Securing SQL Server

Just Because It Isn’t a Password Doesn’t Mean It Shouldn’t Be Encrypted

Target has done a number on us as customers by having not just customer information but Personally Identifiable Information specifically.

As part of Target's ongoing forensic investigation, it has been determined that certain guest information - separate from the payment card data previously disclosed - was taken from Target. This theft is not a new breach, but was uncovered as part of the ongoing investigation. At this time, the investigation has determined that the stolen information includes names, mailing addresses, phone numbers or email addresses for up to 70 million individuals.

If Target has encrypted all the PII which sat within their database then this data breach wouldn’t have that big a deal because the data which was stolen would have been encrypted and useless to the thieves.  However based on the fact that Target had to announce the breach we are left to assume that the data wasn’t encrypted.

Because someone (probably a developer or project manager) made the decision to store all this PII in plain text instead of taking the time and CPU power to encrypt this information we the customers of Target have to pay the price.  And there is nothing that we can do about this as customers other than not shop there any more, which in reality this isn’t always an option.

As IT workers we need to push our employers and clients to ensure that they are properly encrypting all PII data possible so that the customers and general public aren’t put through this sort of thing.  Pushing to make this happen won’t make us popular with managers, or co-workers as it does add more work to the workflows and more work in general, but this is something which we must start doing.  And I’m not talking about encrypting data when at rest, but actually encrypting the data in the tables so that when an attacker exports the data from the tables using a basic select statement they get useless information, otherwise the entire data encryption process was pointless.

Someone within organizations needs to step up and start bringing this up in meetings.  If you don’t do it, no one will and this sort of massive data theft will happen again.  Just because you don’t work in a large retailer doesn’t mean that you shouldn’t be bringing this up in your company.  EVERY company needs to be thinking about this because you never know how much information the systems will be holding or how these systems will be used in the future, so it’s best to plan for the best now.


Amazon, Microsoft, Securing SQL Server

Second Edition of Securing SQL Server now longer available for pre-order. It’s Shipping!

I’m afraid that I’ve got some bad news.  You can no longer pre-order Securing SQL Server 2nd Edition from Amazon.

Instead you have to settle for ordering the book outright and having it shipped to you.  That’s right, no more being a pre-order book, it’s published and available to be shipped directly to you.  Currently Amazon is selling the book at full price which is $49.95, but if you have Amazon Prime it is available for Amazon Prime shipping.  Because it is considered to be a text book you get a $5 Amazon MP3 Credit (what ever terms and conditions that Amazon chooses do apply).

This is a totally updated edition of the book including all sorts of new information about security within SQL Server 2012.  I of course cover things like how to secure AlwaysOn Availability Groups, how to use user defined server roles, contained users, etc. I also dive into how to properly secure SQL Server Reporting Services and SQL Server Analysis Services so they can’t be used to access data that people shouldn’t have access to.

All in all this book is much larger with Amazon showing it at 408 pages compared to just 272 pages for the 1st edition.  If you find someone cheaper to purchase it make sure that you are in fact ordering the second edition.  The ISBN number is 1597499471.

I hope that you pick up a copy of the book and that it is useful for you in securing your SQL Server environment.


Amazon, Securing SQL Server

Securing SQL Server 2nd Edition Coming Soon

I’m pleased to be able to announce that the 2nd edition of Securing SQL Server is going to be available soon.  It’s just been made available for pre-order on  The second edition comes in at about 350 pages (according to Amazon, I don’t actually have a copy of it yet) while the first edition came in at about 270 pages so there has been a LOT of material added to the book.

While a lot of the new information is focused on SQL Server 2012, there is also a lot of new material which relates to older version of SQL Server including chapters on SQL Server Analysis Services and SQL Server Reporting Services, information on Instant File Initialization, EXECUTE AS, Database Firewalls, SAN Security, Actual Data Security (no idea how this got missed the first time around, but that’s to Brent Ozar for pointing it out).

As far as the SQL Server 2012 information you’ll find updated information about the SHA2 hashing algorithms, Securing AlwaysOn Availability Groups, Security and SQL Server Clustering, Security and Contained Databases and a lot more.

If you already have a copy of the 1st edition I encourage you to take a look at the second edition as well.  I know that it’s really soon for a second edition of a book (the first edition just came out February 2011, but this new edition comes on the release of SQL Server 2012.

Hopefully you pre-order you copy today.


P.S. Yes this edition will be available for the Kindle as well, that takes a little time.  As soon as I know that it’s been posted for the Kindle (usually happens a little after Amazon gets the physical books) I’ll post another announcement here.

P.P.S. If you visit my site I’ve updated everything there for the new edition.  You can always find the old edition listed on the Other Books page on that site or on the Books page on