This book is for Danielle Carter–my favorite Disney villain
With repeated, high-profile data security breaches hitting the headlines, security is moving increasingly to the forefront of the minds of data professionals.
SQL Server provides a broad and deep set of security features that allow you to reduce the attack surface of your SQL Server instance, with defense-in-depth and principles of least privilege strategies.
The attack surface of SQL Server refers to the set of features and windows services, which attackers can (and will) attempt to exploit to either steal data or reduce the availability of data and services.
Defense-in-depth is a strategy used across the IT industry, where multiple layers of security are put in place. The idea is that if one layer of security is breached, then another layer will stop the attacker in their tracks.
To fully protect data against attack, SQL Server DBAs, developers, and architects alike must all understand how and when to implement each of the security features that SQL Server offers. This book attempts to address these topics.
The first section of this book begins by looking at how to holistically model threats before deep-diving into each of SQL Server’s main areas of security, providing examples of how to implement each technology.
The second section of this book demonstrates some of the common threats that DBAs may face and how to guard against them. There is always an ethical question around revealing how attackers may try to penetrate your systems, but without knowledge and understanding of vulnerabilities that may be exploited, all too many DBAs do not implement the security measures that could easily avoid attacks from being successful. Every attack type discussed in this book is followed by a demonstration of how to use out-of-the-box SQL Server technologies to proactively stop the attacks occurring.
Many of the code examples in this book use the WideWorldImporters database. This database can be downloaded from github.com/Microsoft/sql-server-samples/releases/download/wide-world-importers-v1.0/WideWorldImporters-Full.bak
Some chapters also refer to CarterSecureSafe. This is a fictional company and product, which is purely designed to illustrate points made within this book.
I would like to thank Mark Burnett (xato.net) for allowing me to use his weak password list in this book.
I would also like to thank Ian Stirk, for a really good technical review, which has had a positive impact on the quality of this book.
Table of Contents
About the Author and About the Technical Reviewer
About the Author
is an SQL Server expert with over 15 years’ experience in database development, administration, and platform engineering. He is currently a consultant based in London. Peter has written several books across a variety of SQL Server topics, including security, high availability, automation, administration, and working with complex data types.
About the Technical Reviewer
is a freelance SQL Server consultant based in London. In addition to his day job, he is an author, creator of software utilities, and technical reviewer who regularly writes book reviews for www.i-programmer.info .
He covers every aspect of SQL Server and has a specialist interest in performance and scalability. If you require help with your SQL Server systems, feel free to contact him at [email protected] or www.linkedin.com/in/ian-stirk-bb9a31 .
Ian would like to thank Peter Carter, Jonathan Gennick, and Jill Balzano for making this book experience easier for him.
None of us stands alone, and with this in mind, Ian would like to thank these special people: Kemi Amos, Malcolm Smith, John Lewis, Alan Crosby, Penny Newman, Tony Pugh, Stephen Cockburn, Jennifer Warner, John Woods, Tina Vick, Catherine Valentin, Stephen Johnson, Martin Fallon, Sizakele Phumzile Mtshali, Mark Hardman, Mark Northern, Ruhina Kabani, Peter Coombes, Lucy Mwangi, Silvia Alvarado, and Keila Fialho.
Ian’s fee for his work on this book has been donated to the GiveWell charities ( www.givewell.org/charities/top-charities/ ).