Basic SQL Server security resources

From Microsoft security recommendations to SQL injection prevention, contributor Serdar Yegulalp offers basic resources to support your SQL Server lock down efforts.

Keeping SQL Server secure is not a simple matter of applying hotfixes. The self-education required to keep SQL Server safe is far-reaching, covering a number of different topics. This collection of quick resources will help you understand the scope and dimension of the SQL Server security problems you must be ready for.

Microsoft security

Microsoft's own site gathers quite a bit of basic SQL Server security information in one place. Obviously this advice comes from an MS-centric perspective: its main suggestion for getting secure is to upgrade to SQL Server 2005, which ships by default in a heavily locked-down configuration. If that isn't practical, it also provides advice on keeping earlier versions secure.

SQL Security is a great third-party "one-stop-shop" for generic security advice as well, with details about best practices and auditing tools.

Malware applications

SQL-specific malware, like the Slammer worm, is crafted to exploit buffer overflows in SQL Server and allow someone else's code to run (with predictably bad consequences). Net-security.org maintains a list of all SQL worms currently in the wild, along with fixes and detailed briefings about how they work.

Passwords and user accounts

Passwords and accounts must be set up and handled with care to prevent outsiders from gaining access, even if only inadvertently. An article on the SQL Server security model at Developer.com has good advice about how to use SQL Server's native features to prevent user-account-based attacks.
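The following script is an added example and is not taken from the article or from the Developer.com piece it points to. It shows three of SQL Server 2005's native account features in use: creating a SQL login that inherits the Windows password policy, mapping that login to a database with only the rights it needs, and auditing the instance for logins with blank passwords or with policy checks turned off. The login name, database name and password are placeholders.

```sql
-- Added example, not from the original article. Assumes SQL Server 2005 syntax;
-- the login name, database name and password below are placeholders.

-- Create a SQL login that enforces the Windows password policy (complexity,
-- lockout) and password expiration, instead of accepting any password.
CREATE LOGIN app_reader
    WITH PASSWORD = 'ReplaceWithAStrongPassword!1',
         CHECK_POLICY = ON,
         CHECK_EXPIRATION = ON;
GO

-- Give the login only what it needs: a user in one database and SELECT on one
-- schema, rather than membership in db_owner or the sysadmin server role.
USE SalesDb;   -- placeholder database name
CREATE USER app_reader FOR LOGIN app_reader;
GRANT SELECT ON SCHEMA::dbo TO app_reader;
GO

-- Audit the instance for two classic weaknesses: enabled SQL logins whose
-- password is blank (PWDCOMPARE returns 1 on a match) and logins created with
-- the policy check switched off.
SELECT name,
       is_policy_checked,
       is_expiration_checked,
       PWDCOMPARE('', password_hash) AS has_blank_password
FROM sys.sql_logins
WHERE is_disabled = 0
  AND (is_policy_checked = 0
       OR PWDCOMPARE('', password_hash) = 1);
```

Reading the password_hash column of sys.sql_logins requires CONTROL SERVER permission, so run the audit query as an administrator; any row it returns is a login that should be fixed with ALTER LOGIN or disabled.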

SQL injection

This is one of the sneakiest methods of subverting SQL Server. SQL injection involves submitting malformed data to SQL Server, typically through a Web form, so that the data is executed as a command. (For instance, SQL injection attacks have been used to subvert the popular phpBB bulletin-board forum software. Even though phpBB uses MySQL, the principles are the same.) The SQL Security site explains how SQL injections work and how to avoid them, including testing tips.
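As an added example (not code from the article or from the SQL Security site), the script below shows the same user lookup written two ways in T-SQL. The first splices a form value into the statement text, so quote and comment characters in the input rewrite the query and every row comes back; the second passes the value to sp_executesql as a typed parameter, so it is compared as data and the same input matches nothing. The table, rows and the @input value are constructed for the demonstration.

```sql
-- Added example, not from the original article. A constructed table so the
-- script runs on its own in a scratch database.
CREATE TABLE dbo.AppUser (UserName nvarchar(50) NOT NULL, DisplayName nvarchar(100) NOT NULL);
INSERT INTO dbo.AppUser VALUES (N'alice', N'Alice Example');
INSERT INTO dbo.AppUser VALUES (N'bob',   N'Bob Example');
GO

-- @input stands for the raw value received from a Web form.
DECLARE @input nvarchar(50);
SET @input = N'nobody'' OR 1=1 --';

-- VULNERABLE: the form value becomes part of the SQL text. The embedded quote
-- closes the literal, OR 1=1 makes the WHERE clause true for every row, and
-- the comment marker discards the rest, so both users are returned.
DECLARE @sql nvarchar(500);
SET @sql = N'SELECT DisplayName FROM dbo.AppUser WHERE UserName = N''' + @input + N'''';
EXEC (@sql);

-- FIXED: the statement text is constant and the value travels as a parameter.
-- The parser never sees the input as SQL, so this returns no rows.
EXEC sp_executesql
    N'SELECT DisplayName FROM dbo.AppUser WHERE UserName = @name',
    N'@name nvarchar(50)',
    @name = @input;

DROP TABLE dbo.AppUser;
```

The same rule applies on the application side: use parameterized commands (SqlParameter in ADO.NET, bound variables elsewhere) rather than building statements by string concatenation, and grant the application login only the permissions the query needs so that an injected statement that does get through has little to work with.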

Data protection

Encrypting data and procedures to keep out prying eyes is a new but rapidly growing field for SQL Server. The full scope of in-database encryption and protection probably deserves its own piece, but SQL Server 2005 now offers data encryption as a standard feature, and third-party products such as SQL Shield offer it for earlier versions of SQL Server.
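As an added illustration of the SQL Server 2005 feature mentioned above (this is not code from the article, from Microsoft's documentation or from SQL Shield), the script below protects one column with the built-in key hierarchy: a database master key protects a certificate, the certificate protects a symmetric key, and the symmetric key encrypts the column with EncryptByKey. The table, certificate and key names and the master-key password are placeholders.

```sql
-- Added example, not from the original article. Assumes SQL Server 2005's
-- built-in encryption functions; all names and the password are placeholders.

-- One-time setup: master key -> certificate -> symmetric key.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'ReplaceWithAStrongPassword!1';
CREATE CERTIFICATE CardCert WITH SUBJECT = 'Protects the card number column';
CREATE SYMMETRIC KEY CardKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE CardCert;
GO

-- The sensitive column is stored only as ciphertext (varbinary), never as text.
CREATE TABLE dbo.Payment (
    PaymentId     int IDENTITY(1,1) PRIMARY KEY,
    CardNumberEnc varbinary(256) NOT NULL
);
GO

-- Writing: open the key for this session, encrypt, then close it again so the
-- key is not left available to anything else running on the connection.
OPEN SYMMETRIC KEY CardKey DECRYPTION BY CERTIFICATE CardCert;
INSERT INTO dbo.Payment (CardNumberEnc)
    VALUES (EncryptByKey(Key_GUID('CardKey'), N'4111111111111111')); -- constructed test value
CLOSE SYMMETRIC KEY CardKey;
GO

-- Reading: only a session that can open the key gets plaintext back;
-- DecryptByKey returns varbinary, so convert it back to the original type.
OPEN SYMMETRIC KEY CardKey DECRYPTION BY CERTIFICATE CardCert;
SELECT PaymentId,
       CONVERT(nvarchar(20), DecryptByKey(CardNumberEnc)) AS CardNumber
FROM dbo.Payment;
CLOSE SYMMETRIC KEY CardKey;
GO
```

Two points worth keeping in mind with this design: a login that cannot open the certificate sees only varbinary, so permissions on the certificate and key become the real access control for the column, and the master-key password must be backed up and stored apart from the database, since a restored copy of the database is useless without it.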



This was first published in December 2005
