that if he tells you that something does or doesn’t work, he’s speaking from experience. Active in the community, his passion is sharing. You’ll enjoy this book." --Buck Woody, Senior Technology Specialist, Microsoft

"Securing SQL Server - Protecting Your Database from Attackers and SQL Injection Attacks and Defense are two new books out on SQL security. The first, Securing SQL Server - Protecting Your Database from Attackers, author Denny Cherry takes a high-level approach to the topic. The book explains how to secure and protect a SQL database from attack. The book details how to configure SQL against both internal and external-based attacks. This updated edition includes new chapters on analysis services, reporting services, and storage area network security. For anyone new to SQL security, Cherry does a great job of explaining what needs to be done in this valuable guide. In and SQL Injection Attacks and Defense, editor Justin Clarke enlists the help of a set of experts on how to deal with SQL injection attacks. Since SQL is so ubiquitous on corporate networks, with sites often running hundreds of SQL servers; SQL is prone to attacks. SQL injection is a technique often used to attack databases through a website and is often done by including portions of SQL statements in a web form entry field in an attempt to get the website to pass a newly formed rogue SQL command to the database. SQL injection is a code injection technique that exploits security vulnerability in a website's software. The vulnerability happens when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. With that, the need to defend servers against such attacks is an imperative and SQL Injection A

Ratings and Reviews