You are previewing Securing SQL Server, 3rd Edition.
O'Reilly logo
Securing SQL Server, 3rd Edition

Book Description

SQL server is the most widely-used database platform in the world, and a large percentage of these databases are not properly secured, exposing sensitive customer and business data to attack.

In Securing SQL Server, Third Edition, you will learn about the potential attack vectors that can be used to break into SQL server databases as well as how to protect databases from these attacks. In this book, Denny Cherry - a Microsoft SQL MVP and one of the biggest names in SQL server - will teach you how to properly secure an SQL server database from internal and external threats using best practices as well as specific tricks that the author employs in his role as a consultant for some of the largest SQL server deployments in the world.

Fully updated to cover the latest technology in SQL Server 2014, this new edition walks you through how to secure new features of the 2014 release. New topics in the book include vLANs, setting up RRAS, anti-virus installs, key management, moving from plaintext to encrypted values in an existing application, securing Analysis Services Objects, Managed Service Accounts, OS rights needed by the DBA, SQL Agent Security, Table Permissions, Views, Stored Procedures, Functions, Service Broker Objects, and much more.



  • Presents hands-on techniques for protecting your SQL Server database from intrusion and attack
  • Provides the most in-depth coverage of all aspects of SQL Server database security, including a wealth of new material on Microsoft SQL Server 2014.
  • Explains how to set up your database securely, how to determine when someone tries to break in, what the intruder has accessed or damaged, and how to respond and mitigate damage if an intrusion occurs.

Table of Contents

  1. Cover
  2. Title page
  3. Table of Contents
  4. Copyright
  5. Dedication
  6. Author Biography
  7. Technical Editor Biography
  8. Acknowledgments
  9. Introduction
  10. Chapter 1: Identifying Security Requirements
    1. Abstract
    2. What are Security Objectives?
    3. When Should Security Objectives been Identified?
    4. How to Identify Security Objectives?
  11. Chapter 2: Securing the Network
    1. Abstract
    2. Securing the Network
    3. Public IP Addresses versus Private IP Addresses
    4. vLANs
    5. Accessing SQL Server from Home
    6. Physical Security
    7. Social Engineering
    8. Finding the Instances
    9. Testing the Network Security
    10. Antivirus Installation on SQL Servers
    11. Summary
  12. Chapter 3: Key Management
    1. Abstract
    2. Service Master Key
    3. Database Master Key
    4. Encryption Password Management
    5. Enterprise Key Management
    6. High Availability and Disaster Recovery for Key Management
    7. Conclusions
  13. Chapter 4: Database Encryption
    1. Abstract
    2. Database Encryption
    3. Encrypting Data within Tables
    4. Encrypting Data at Rest
    5. Encrypting Data on the Wire
    6. Encrypting Data with MPIO Drivers
    7. Encrypting Data via HBAs
    8. Summary
  14. Chapter 5: SQL Password Security
    1. Abstract
    2. Login Types
    3. SQL Server Password Security
    4. Strong Passwords
    5. Password Change Policies
    6. Renaming the SA Account
    7. Disabling the SA Account
    8. Users versus Logins
    9. Contained Database Users in SQL Server 2012 and Beyond
    10. Schemas
    11. Encrypting Client Connection Strings
    12. Application Roles
    13. Using Windows Domain Policies to Enforce Password Length
    14. Contained Users
    15. Summary
  15. Chapter 6: Securing the Instance
    1. Abstract
    2. What to Install, and When?
    3. SQL Authentication and Windows Authentication
    4. Password Change Policies
    5. Auditing Failed Logins
    6. Renaming the SA Account
    7. Disabling the SA Account
    8. Securing Endpoints
    9. Stored Procedures as a Security Measure
    10. Minimum Permissions Possible
    11. Instant File Initialization
    12. Linked Servers
    13. Using Policies to Secure Your Instance
    14. SQL Azure Specific Settings
    15. Instances that Leave the Office
    16. Securing AlwaysOn Availability Groups
    17. Securing Contained Databases
    18. SQL CLR
    19. Extended Stored Procedures
    20. Protecting Your Connection Strings
    21. Database Firewalls
    22. Clear Virtual Memory Pagefile
    23. User Access Control (UAC)
    24. Other Domain Policies to Adjust
    25. Summary
  16. Chapter 7: Analysis Services
    1. Abstract
    2. Logging into Analysis Services
    3. Securing Analysis Services Objects
    4. Summary
  17. Chapter 8: Reporting Services
    1. Abstract
    2. Setting up SSRS
    3. Security within Reporting Services
    4. Reporting Services Authentication Options
    5. Report Server Object Rights
    6. Summary
  18. Chapter 9: SQL Injection Attacks
    1. Abstract
    2. What is an SQL Injection Attack?
    3. Why are SQL Injection Attacks so Successful?
    4. How to Figure out you have been Attacked
    5. How to Protect Yourself from an SQL Injection Attack
    6. Cleaning up the Database after a SQL Injection Attack
    7. Other Front end Security Issues
    8. Using xEvents to Monitor for SQL Injection
    9. Summary
  19. Chapter 10: Database Backup Security
    1. Abstract
    2. Overwriting Backups
    3. Media set and Backup set Passwords
    4. Backup Encryption
    5. Transparent Data Encryption
    6. Compression and Encryption
    7. Offsite Backups
    8. Summary
  20. Chapter 11: Storage Area Network Security
    1. Abstract
    2. Securing the Array
    3. Securing the Storage Switches
    4. Summary
  21. Chapter 12: Auditing for Security
    1. Abstract
    2. Login Auditing
    3. Data Modification Auditing
    4. Data Querying Auditing
    5. Schema Change Auditing
    6. Using Policy-based Management to Ensure Policy Compliance
    7. C2 Auditing
    8. Common Criteria Compliance
    9. Summary
  22. Chapter 13: Server Rights
    1. Abstract
    2. SQL Server Service Account Configuration
    3. OS Rights Needed by the SQL Server Service
    4. OS Rights Needed by the DBA
    5. OS Rights Needed to Install Service Packs
    6. OS Rights Needed to Access SSIS Remotely
    7. Console Apps Must Die
    8. Fixed Server Roles
    9. User Defined Server Roles
    10. Fixed Database Roles
    11. User-defined Database Roles
    12. Default Sysadmin Rights
    13. Vendor’s and the Sysadmin Fixed Server Role
    14. Summary
  23. Chapter 14: SQL Server Agent Security
    1. Abstract
    2. Proxies
    3. SQL Agent Job Steps
    4. Granting Rights to Proxies
    5. Job Ownership
    6. Summary
  24. Chapter 15: Securing Data
    1. Abstract
    2. GRANTing Rights
    3. DENYing Rights
    4. REVOKEing Rights
    5. Table and view Permissions
    6. Stored Procedure Permissions
    7. Signing Stored Procedures, Functions and Triggers
    8. Function Permissions
    9. Service Broker Objects
    10. Separation of Duties
    11. Summary
  25. Appendix A: External Audit Checklists
  26. Subject Index