SQL Server is known for its ease of use, and that characteristic is one reason why more and more businesses are choosing Microsoft's DBMS for large-scale implementations. But the default settings that make SQL Server so easy to set up can leave the doors open, making it an easy target. This learning guide can help you identify those problem areas and secure your SQL Server systems.
TABLE OF CONTENTS
- Learn from past mistakes
- SQL Server security best practices
- Keep current on updates and patches
- Learn from hackers
Learn from past mistakes
The Slammer worm of 2003 provided an apt demonstration of what happens when security vulnerabilities are left unattended. The attack also revealed weaknesses in networks, such as unprotected remote users connecting to company VPNs. But it doesn't take a major Internet worm to reveal weaknesses in your system. Some common configuration mistakes include leaving the default public permissions as they are, not changing the system administrator password to something difficult to guess, and allowing too many users too many privileges.
- Article: Manic Monday for SQL Server admins
- Article: Initial SQL worm cleanup simple, patching may not be so easy
- Expert response: Why SQL Server is hacked
- Article: Security issues delay Yukon
- Article: Slammer lessons remain valid a year later
- Tip: Top 10 SQL Server security blunders, part I
- Tip: Top 10 SQL Server security blunders, part II
SQL Server security best practices
In simple terms, securing SQL Server means controlling access to the database and keeping current on all updates and patches. The hard part is implementing the rules and processes to do so. These guidelines can help you formulate a plan.
- Webcast: SQL Server security best practices
- Best Web Link: Overview of SQL Server security model and security best practices
- Tip: The top four ways to secure SQL Server
- Tip: SQL Server user-security checklist
- White paper: Microsoft SQL Server 2000 SP3 security features and best practices
- White paper: Threat Profiling Microsoft SQL Server
- White paper: An enterprise-class plan for securing Microsoft SQL Server databases
- White paper: Securing SQL Server 2000
Some how-tos
Knowing what to do is different from knowing how to do it. Here are a few real-world examples of how to implement secure practices with everyday SQL Server use.
- Tip: Kill the SA password
- Expert response: Locking out accounts with unsuccessful login attempts
- Expert response: Replicating SQL Server over the Internet
- Expert response: Using Audit Trail
- Expert response: Encrypting password fields
- Expert response: Implementing row-level security
- Expert response: Windows versus SQL Server authentication for new data source
- Expert response: Best practices to encrypt passwords in SQL Server 2000
Keep current on updates and patches
Once you've secured your system, your job isn't done. New vulnerabilities will be discovered and will be exploited. Keep up to date on security bulletins and available patches. Microsoft offers these sites for learning about and reporting vulnerabilities, and for downloading the necessary patches.
- Microsoft security bulletin search
- Report a security vulnerability
- SQL Server 2000 security tools
- SQL Server security center on TechNet
- More security resources from Microsoft
Learn from hackers
Be proactive in your SQL Server security practices. Figure out how to hack your system before someone else does. Here are a few lessons on how hackers hack.
- Tip: How SQL Server is hacked
- Tip: SQL injection: When firewalls offer no protection
- White paper: Manipulating Microsoft SQL Server using SQL injection
- White paper: Introduction to database and application worms
- Webcast: Protecting your database from hack attacks