Securing SQL Server, 2nd Edition

Book Description

SQL Server is the most widely used database platform in the world, and a large percentage of these databases are not properly secured, exposing sensitive customer and business data to attack.

In Securing SQL Server, 2nd Edition, readers learn about the attack vectors that can be used to break into SQL Server databases, and how to protect databases from these attacks. In this book written by Denny Cherry, a Microsoft SQL Server MVP and one of the best-known names in SQL Server today, readers learn how to properly secure a SQL Server database from internal and external threats using best practices as well as specific techniques the author employs in his role as a database administrator for some of the largest SQL Server deployments in the world.

"Denny Cherry is what would happen if Bill Gates and AC/DC got together to create a sibling. He's a bare-knuckles, no holds-barred technologist, and you can bet that if he tells you that something does or doesn't work, he's speaking from experience. Active in the community, his passion is sharing. You'll enjoy this book."--Buck Woody, Senior Technology Specialist, Microsoft

      • Presents hands-on techniques for protecting your SQL Server database from intrusion and attack.
      • Provides the most in-depth coverage of all aspects of SQL Server database security, including a wealth of new material on Microsoft SQL Server 2012 (Denali).
      • Explains how to set up your database securely, how to determine when someone tries to break in, what the intruder has accessed or damaged, and how to respond and mitigate damage if an intrusion occurs.

    Table of Contents

    1. Cover image
    2. Title page
    3. Table of Contents
    4. Copyright
    5. Acknowledgements
    6. Dedication
    7. Author Biography
    8. About the Technical Editor
    9. Introduction
    10. Chapter 1. Securing the Network
      1. Securing the network
      2. Public IP Addresses versus private IP Addresses
      3. Accessing SQL Server from home
      4. Physical security
      5. Social engineering
      6. Finding the instances
      7. Testing the network security
      8. Summary
      9. References
    11. Chapter 2. Database Encryption
      1. Database encryption
      2. Encrypting data within tables
      3. Encrypting data at rest
      4. Encrypting data on the wire
      5. Encrypting data with MPIO drivers
      6. Encrypting data via HBAs
      7. Summary
    12. Chapter 3. SQL Password Security
      1. SQL Server Password Security
      2. Strong Passwords
      3. Contained Database Logins in SQL Server 2012
      4. Encrypting client connection strings
      5. Application Roles
      6. Using Windows domain policies to enforce password length
      7. Contained Databases
      8. Summary
      9. References
    13. Chapter 4. Securing the Instance
      1. What to Install, and When?
      2. SQL Authentication and Windows Authentication
      3. Password Change Policies
      4. Auditing Failed Logins
      5. Renaming the SA Account
      6. Disabling the SA Account
      7. Securing Endpoints
      8. Stored Procedures as a Security Measure
      9. Minimum Permissions Possible
      10. Instant File Initialization
      11. Linked Servers
      12. Using Policies to Secure Your Instance
      13. SQL Azure Specific Settings
      14. Instances That Leave the Office
      15. Securing “Always On”
      16. Securing Contained Databases
      17. Summary
    14. Chapter 5. Additional Security for an Internet Facing SQL Server and Application
      1. SQL CLR
      2. Extended stored procedures
      3. Protecting Your Connection Strings
      4. Database Firewalls
      5. Clear virtual memory pagefile
      6. User access control (UAC)
      7. Other domain policies to adjust
      8. Summary
    15. Chapter 6. Analysis Services
      1. Logging into Analysis Services
      2. Securing Analysis Services Objects
      3. Summary
    16. Chapter 7. Reporting Services
      1. Setting up SSRS
      2. Service Account
      3. Web Service URL
      4. Database
      5. Report Manager URL
      6. E-mail Settings
      7. Execution Account
      8. Encryption Keys
      9. Scale-Out Deployment
      10. Logging onto SQL Server Reporting Services for the first time
      11. Security within reporting services
      12. Reporting services authentication options
      13. Report server object rights
      14. Summary
    17. Chapter 8. SQL Injection Attacks
      1. What is an SQL Injection attack?
      2. Why are SQL Injection attacks so successful?
      3. How to protect yourself from an SQL Injection attack
      4. Cleaning up the database after an SQL Injection attack
      5. Other front-end security issues
      6. Using xEvents to monitor for SQL Injection
      7. Summary
      8. Reference
    18. Chapter 9. Database Backup Security
      1. Overwriting backups
      2. Media set and backup set passwords
      3. Backup encryption
      4. Transparent data encryption
      5. Compression and encryption
      6. Encryption and Data Deduplication
      7. Offsite backups
      8. Summary
      9. References
    19. Chapter 10. Storage Area Network Security
      1. Securing the array
      2. Securing the storage switches
      3. Summary
    20. Chapter 11. Auditing for Security
      1. Login auditing
      2. Data modification auditing
      3. Data querying auditing
      4. Schema change auditing
      5. Using policy-based management to ensure policy compliance
      6. C2 auditing
      7. Common Criteria compliance
      8. Summary
    21. Chapter 12. Server Rights
      1. SQL Server service account configuration
      2. OS rights needed by the SQL Server service
      3. OS rights needed by the DBA
      4. OS rights needed to install service packs
      5. OS rights needed to access SSIS remotely
      6. Console Apps must die
      7. Fixed-server roles
      8. User defined server roles
      9. Fixed database roles
      10. User defined database roles
      11. Default sysadmin rights
      12. Vendors and the sysadmin fixed-server role
      13. Summary
    22. Chapter 13. Securing Data
      1. Granting rights
      2. Denying rights
      3. Revoking rights
      4. Column level permissions
      5. Row level permissions
      6. Summary
    23. Appendix A. External Audit Checklists
    24. Index