Securing SQL Server

Author: Peter Carter
Publisher: Apress
Pages:366
ISBN: 978-1484241608
Print: 1484241606
Kindle: B07KLW99YM
Audience: DBAs
Rating: 5
Reviewer: Kay Ewbank

As a developer, you're probably well versed in how to write a secure app that won't be vulnerable to attack, but the database component is a whole different ballgame.

There have been enough high profile attacks using techniques such as SQL injection that show the importance of keeping your database server secure. This book aims to show how to keep SQL Server secure. The main audience for the text might be database administrators, but the advice on offer is useful for database developers too.

 

Banner

The book opens with a section on how to model threats so that risks can be identified and understood, with a section on compliance covering SOX (Sarbanne Oxley) and GDPR. The author then moves on to the SQL Server security model, looking at instance and database level security. This is followed by a chapter on SQL Server Audit, a tool that gives information about activity at both instance and database level. This can be used to implement passive security - logging user activity to avoid the threat of non-repudiation. In other words, if the attack comes from within the organization, you can show who did it and discipline them.

 

 

The next chapter covers data level security, looking at the use of schemas, ownership chaining, impersonation, row-level security and dynamic data masking. Encryption in SQL Server gets a chapter to itself, followed by a look at security metadata and how to view it using T-SQL.

There's a chapter on implementing service accounts for security. All SQL Server services need to be configured with a service account to run it, and this is one area where you want the minimum permissions granted so the service can still run but not open up too many options for attackers. Next comes a useful chapter on protecting credentials covering options such as auditing passwords to make sure they're not susceptible to attack, and protecting Windows accounts. This part of the book ends with another good chapter on reducing the attack surface, looking at ports and protocols, and what features should be disabled.

The third part of the book covers threats and countermeasures. Each chapter in this section looks at a specific type of attack and the ways you can guard against it. There are chapters on SQL injection, instance hijacking, database backup theft, code injection and whole value substitution attacks.

If you write programs that interact with SQL Server, this is a book you ought to read. It explains the subject well, and the chapters on the individual attack types make for useful (if worrying) reading. 

Highly recommended.

 

Reviews of other books by Peter Carter

SQL Server Advanced Data Types 

SQL Server AlwaysOn Revealed 

Pro SQL Server Administration - there is a new version of this book see Pro SQL Server 2019 Administration, 2nd Ed (Apress)  

 

To be informed about new articles on I Programmer, sign up for our weekly newsletter, subscribe to the RSS feed and follow us on Twitter, Facebook or Linkedin.

Banner


C# Programming, 3rd Ed (In Easy Steps)

Author: Mike McGrath
Publisher: Easy Steps
Date: April 2022
Pages: 192
ISBN: 978-1840789737
Print: 1840789735
Kindle: B09WPBZZCV
Audience: C# developers
Rating: 5
Reviewer: Mike James
An easy guide to C# - what could be better.



The C# Workshop (Packt)

Author: Jason Hales, Almantas Karpavicius and Mateus Viegas
Publisher: Packt
Date: September 2022
Pages: 780
ISBN: 978-1800566491
Print: 1800566492
Kindle: ‎ B0BGRBDJLS
Audience: C# developers
Rating:  4
Reviewer: Mike James
C# is not the language it once was - time for a revival?


More Reviews