Securing SQL Server

Author: Peter Carter
Publisher: Apress
Pages:366
ISBN: 978-1484241608
Print: 1484241606
Kindle: B07KLW99YM
Audience: DBAs
Rating: 5
Reviewer: Kay Ewbank

As a developer, you're probably well versed in how to write a secure app that won't be vulnerable to attack, but the database component is a whole different ballgame.

There have been enough high profile attacks using techniques such as SQL injection that show the importance of keeping your database server secure. This book aims to show how to keep SQL Server secure. The main audience for the text might be database administrators, but the advice on offer is useful for database developers too.

 

Banner

The book opens with a section on how to model threats so that risks can be identified and understood, with a section on compliance covering SOX (Sarbanne Oxley) and GDPR. The author then moves on to the SQL Server security model, looking at instance and database level security. This is followed by a chapter on SQL Server Audit, a tool that gives information about activity at both instance and database level. This can be used to implement passive security - logging user activity to avoid the threat of non-repudiation. In other words, if the attack comes from within the organization, you can show who did it and discipline them.

 

 

The next chapter covers data level security, looking at the use of schemas, ownership chaining, impersonation, row-level security and dynamic data masking. Encryption in SQL Server gets a chapter to itself, followed by a look at security metadata and how to view it using T-SQL.

There's a chapter on implementing service accounts for security. All SQL Server services need to be configured with a service account to run it, and this is one area where you want the minimum permissions granted so the service can still run but not open up too many options for attackers. Next comes a useful chapter on protecting credentials covering options such as auditing passwords to make sure they're not susceptible to attack, and protecting Windows accounts. This part of the book ends with another good chapter on reducing the attack surface, looking at ports and protocols, and what features should be disabled.

The third part of the book covers threats and countermeasures. Each chapter in this section looks at a specific type of attack and the ways you can guard against it. There are chapters on SQL injection, instance hijacking, database backup theft, code injection and whole value substitution attacks.

If you write programs that interact with SQL Server, this is a book you ought to read. It explains the subject well, and the chapters on the individual attack types make for useful (if worrying) reading. 

Highly recommended.

 

Reviews of other books by Peter Carter

SQL Server Advanced Data Types 

SQL Server AlwaysOn Revealed 

Pro SQL Server Administration - there is a new version of this book see Pro SQL Server 2019 Administration, 2nd Ed (Apress)  

 

To be informed about new articles on I Programmer, sign up for our weekly newsletter, subscribe to the RSS feed and follow us on Twitter, Facebook or Linkedin.

Banner


Risk-First Software Development: The Menagerie

Author: Rob Moffat
Publisher: CreateSpace
Pages: 248
ISBN: 978-1717491855
Print: 1717491855
Kindle: B07MK9LTHN
Audience: Those working on software projects at intermediate level
Rating: 4
Reviewer: Nikos Vaggalis

This first volume of the Risk-First series, looks at managing software project [ ... ]



Cracking Codes with Python

Author: Al Sweigart
Publisher: No Starch Press
Date: Jan 2018
Pages: 416
ISBN: 978-1593278229
Print: 1593278225
Kindle: B0713P1Q8X
Audience: Would-be Python programmers
Rating: 4
Reviewer: Mike James
Cracking codes in Python - exciting!


More Reviews