Security has always been an important aspect of database management. But according to James Hamilton, one of three architects on the Microsoft SQL Server development team, some of the ground rules for how a DBA needs to think about security have changed. I recently gleaned some interesting perspectives about security during a conversation with Hamilton, who has responsibility and vision for "thinking about security" as it relates to SQL Server.
Hamilton says that in the not-so-distant past, companies locked most databases behind closed doors and allowed little access from outside the corporate walls. Security practices addressed preventing internal threats from rogue users or accidental misuse. But most companies now have mission-critical databases that face customers and an interface exposed on the public Internet or partner intranet. This approach creates new sets of security vulnerabilities that DBAs need to consider. Hamilton tells me that Microsoft is taking steps to help customers plan for and protect against some of these new threats.
Regular SQL Server Magazine UPDATE readers know that I've often preach about information overload—the phenomenon of drowning in a sea of information. My thesis is that Microsoft does a great job of releasing information about its products. But weaving together a set of best practices is difficult because the information Microsoft provides can be disjointed and spread across narrowly focused white papers or Knowledge Base articles. Acquiring comprehensive security expertise is especially difficult because a strong security plan often requires skills and information from multiple product disciplines.
Hamilton says Microsoft recognizes this problem and is busy preparing a new and improved best-practices guide that specifically addresses managing security vulnerabilities in a SQL Server environment. This resource will be ready for public consumption this summer, but Microsoft plans to give SQL Server Magazine UPDATE readers a peek at some of the content before then. I'll share a few of the most interesting tips and tricks in an upcoming commentary. Until then, check out the following list of SQL Server security resources. (My thanks to the people at Microsoft who compiled the list!) Tell me about other resources that should be on the list. I'll add them and periodically publish an updated list.
SQL Server 2000 Security
http://www.microsoft.com/sql/techinfo/administration/2000/security.asp
SQL Server Security
http://www.microsoft.com/technet/prodtechnol/sql/maintain/security/default.asp
SQL Server 2000 Operations Guide, Chapter 3—Security Administration
http://www.microsoft.com/technet/prodtechnol/sql/maintain/operate/opsguide/sqlops3.asp
SQL Server 2000 C2 Administrator's and User's Security Guide
http://www.microsoft.com/technet/prodtechnol/sql/maintain/security/sqlc2.asp
SQL Server 2000 Security White Paper
http://www.microsoft.com/technet/prodtechnol/sql/maintain/security/sql2ksec.asp
SQL Server 2000 Resource Kit, Chapter 10—Implementing Security
http://www.microsoft.com/technet/prodtechnol/sql/reskit/sql2000/part3/c1061.asp
Microsoft SQL Server 2000 Security
http://www.microsoft.com/technet/prodtechnol/sql/deploy/confeat/05ppcsqa.asp
SQL Server 2000 Administrator's Pocket Consultant by William R. Stanek, Excerpt from Chapter 5
http://www1.fatbrain.com/asp/bookinfo/bookinfo.asp?theisbn=0735611297&p=technet&s=29736
SQL Server 7.0 Administrator's Companion, Chapter 7—Managing Security
http://www.microsoft.com/technet/prodtechnol/sql/proddocs/admincmp/75517c07.asp
SQL Server 7.0 Resource Guide, Chapter 16—Product Security
http://www.microsoft.com/technet/prodtechnol/sql/reskit/sql7res/part10/sqc15.asp
SQL Server 7.0 Security White Paper
http://www.microsoft.com/technet/prodtechnol/sql/maintain/security/secure.asp
INF: List of Bugs Fixed by SQL Server 7.0 Service Packs
http://support.microsoft.com/view/tn.asp?kb=313980
