Robert Hurlbut Blog

Thoughts on Software Security, Software Architecture, Software Development, and Agility

SQL Server Security book

Sunday, May 23, 2004

 .NET  Books  Database Development  Security 

This weekend, I was installing SQL Server 2000 on one of my client's servers (essentially upgrading from SQL Server 7.0).  I was looking for a good SQL Server resource on security in my library when I found this:  SQL Server Security by Chip Andrews, David Litchfield, and Bill Grindlay (published 2003).  I read a few chapters for a quick review, and so far this is an impressive book.  It is an easy read, but it is also full of very useful information.  The best part, and especially for me this weekend, was the extensive security checklist included at the end of the book.  This details how to lock down SQL Server (7.0 or 2000) after it has been installed.

Here is a summary of the chapters in the book:

  • Chapter 1- SQL Server Security: The Basics discusses SQL Server and database security issues
  • Chapter 2- Under Siege: How SQL Server is Hacked talks about types of attacks and provides code
  • Chapter 3- SQL Server Installation Tips covers some practices for installing SQL Server securely
  • Chapter 4- The Network Libraries and Secure Connectivity covers best practices for SSL and more
  • Chapter 5- Authentication and Authorization talks about various ways to restrict access
  • Chapter 6- SQL Server in the Enterprise discusses Active Directory and server replication
  • Chapter 7- Auditing and Intrusion Detection provides information on monitoring access
  • Chapter 8- Data Encryption covers methods for encrypting data transmissions in SQL Server
  • Chapter 9- SQL Injection: When Firewalls Offer No Protection covers this insidious method of attack
  • Chapter 10- Secure Architectures gives a comprehensive overview of planning, testing and deploying

Most of this was a review for me, but I found some fresh ideas about how to set up a more secure developer database environment.  Overall, it's a great book, and I highly recommend it to anyone developing applications using SQL Server.
