Basic SQL Server security resources

Serdar Yegulalp, Contributor

Keeping SQL Server secure is not a simple matter of applying hotfixes. The self-education required to keep SQL Server safe is far reaching, covering a number of different topics. This collection of quick resources will help you understand the scope and dimension of SQL Server security problems that you must be ready for.

Microsoft security

Microsoft's own site conglomerates quite a bit of basic SQL Server security information

    Requires Free Membership to View

    Login

in one place. Obviously this advice is coming from an MS-centric perspective, which suggests that to get secure is to upgrade to SQL Server 2005, which ships by default in a heavily locked-down configuration. If this isn't practical, it does provide advice for how to keep earlier versions secure.

SQL Security is a great third-party "one-stop-shop" for generic security advice as well, with details about best practices and auditing tools.

Malware applications

SQL-specific malware, like the Slammer worm, are crafted to exploit buffer overflows in SQL Server and allow someone else's code to run (with predictably bad consequences). Net-security.org maintains a list of all SQL worms currently in the wild, along with fixes and detailed briefings about how they work.

Passwords and user accounts

Passwords and accounts must be set up and handled with care to prevent outsiders from gaining access, even if only inadvertently. An article on the SQL Server security model at Developer.com has good advice about how to use SQL Server's native features to prevent user-account-based attacks.

SQL injection

This is one of the sneakiest methods to subvert SQL Server. SQL injection involves submitting malformed data to SQL Server, typically through a Web form, which can be executed as a command. (For instance, SQL injection attacks have been used to subvert the popular phpBB bulleting-board forum software. Even though phpBB uses MySQL, the principles are the same.) The SQL Security site explains how SQL injections work and how to avoid them, including testing tips.

Data protection

Encrypting data and procedures to keep out prying eyes is a new but rapidly-growing field for SQL Server. The full scope of in-database encryption and protection probably deserves its own piece, but SQL Server 2005 now has it as a standard feature to encrypt data and third-party products like SQL Shield offer it for earlier versions of SQL Server.

More information from SearchSQLServer.com:


 

This was first published in December 2005

Join the conversationComment

Share
Comments

    Results

    Contribute to the conversation

    All fields are required. Comments will appear at the bottom of the article.

    Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.

    Back to top