Basic SQL Server security resources


Serdar Yegulalp, Contributor
12.13.2005

Keeping SQL Server secure is not a simple matter of applying hotfixes. The self-education required to keep SQL Server safe is far-reaching and covers a number of different topics. This collection of quick resources will help you understand the scope and dimension of the SQL Server security problems that you must be ready for.

Microsoft security

Microsoft's own site gathers quite a bit of basic SQL Server security information in one place. Obviously this advice comes from an MS-centric perspective, which suggests that the way to get secure is to upgrade to SQL Server 2005, which ships by default in a heavily locked-down configuration. If this isn't practical, the site does provide advice on how to keep earlier versions secure.

SQL Security is a great third-party "one-stop-shop" for generic security advice as well, with details about best practices and auditing tools.

Malware applications

SQL-specific malware, like the Slammer worm, is crafted to exploit buffer overflows in SQL Server and allow someone else's code to run (with predictably bad consequences). Net-security.org maintains a list of all SQL worms currently in the wild, along with fixes and detailed briefings about how they work.

Passwords and user accounts

Passwords and accounts must be set up and handled with care to prevent outsiders from gaining access, even if only inadvertently. An article on the SQL Server security model at Developer.com has good advice about how to use SQL Server's native features to prevent user-account-based attacks.

SQL injection

This is one of the sneakiest methods to subvert SQL Server. SQL injection involves submitting malformed data to SQL Server, typically through a Web form, in such a way that the data is executed as a command. (For instance, SQL injection attacks have been used to subvert the popular phpBB bulletin-board forum software. Even though phpBB uses MySQL, the principles are the same.) The SQL Security site explains how SQL injections work and how to avoid them, including testing tips.

Data protection

Encrypting data and procedures to keep out prying eyes is a new but rapidly growing field for SQL Server. The full scope of in-database encryption and protection probably deserves its own piece, but SQL Server 2005 now includes data encryption as a standard feature, and third-party products like SQL Shield offer it for earlier versions of SQL Server.


More information from SearchSQLServer.com:

  • Tip: Top 10 security enhancements in SQL Server 2005
  • Tip: Not upgrading? Keep SQL Server 2000 secure
  • Topics: Research best practices for locking down SQL Server

