SECURITY AND SQL SERVER

In today's climate of heightened security, you should be protecting your SQL Server from cyberattack. In a perfect world, users would have only the server access they need to perform their jobs. While you can't fully achieve this lofty goal, you can take steps to reduce risk. The following steps will help to secure your server and application.

1. Do not let security or access concerns be addressed in the waning days or last moments of an application development life cycle. Address these issues up front and continuously throughout the project. By doing so, you will have a good start going into step 2.

2. Establish well-documented access rights to your application. Be as detailed as possible. This will be most appreciated by the next person administering the SQL Server or the SQL application.

3. Make effective use of roles within SQL Server. By far, this is the most useful aid to managing permissions on SQL Server and its data.

4. Isolate the actual SQL Server machine from open areas and rooms. Locked server rooms are preferred.

5. Do not leave the console of the SQL Server logged in.

6. Beware of third-party and native Microsoft tools that allow remote control.

7. While the MSSQLServer and SQLServerAgent service accounts probably should have local administrator privileges on the local server, they should not have domain administrator privileges.

8. Consider some level of auditing.

9. Do not use generic accounts like administrator and give the password to 10 different people.

10. Use common sense. A security policy should be tight but flexible in order to accommodate changes in user and application requirements.

A good deal of security starts with your network/system administrator. While these responsibilities can sometimes overlap with DBA duties, try to form a good working relationship with all involved so that everyone will benefit from a tight security policy.
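As an added illustration of steps 3, 8 and 9 (this is example T-SQL written for this page, not code from the original article), the following creates a database role holding the minimum access an application's report users need, verifies the effective permissions by impersonation, and lists who holds sysadmin rights so that elevated access can be documented and reviewed. The database, schema, table, role and login names are hypothetical.

```sql
-- Added example: least-privilege access through a database role.
-- All names below (AppDb, reporting, SalaryDetail, app_reporting,
-- CORP\ReportUser) are hypothetical.
USE AppDb;
GO

-- 1. Put the permission set on a role, not on individual users.
CREATE ROLE app_reporting AUTHORIZATION dbo;
GO

-- 2. Grant the minimum: read access to the reporting schema only.
GRANT SELECT ON SCHEMA::reporting TO app_reporting;
-- An explicit DENY on a sensitive table cannot be overridden by a
-- broader GRANT added later.
DENY SELECT ON OBJECT::reporting.SalaryDetail TO app_reporting;
GO

-- 3. Map a login to the role instead of granting rights per user.
CREATE USER [CORP\ReportUser] FOR LOGIN [CORP\ReportUser];
ALTER ROLE app_reporting ADD MEMBER [CORP\ReportUser];
GO

-- 4. Verify effective permissions by impersonating the user, then revert.
EXECUTE AS USER = 'CORP\ReportUser';
SELECT permission_name, entity_name
FROM fn_my_permissions('reporting.SalaryDetail', 'OBJECT'); -- no SELECT row
SELECT permission_name, entity_name
FROM fn_my_permissions('reporting.Orders', 'OBJECT');       -- SELECT granted
REVERT;
GO

-- 5. Document who holds sysadmin so elevated access is known and reviewed.
SELECT r.name AS role_name, m.name AS member_name
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin';
```

Run the step 5 query periodically and compare it against the documented access rights from step 2; any member not on that list is a finding to investigate.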