A growing consciousness of security has brought Microsoft SQL Server database security into focus as never before. Planning for database security should begin early in the development process, and there are important vulnerabilities that you need to prevent in your application's SQL Server.
by Ron Talmage
Dec 13, 2002
Page 4 of 4
SQL Server Security Best Practices
What should you do to make your SQL Server as secure as possible? Here's a strategy that can help.
Do the Basics First
These basic steps are recommended so often now that they approach common sense:
- Use Windows authentication whenever possible for users and applications
- If you are using SQL Server authentication, secure your SA account with a strong password and only let a select few know it
- Assign users minimal permissions
- Deny access to tables and views in the database; have your application execute stored procedures to get data
- Don't expose your SQL Server to the Internet; if you must, change it from port 1433 to some other port number and filter that port
- Give SQL Server and SQL Agent domain logins that do not require administrative access to the server
- Apply the latest SQL Server service pack and security patches
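The "minimal permissions" and "deny tables, expose stored procedures" points above, as an added T-SQL example that is not part of the original article. It assumes SQL Server 2005 or later syntax (ALTER ROLE ... ADD MEMBER needs 2012 or later); the domain account CONTOSO\OrderApp, the database OrdersDb, and the table and procedure names are placeholders.

```sql
-- Added example (not from the original article): least-privilege data access
-- for an application account. The app gets a Windows login, no SQL password,
-- no rights on the table, and EXECUTE on one procedure owned by dbo.
-- CONTOSO\OrderApp, OrdersDb, dbo.Orders and the procedure name are constructed.
USE master;
GO
CREATE LOGIN [CONTOSO\OrderApp] FROM WINDOWS;      -- Windows authentication
GO
USE OrdersDb;                                      -- constructed database name
GO
CREATE TABLE dbo.Orders (
    OrderId    int   PRIMARY KEY,
    CustomerId int   NOT NULL,
    Total      money NOT NULL
);
GO
-- Owned by dbo, like the table: ownership chaining means SQL Server does not
-- check the caller's table permissions when the procedure reads dbo.Orders.
CREATE PROCEDURE dbo.usp_GetOrdersForCustomer @CustomerId int
AS
BEGIN
    SET NOCOUNT ON;
    SELECT OrderId, Total FROM dbo.Orders WHERE CustomerId = @CustomerId;
END
GO
CREATE USER [CONTOSO\OrderApp] FOR LOGIN [CONTOSO\OrderApp];
CREATE ROLE OrderAppRole;
ALTER ROLE OrderAppRole ADD MEMBER [CONTOSO\OrderApp];
GO
-- Explicit DENY on the table wins over any GRANT the account might later
-- pick up through another role; EXECUTE is the only right the app needs.
DENY SELECT, INSERT, UPDATE, DELETE ON dbo.Orders TO OrderAppRole;
GRANT EXECUTE ON dbo.usp_GetOrdersForCustomer TO OrderAppRole;
GO
-- Check the result from the application's point of view (needs IMPERSONATE,
-- which a sysadmin running this script already has).
EXECUTE AS USER = 'CONTOSO\OrderApp';
SELECT HAS_PERMS_BY_NAME('dbo.Orders', 'OBJECT', 'SELECT')                AS CanSelectTable; -- 0
SELECT HAS_PERMS_BY_NAME('dbo.usp_GetOrdersForCustomer', 'OBJECT', 'EXECUTE') AS CanExecProc; -- 1
EXEC dbo.usp_GetOrdersForCustomer @CustomerId = 42;   -- succeeds via the ownership chain
REVERT;
GO
```

Ownership chaining only applies while the procedure and table share an owner; if a table is moved to another schema owner, the DENY is enforced again and the procedure call fails, so re-run the HAS_PERMS_BY_NAME checks after any schema change.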
Test Using the Microsoft Baseline Security Analyzer
You can use a number of utilities to test your SQL Server. You can go to Microsoft's site and download the Microsoft Baseline Security Analyzer, for example. This utility will scan your system for Windows, IIS, and SQL Server vulnerabilities and will present you with a number of recommendations. You can see some sample output from the MBSA in Figure 1.
Ron Talmage heads Prospice, LLC, a database consulting firm based in Seattle. He is a SQL Server MVP, PASS newsletter co-editor, current president of the Pacific Northwest SQL Server Users Group, and also writes for SQL Server Professional and SQL Server Magazine.