Securing SQL Server
Protecting Your Database from Attackers
Third Edition
Denny Cherry
Table of Contents
Copyright
Acquiring Editor: Chris Katsaropoulos
Editorial Project Manager: Benjamin Rearick
Project Manager: Surya Narayanan Jayachandran
Designer: Mark Rogers
Syngress is an imprint of Elsevier
225 Wyman Street, Waltham, MA 02451, USA
Copyright 2015, 2012, 2011 Elsevier Inc. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or any information storage and retrieval system, without permission in writing from the publisher. Details on how to seek permission, further information about the Publisher's permissions policies and our arrangements with organizations such as the Copyright Clearance Center and the Copyright Licensing Agency, can be found at our website: www.elsevier.com/permissions.
This book and the individual contributions contained in it are protected under copyright by the Publisher (other than as may be noted herein).
Notices
Knowledge and best practice in this field are constantly changing. As new research and experience broaden our understanding, changes in research methods, professional practices, or medical treatment may become necessary.
Practitioners and researchers must always rely on their own experience and knowledge in evaluating and using any information, methods, compounds, or experiments described herein. In using such information or methods they should be mindful of their own safety and the safety of others, including parties for whom they have a professional responsibility.
To the fullest extent of the law, neither the Publisher nor the authors, contributors, or editors, assume any liability for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions, or ideas contained in the material herein.
British Library Cataloging-in-Publication Data
A catalog record for this book is available from the British Library
Library of Congress Cataloging-in-Publication Data
A catalog record for this book is available from the Library of Congress
ISBN: 978-0-12-801275-8
For information on all Syngress publications visit our website at http://store.elsevier.com/
Dedication
This book is dedicated to my lovely wife Kris who is gracious enough to allow me to spend every waking moment working on this, and to spend countless nights, weekends, and entire weeks traveling in support of the SQL Server community.
Tim is short, really short. Like garden gnome short.
Author Biography
Denny Cherry is the owner and Principal Consultant for Denny Cherry & Associates Consulting. Denny has over 15 years of experience managing SQL Server, including some of the largest in the world. Denny's areas of technical expertise include: system architecture, performance tuning, replication, and troubleshooting. Denny currently holds several of the Microsoft Certifications related to SQL Server for versions 2000 through 2012, including being a Microsoft-Certified Master for SQL Server 2008. Denny also has been awarded the Microsoft MVP several times for his support of the SQL Server community. Denny has written numerous technical articles on SQL Server management and how SQL Server integrates with Enterprise Storage, in addition to working on several books.
Technical Editor Biography
As a Head Geek for SolarWinds, Thomas works with a variety of customers to help solve problems regarding database performance tuning and virtualization. He has over 15 years of IT experience, holding various roles such as programmer, developer, analyst, and database administrator. Thomas joined SolarWinds through the acquisition of Confio Software, where he was a technical evangelist. He also serves on the Board of Directors for the Professional Association for SQL Server. Thomas is an avid blogger and the author of DBA Survivor: Become a Rock Star DBA, a book designed to give a junior to mid-level DBA a better understanding of what skills are needed in order to survive (and thrive) in their career. He is a Microsoft Certified Master, SQL Server MVP, and holds an MS in Mathematics from Washington State University as well as a BA in Mathematics from Merrimack College.
Acknowledgments
I'd like to thank everyone who was involved in putting this book, my second solo project, together (if I forgot you on this list, sorry). This includes my editor Heather, and my friends/coworkers/peers/whatever Jessica, Thomas, Mark, Aaron, Rod, Diana, Sergey, and Patrick, who all helped me out greatly in putting this book together.
Introduction
As you move through this book you may notice that it doesn't gently flow from one topic to another like a lot of technical books. This is intentional, as many of the subjects covered in this book are related but separate fields of study. As you move through the various chapters in this book you'll be able to secure a portion of your infrastructure. If you think about each chapter of the book as an independent project that you can take to your management, the way that the book is structured may make a little more sense. My goal for this book is that after reading it you'll have the most secure database that you can have within your environment. If you purchased the first edition of this book you will see a lot of material that is the same. The reason for this is that it is all still relevant and didn't need to be rewritten. Every chapter in this book has been updated in some way with more information and new information for SQL Server 2014, so every chapter is worth the reread.
Our book starts with looking at how we gather our security requirements. What are the objectives that we need to worry about, and when should we be identifying them?
In we look outside of the database, because without good network security properly done, database security is next to impossible. This includes topics such as network design and firewalls. In larger shops this will be outside the realm of the database professional, but in smaller shops there may be a single person who is the developer, DBA, and systems administrator.
There are several encryption keys within the Microsoft SQL Server environment including the Service Master Key and the Database Master Key. We will look at these options as well as look at how to manage these keys using both native tools and third party key managers.
There are a lot of database encryption options available to the DBA, usually many, many more than most people realize. As we move through this chapter we'll start by looking at how to encrypt the data within the database itself, then move to having the SQL Server automatically encrypt all the data, having the MPIO driver encrypt all the data, and having the HBA encrypt all the data. Not only will we look at how to do each one, but also what the upsides and the downsides of each of these techniques are.