Securing SQL Server

Author: Peter Carter
Publisher: Apress
Pages:366
ISBN: 978-1484241608
Print: 1484241606
Kindle: B07KLW99YM
Audience: DBAs
Rating: 5
Reviewer: Kay Ewbank

As a developer, you're probably well versed in how to write a secure app that won't be vulnerable to attack, but the database component is a whole different ballgame.

There have been enough high profile attacks using techniques such as SQL injection that show the importance of keeping your database server secure. This book aims to show how to keep SQL Server secure. The main audience for the text might be database administrators, but the advice on offer is useful for database developers too.

 

Banner

The book opens with a section on how to model threats so that risks can be identified and understood, with a section on compliance covering SOX (Sarbanne Oxley) and GDPR. The author then moves on to the SQL Server security model, looking at instance and database level security. This is followed by a chapter on SQL Server Audit, a tool that gives information about activity at both instance and database level. This can be used to implement passive security - logging user activity to avoid the threat of non-repudiation. In other words, if the attack comes from within the organization, you can show who did it and discipline them.

 

 

The next chapter covers data level security, looking at the use of schemas, ownership chaining, impersonation, row-level security and dynamic data masking. Encryption in SQL Server gets a chapter to itself, followed by a look at security metadata and how to view it using T-SQL.

There's a chapter on implementing service accounts for security. All SQL Server services need to be configured with a service account to run it, and this is one area where you want the minimum permissions granted so the service can still run but not open up too many options for attackers. Next comes a useful chapter on protecting credentials covering options such as auditing passwords to make sure they're not susceptible to attack, and protecting Windows accounts. This part of the book ends with another good chapter on reducing the attack surface, looking at ports and protocols, and what features should be disabled.

The third part of the book covers threats and countermeasures. Each chapter in this section looks at a specific type of attack and the ways you can guard against it. There are chapters on SQL injection, instance hijacking, database backup theft, code injection and whole value substitution attacks.

If you write programs that interact with SQL Server, this is a book you ought to read. It explains the subject well, and the chapters on the individual attack types make for useful (if worrying) reading. 

Highly recommended.

 

Reviews of other books by Peter Carter

SQL Server Advanced Data Types 

SQL Server AlwaysOn Revealed 

Pro SQL Server Administration - there is a new version of this book see Pro SQL Server 2019 Administration, 2nd Ed (Apress)  

 

To be informed about new articles on I Programmer, sign up for our weekly newsletter, subscribe to the RSS feed and follow us on Twitter, Facebook or Linkedin.

Banner


Supercharged Python

Author: Brian Overland and John Bennett
Publisher: Addison-Wesley
Date: July 2019
Pages: 672
ISBN: 978-0135159941
Print: 0135159946
Kindle: B07T93J28B
Audience: Python developers
Rating: 3
Reviewer: Mike James
This book's challenge on its front cover is "Take Your Code to the Next Level". Is this the boo [ ... ]



Mission Python

Author: Sean McManus
Publisher: No Starch Press
Pages: 280
ISBN: 978-1593278571
Print: 1593278578
Kindle:  B072STNXT8
Audience: Young, next generation Pythonistas
Rating: 4
Reviewer:Mike James
Code an adventure game in Python  - a good way to learn?


More Reviews