Securing SQL Server

Author: Peter Carter
Publisher: Apress
Pages:366
ISBN: 978-1484241608
Print: 1484241606
Kindle: B07KLW99YM
Audience: DBAs
Rating: 5
Reviewer: Kay Ewbank

As a developer, you're probably well versed in how to write a secure app that won't be vulnerable to attack, but the database component is a whole different ballgame.

There have been enough high profile attacks using techniques such as SQL injection that show the importance of keeping your database server secure. This book aims to show how to keep SQL Server secure. The main audience for the text might be database administrators, but the advice on offer is useful for database developers too.

 

Banner

The book opens with a section on how to model threats so that risks can be identified and understood, with a section on compliance covering SOX (Sarbanne Oxley) and GDPR. The author then moves on to the SQL Server security model, looking at instance and database level security. This is followed by a chapter on SQL Server Audit, a tool that gives information about activity at both instance and database level. This can be used to implement passive security - logging user activity to avoid the threat of non-repudiation. In other words, if the attack comes from within the organization, you can show who did it and discipline them.

 

 

The next chapter covers data level security, looking at the use of schemas, ownership chaining, impersonation, row-level security and dynamic data masking. Encryption in SQL Server gets a chapter to itself, followed by a look at security metadata and how to view it using T-SQL.

There's a chapter on implementing service accounts for security. All SQL Server services need to be configured with a service account to run it, and this is one area where you want the minimum permissions granted so the service can still run but not open up too many options for attackers. Next comes a useful chapter on protecting credentials covering options such as auditing passwords to make sure they're not susceptible to attack, and protecting Windows accounts. This part of the book ends with another good chapter on reducing the attack surface, looking at ports and protocols, and what features should be disabled.

The third part of the book covers threats and countermeasures. Each chapter in this section looks at a specific type of attack and the ways you can guard against it. There are chapters on SQL injection, instance hijacking, database backup theft, code injection and whole value substitution attacks.

If you write programs that interact with SQL Server, this is a book you ought to read. It explains the subject well, and the chapters on the individual attack types make for useful (if worrying) reading. 

Highly recommended.

 

Reviews of other books by Peter Carter

SQL Server Advanced Data Types 

SQL Server AlwaysOn Revealed 

Pro SQL Server Administration - there is a new version of this book see Pro SQL Server 2019 Administration, 2nd Ed (Apress)  

 

To be informed about new articles on I Programmer, sign up for our weekly newsletter, subscribe to the RSS feed and follow us on Twitter, Facebook or Linkedin.

Banner


Classic Computer Science Problems in Python

Author: David Kopec
Publisher: Manning
Date: March 2019
Pages: 224
ISBN: 978-1617295980
Print: 1617295981
Kindle: ‎ ‎ B09782BT4Q
Level: Intermediate
Audience: Python developers
Category: Python
Rating: 4
Reviewer: Mike James
Classic algorithms in Python - the world's favourite language.



Reliable Source: Lessons from a Life in Software Engineering

Author: James Bonang
Date: January 2022
Pages: 608
Kindle: B09QCBVJ9V
Audience: General interest
Rating: 5
Reviewer: Kay Ewbank

This book combines a fun read with interesting insights into how to write reliable programs.


More Reviews