InfoSec Reviews – Securing SQL Server

Book Title: Securing SQL Server

Subtitle: Protecting Your Database from Attackers

Author: Denny Cherry

Publisher: Syngress

Date of Publishing: March 2011

ISBN(13): 9781597496254

Price (UK & US price, full price, not discounted price): £30.99, $49.95

URL of Amazon UK Web Site: Securing SQL Server: Protecting Your Database from Attackers

URL of Amazon US Web Site: Amazon.com

URL of Publisher Site: Syngress

One of my areas of expertise is hardening. I collect hardening guides, and I have quite a large collection. So when this book was made available I thought that I must review this! Whilst most vendors provide at least some guidance on the security configurations of their products, I also like to refer to independent reference material. This can take the form of publications from organizations such as NSA, NIST, DoD/STIGs, CIS or OWASP, or indeed a published book. From the point of view of decent information, however, SQL Server has proved to be a bit of a problem in recent years. Microsoft does publish some good material, but it is hardly independent. In recent times the only independent material I could find was published by the Center for Internet Security (CIS), but this referred only to SQL Server 2005 (Security Configuration Benchmark for Microsoft SQL Server 2005). Textbooks on SQL Server normally have a section on security, but frequently the subject is covered in 20, or if you are lucky, 30 pages. Therefore, I welcomed a book on the subject that covers SQL 2000 all the way through to SQL Server 2008 R2, as well as coverage of the latest SQL Azure product.

The book is 250 pages long and is divided into nine chapters. The first chapter focuses on securing the network and describes the placement of a database server in different types of network. Chapter two talks about how to use encryption to protect data. It provides a very short introduction to cryptography, and I would advise anyone wanting to become familiar with this topic to obtain more detailed information. It then goes on to describe some of the encryption facilities provided by SQL Server 2005 and later, also explaining how to encrypt data at the application tier using .NET functions. This chapter also introduces the Transparent Data Encryption feature introduced in SQL Server 2008. Finally, it examines different techniques to encrypt data on the wire, looking at SQL Server over SSL, IPsec and Fibre Channel/iSCSI (including the use of EMC's PowerPath). Although a lot of these mechanisms require the use of a PKI, very little information is given about how to use a PKI. Chapter three looks at password security, including how client-to-server authentication is performed using either Windows Kerberos tickets or server-side usernames and passwords. One surprising thing I found is that the book did not mention the term "mixed mode", although it does explain the difference between Windows authentication and SQL Server authentication. The chapter also explains Service Principal Names and connection strings. Chapter four goes on to explain how to secure the instance, the typical lockdown steps you would find in a hardening guide. These include selecting the authentication method (as described in chapter three), renaming or disabling the SA account, and minimizing permissions. Chapter five then follows on, describing additional security mechanisms you should consider when you have an Internet-facing SQL Server and associated applications, including database firewalls and User Access Control (UAC).

Chapter six then describes one of the nastiest attacks against database applications, the infamous SQL injection attack. It explains how they are launched and how to protect against them. Chapter seven looks at backup security, especially with regard to encrypted backups. Chapter eight then goes on to explain auditing, looking at some of the auditing facilities in SQL Server and the events that can be generated. The final chapter looks at the rights, permissions and privileges available to SQL Server administrators when setting up an instance. It should be noted, however, that this chapter is primarily focused on operating system rights. This book also contains an appendix with checklists for PCI, Sarbanes-Oxley and HIPAA (fairly high level).
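To make two of the chapter topics concrete, here is a short T-SQL illustration of the chapter-four lockdown steps (checking the authentication mode the review calls "mixed mode", disabling and renaming SA, listing who holds sysadmin) and of the chapter-six point about SQL injection (a procedure that concatenates input into dynamic SQL beside one that binds it with sp_executesql). This is an added example written for this review page; it is not code from the book or from its author. The login name [RenamedAdminLogin], the dbo.Customers table and the two procedure names are placeholders constructed for the example, and the syntax assumes SQL Server 2008 or later.

```sql
-- Added example, not from the book under review. Placeholders:
-- [RenamedAdminLogin], dbo.Customers, dbo.FindCustomer_Unsafe, dbo.FindCustomer_Safe.

-- Part 1: chapter-four style instance lockdown.

-- 1 = Windows authentication only; 0 = mixed mode (Windows + SQL Server logins).
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS WindowsAuthOnly;

-- Disable the built-in SA login and then rename it so its well-known name
-- is not usable. Replace the placeholder with a name of your own.
ALTER LOGIN sa DISABLE;
ALTER LOGIN sa WITH NAME = [RenamedAdminLogin];

-- Minimizing permissions starts with knowing who is sysadmin: every row
-- returned here is a login to justify or remove from the role.
SELECT sp.name, sp.type_desc, sp.is_disabled
FROM sys.server_principals AS sp
JOIN sys.server_role_members AS rm ON rm.member_principal_id = sp.principal_id
JOIN sys.server_principals AS r    ON r.principal_id = rm.role_principal_id
WHERE r.name = N'sysadmin';
GO

-- Part 2: chapter-six SQL injection, vulnerable form beside the fixed form.
-- Sample table and rows constructed for this example.
CREATE TABLE dbo.Customers (CustomerId int PRIMARY KEY, LastName nvarchar(100));
INSERT INTO dbo.Customers VALUES (1, N'Smith'), (2, N'O''Brien');
GO

-- Vulnerable: the caller's string is spliced into the statement text, so
-- whatever it contains is parsed as SQL rather than treated as data.
CREATE PROCEDURE dbo.FindCustomer_Unsafe @LastName nvarchar(100)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerId, LastName FROM dbo.Customers WHERE LastName = '''
        + @LastName + N'''';
    EXEC (@sql);
END;
GO

-- Fixed: the value travels as a typed parameter of sp_executesql and can
-- never change the shape of the statement.
CREATE PROCEDURE dbo.FindCustomer_Safe @LastName nvarchar(100)
AS
BEGIN
    EXEC sp_executesql
        N'SELECT CustomerId, LastName FROM dbo.Customers WHERE LastName = @p',
        N'@p nvarchar(100)',
        @p = @LastName;
END;
GO

-- A perfectly legitimate name with an apostrophe shows the difference:
-- the unsafe procedure fails with a syntax error because the quote ends
-- the literal early, while the safe one returns the O'Brien row.
EXEC dbo.FindCustomer_Safe   @LastName = N'O''Brien';
EXEC dbo.FindCustomer_Unsafe @LastName = N'O''Brien';
```

The apostrophe case is deliberately benign: it is enough to show why concatenated input is unreliable as well as unsafe, and the parameterized procedure is the fix the book's advice amounts to. The sysadmin query is also a useful thing to run periodically as an audit check, which ties in with the chapter on auditing.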

Securing SQL Server is a must-read for any architect or database administrator wanting to secure their SQL Servers. Given the sensitive data that SQL Servers could hold, it is vital that one understands the potential attacks and how to protect yourself from them, and this is the book to help you understand.

Marks: 4 out of 5

****