Acknowledgments

Introduction

SQL Server Security: The Basics
    SQL Server History
    Editions of SQL Server
    General Database Security
    SQL Server Security Vulnerabilities

Under Siege: How SQL Server Is Hacked
    Picking the Right Tools for the Job
    Data or Host?
    Attacks that Do Not Require Authentication
    Attacks That Require Authentication
    Resources
    Code Listing 1
    Code Listing 2
    Code Listing 3

SQL Server Installation Tips
    Planning an Installation
    Operating System Considerations
    Running the Installer
    Locking Down the Server
    Checklist

The Network-Libraries and Secure Connectivity
    Client/Server Connectivity
    Secure Sockets Layer
    SQL Server Network-Libraries
    Configuring Connections
    Best Practices

Authentication and Authorization
    Authentication
    Authorization and Permissions
    Syslogins, Sysprotects, Syspermissions, and Other Mysteries
    Best Practices

SQL Server in the Enterprise
    SQL Server Replication
    Multiserver Administration
    Active Directory Integration

Auditing and Intrusion Detection
    Case Study
    SQL Server Auditing
    SQL Server Alerts

Data Encryption
    Encryption Explained
    Hashing Algorithms
    Salts
    Key Management
    Built-In Encryption Functions
    Encrypting Custom Stored Procedures
    Encrypting SQL Server Table Data
    Encrypting SQL Server Network Traffic
    Middle-Tier Encryption
    Third-Party COM Components
    CryptoAPI

SQL Injection: When Firewalls Offer No Protection
    SQL Injection Basics
    Case Study: Online Foreign Exchange System
    Advanced Topics
    SQL Injection Defense
    Best Practices

Secure Architectures
    Defense In Depth
    Security Requirements
    Planning
    Development
    Testing
    Deployment
    Maintenance

System and Extended Stored Procedure Reference
    Limiting the Risks of Stored Procedures
    Stored Procedure Attack Strategies
    High-Risk System and Extended Stored Procedures
    Defensive Strategies

Additional Technologies that Impact SQL Server Security
    Visual Studio, Microsoft Office, and COM Connectivity Tools
    SQL Server Mail Interfaces
    Internet Information Server Integration
    SQL Server Developer and Administrator Tools

Connection Strings
    Properties
    Sample Connection Strings
    Where to Place Connection Strings

Security Checklists
    SQL Server Version Checklist
    Post-Install Checklist
    Maintenance Checklist