Securing SQL Server

Author: Peter Carter
Publisher: Apress
Pages:366
ISBN: 978-1484241608
Print: 1484241606
Kindle: B07KLW99YM
Audience: DBAs
Rating: 5
Reviewer: Kay Ewbank

As a developer, you're probably well versed in how to write a secure app that won't be vulnerable to attack, but the database component is a whole different ballgame.

There have been enough high profile attacks using techniques such as SQL injection that show the importance of keeping your database server secure. This book aims to show how to keep SQL Server secure. The main audience for the text might be database administrators, but the advice on offer is useful for database developers too.

 

Banner

The book opens with a section on how to model threats so that risks can be identified and understood, with a section on compliance covering SOX (Sarbanne Oxley) and GDPR. The author then moves on to the SQL Server security model, looking at instance and database level security. This is followed by a chapter on SQL Server Audit, a tool that gives information about activity at both instance and database level. This can be used to implement passive security - logging user activity to avoid the threat of non-repudiation. In other words, if the attack comes from within the organization, you can show who did it and discipline them.

 

 

The next chapter covers data level security, looking at the use of schemas, ownership chaining, impersonation, row-level security and dynamic data masking. Encryption in SQL Server gets a chapter to itself, followed by a look at security metadata and how to view it using T-SQL.

There's a chapter on implementing service accounts for security. All SQL Server services need to be configured with a service account to run it, and this is one area where you want the minimum permissions granted so the service can still run but not open up too many options for attackers. Next comes a useful chapter on protecting credentials covering options such as auditing passwords to make sure they're not susceptible to attack, and protecting Windows accounts. This part of the book ends with another good chapter on reducing the attack surface, looking at ports and protocols, and what features should be disabled.

The third part of the book covers threats and countermeasures. Each chapter in this section looks at a specific type of attack and the ways you can guard against it. There are chapters on SQL injection, instance hijacking, database backup theft, code injection and whole value substitution attacks.

If you write programs that interact with SQL Server, this is a book you ought to read. It explains the subject well, and the chapters on the individual attack types make for useful (if worrying) reading. 

Highly recommended.

 

Reviews of other books by Peter Carter

SQL Server Advanced Data Types 

SQL Server AlwaysOn Revealed 

Pro SQL Server Administration - there is a new version of this book see Pro SQL Server 2019 Administration, 2nd Ed (Apress)  

 

To be informed about new articles on I Programmer, sign up for our weekly newsletter, subscribe to the RSS feed and follow us on Twitter, Facebook or Linkedin.

Banner


The AWK Programming Language, 2nd Ed

Author: Alfred V. Aho, Brian W. Kernighan and Peter J. Weinberger
Publisher: Addison-Wesley
Pages: 240
ISBN: 978-0138269722
Print: 0138269726
Kindle: B0CCJ1N4X3
Audience: Developers interested in Awk
Rating: 5
Reviewer: Kay Ewbank

The name Brian Kernighan among the authors of this updated classic raises  [ ... ]



Modern Software Engineering (Addison-Wesley)

Author: David Farley
Pages: 256
ISBN: 978-0137314911
Print:0137314914
Kindle: B09GG6XKS4
Audience: Software Engineers
Rating: 3.5
Reviewer: Kay Ewbank

This book is subtitled 'doing what works to build better software faster' - does it teach you how to achieve that?


More Reviews