Every week you hear a new story about some site that got hacked via SQL Injection or about backup tapes that were lost or misplaced. Data is the most important asset of an organization; without its data a company has nothing. Unfortunately that data is also highly prized by crooks, who want access to it so they can spam you with junk or open credit cards in your name after they have stolen your identity.

Securing SQL Server: Protecting Your Database from Attackers by Denny Cherry is a book that frankly anyone who manages SQL Server instances or develops against SQL Server should read.

The good thing is that at 238 pages (not counting the index) it won’t take you weeks to get through. You get all the information you need in a condensed form.

The book has 9 chapters and 1 appendix; here is the list of chapters:

Chapter 1: Securing the Network

Chapter 2: Database Encryption

Chapter 3: SQL Password Security

Chapter 4: Securing the Instance

Chapter 5: Additional Security for an Internet Facing SQL Server and Application

Chapter 6: SQL Injection Attacks

Chapter 7: Database Backup Security

Chapter 8: Auditing for Security

Chapter 9: Server Rights

Appendix A: External Audit Checklists

These chapters cover pretty much everything you need to know about securing SQL Server. I won’t go into detail about what each chapter covers; the chapter titles tell you that already. If you are still running everything as sa, or still have the BUILTIN\Administrators login enabled so that every local Windows administrator is automatically a sysadmin, the book explains why that is a bad idea. There are many best practices outlined in this book; take note of all of them and implement them in your organization.
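Checking your own instances for those two weak settings takes a minute. The T-SQL below is an added example, not code from the book or from Denny Cherry; the Windows group CORP\DBA_Admins and the replacement name for sa are assumed placeholders that you would swap for your own.

```sql
-- Added example (not from the book): find and fix the two weak settings
-- mentioned above. Run it as a sysadmin login that is neither sa nor a
-- member of BUILTIN\Administrators, or step 4 will lock you out.

-- 1. What login is this session using, and is it a sysadmin?
SELECT SUSER_SNAME()               AS current_login,
       IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;   -- 1 = yes, 0 = no

-- 2. Every member of the sysadmin fixed server role. Anything listed here
--    that does not need full control of the instance should be removed.
SELECT sp.name      AS member_name,
       sp.type_desc AS member_type,
       sp.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r  ON r.principal_id  = rm.role_principal_id
JOIN sys.server_principals   AS sp ON sp.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY sp.name;

-- 3. State of sa and of the BUILTIN\Administrators login. sa is looked up by
--    its fixed SID (0x01) rather than by name, so a previously renamed sa is
--    still found; BUILTIN\Administrators only exists if nobody dropped it.
SELECT name, type_desc, is_disabled
FROM sys.server_principals
WHERE sid = 0x01 OR name = N'BUILTIN\Administrators';

-- 4. Remediation. First make sure a replacement admin login exists so that
--    removing the two weak ones leaves someone able to administer the box.
--    CORP\DBA_Admins is an assumed group name for this example only.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'CORP\DBA_Admins')
    CREATE LOGIN [CORP\DBA_Admins] FROM WINDOWS;
EXEC sp_addsrvrolemember @loginame = N'CORP\DBA_Admins', @rolename = N'sysadmin';
-- On SQL Server 2012 and later the equivalent is:
--   ALTER SERVER ROLE sysadmin ADD MEMBER [CORP\DBA_Admins];

-- 4a. sa cannot be dropped, so disable it and give it a non-obvious name.
--     Disable before renaming, since the rename makes the name 'sa' invalid.
--     Applications with 'sa' hard-coded in their connection strings will
--     break here, which is exactly the point: find them and fix them.
ALTER LOGIN sa DISABLE;
ALTER LOGIN sa WITH NAME = [svc_retired_admin];   -- assumed replacement name

-- 4b. Drop the BUILTIN\Administrators login so local Windows administrators
--     no longer get sysadmin rights on the instance for free.
IF EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'BUILTIN\Administrators')
    DROP LOGIN [BUILTIN\Administrators];

-- 5. Re-run steps 2 and 3: sa should show is_disabled = 1 under its new
--    name, and BUILTIN\Administrators should no longer appear at all.
```

Run steps 1 through 3 on their own first; they only read the catalog views and are safe on any instance. Step 4 is the change, and the check in step 1 matters because if your own session turns out to be sa or a BUILTIN\Administrators member, you need to create and test the replacement login before disabling the one you are connected with.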

I also really like the real-world examples that Denny uses throughout the book to highlight that disasters do happen, and that companies go out of business because of them.

I highly recommend this book. If you happen to get crappy weather this Memorial Day weekend, why not pick it up and learn something? If you apply the material from the book to securing your servers you will be thankful later; nobody wants to get the call that the server got hacked or that the backups are missing.