Amazon, Microsoft, Securing SQL Server

Second Edition of Securing SQL Server now longer available for pre-order. It’s Shipping!

I’m afraid that I’ve got some bad news.  You can no longer pre-order Securing SQL Server 2nd Edition from Amazon.

Instead you have to settle for ordering the book outright and having it shipped to you.  That’s right, no more being a pre-order book, it’s published and available to be shipped directly to you.  Currently Amazon is selling the book at full price which is $49.95, but if you have Amazon Prime it is available for Amazon Prime shipping.  Because it is considered to be a text book you get a $5 Amazon MP3 Credit (what ever terms and conditions that Amazon chooses do apply).

This is a totally updated edition of the book including all sorts of new information about security within SQL Server 2012.  I of course cover things like how to secure AlwaysOn Availability Groups, how to use user defined server roles, contained users, etc. I also dive into how to properly secure SQL Server Reporting Services and SQL Server Analysis Services so they can’t be used to access data that people shouldn’t have access to.

All in all this book is much larger with Amazon showing it at 408 pages compared to just 272 pages for the 1st edition.  If you find someone cheaper to purchase it make sure that you are in fact ordering the second edition.  The ISBN number is 1597499471.

I hope that you pick up a copy of the book and that it is useful for you in securing your SQL Server environment.


Amazon, Securing SQL Server

Securing SQL Server 2nd Edition Coming Soon

I’m pleased to be able to announce that the 2nd edition of Securing SQL Server is going to be available soon.  It’s just been made available for pre-order on  The second edition comes in at about 350 pages (according to Amazon, I don’t actually have a copy of it yet) while the first edition came in at about 270 pages so there has been a LOT of material added to the book.

While a lot of the new information is focused on SQL Server 2012, there is also a lot of new material which relates to older version of SQL Server including chapters on SQL Server Analysis Services and SQL Server Reporting Services, information on Instant File Initialization, EXECUTE AS, Database Firewalls, SAN Security, Actual Data Security (no idea how this got missed the first time around, but that’s to Brent Ozar for pointing it out).

As far as the SQL Server 2012 information you’ll find updated information about the SHA2 hashing algorithms, Securing AlwaysOn Availability Groups, Security and SQL Server Clustering, Security and Contained Databases and a lot more.

If you already have a copy of the 1st edition I encourage you to take a look at the second edition as well.  I know that it’s really soon for a second edition of a book (the first edition just came out February 2011, but this new edition comes on the release of SQL Server 2012.

Hopefully you pre-order you copy today.


P.S. Yes this edition will be available for the Kindle as well, that takes a little time.  As soon as I know that it’s been posted for the Kindle (usually happens a little after Amazon gets the physical books) I’ll post another announcement here.

P.P.S. If you visit my site I’ve updated everything there for the new edition.  You can always find the old edition listed on the Other Books page on that site or on the Books page on

Securing SQL Server

180k+ websites attacked because of bad dev code

There is another massive SQL Injection attack going around. This time hitting 180k ASP.NET websites.  The article which I referenced has a decent write up on the actual attack and it links to a post which has detailed information about the attack.  However the article on IT World gives some really poor advice on how to protect yourself from a SQL Injection attack.

There’s no easy way to fix the vulnerability of the database to this attack except to “harden” the database by applying all the patches and making all the security requirements consistent. Monitoring the database for unusual activity is important, too.

Patching SQL Server will NOT prevent SQL Injection attack, at all.  The SQL Server isn’t the attack vector for a SQL Injection attack, the web application is the attack vector.  By the time the SQL Injection attack gets to the SQL Server database (or any database) it’s too late.

SQL Injection is actually really easy to protect yourself from.  Simply stop using dynamically generated SQL  and instead start using parametrized queries (also called bound queries).  That’s it, that’s the big secret.  Yes I understand that writing your .NET code as parametrized queries is harder to write than just doing string concatenation and running the query, but getting your site attacked and putting malware on your customers computers because you didn’t want to do a little typing is just no excuse.

As this is a blog about my book “Securing SQL Server” here’s the sales pitch.  In the book I talk all about how to use parametrized queries.  It really isn’t that hard there is lots of sample code on how to do it.  You don’t need to use stored procedures to use parametrized queries.  You can do it with normal dynamic SQL as well, it works basically the same.

In case you didn’t get my point yet, parametrized queries are the ONLY WAY that you can 100% be sure that you are protecting yourself from SQL Injection attacks.  If you can’t find some links on how to use parametrized queries here are a few links for you PHP, .NET, and more .NET.


Securing SQL Server

Meet the author, get your copy signed

There are several chances to meet the author of Securing SQL Server, ask questions, and get your copy of the book signed.  These include (and are subject to change):

Dallas Tech Fest – August 13th, 2011

SQL PASS – October 11-14, 2011

SQL Saturday 95 – September 17th, 2011

SQL Excursions – May 17-19, 2012

I hope to see you at one (or all) of these great events.  Feel free to bring your copy and get it signed making it a priceless collectable (OK, probably not but I do love signing copies).


Amazon, Kindle

Want to take a look at Securing SQL Server for 30 days?

Thanks to Amazon, now you can rent Securing SQL Server for 30 days, and if you like it you can buy it with the cost of the rental being applied to the cost to buy the digital copy of the book.  This is all done through Amazon’s new ebook rental program for text books (which they have marked my book as being).  So now you can rent the book starting at a little over 1/2 the current price of the book which gives you access to the entire book for 30 days.  After the 30 days is up you can extend your rental or purchase with the initial rental price counting towards your new price (you pay the difference).

As an author I’m not sure how I feel about this, good I guess because it gives people a chance to give the book a try.  As a reader I like this because I can try the book for less, and if I like it keep it.  If it doesn’t serve me any purpose I don’t need to keep it, and it only cost be 1/2 the cash to find out.

You don’t need to have a Kindle to make use of this, just the Kindle app installed on your PC, phone, iPad, etc.


Microsoft, Securing SQL Server

Securing SQL Server will be available at the Tech Ed bookstore

If you are going to Tech Ed 2011, and you were thinking about purchasing a copy of “Securing SQL Server” but you wanted to thumb through it before purchasing, now is your chance.  I’ve just be told that the Tech Ed book store will be stocking “Securing SQL Server”.  If you pick up a copy at Tech Ed and you want it signed I’ll be working at the SQL Server booth most afternoons.  Bring it on by, and I’ll be happy to sign it for you or at least draw funny faces in it.


Securing SQL Server compromised via SQL Injection attack. Someone should have read Chapter 6.

For those of you that were wondering, SQL Server isn’t the only platform which can be attacked via a SQL Injection attack.  Apparently the website which hosts the official distribution channel for the MySQL database platform was attacked using good old SQL Injection earlier today (notice sent out via including their schema).

Often I hear from MySQL professionals that MySQL isn’t susceptible to SQL Injection attacks.  Apparently not only is it susceptible to SQL Injection attacks, but the company that writes the MySQL engine can’t correctly secure their website from being attacked.  According to the “customer view application was used as the entry point, where the attackers were able to list the internal databases, tables and password dump…”.  Not only was the password dump captured and posted only, but people have begun cracking the passwords, and some of these passwords are stupidly simple.  The account sysadm (which I assume is pretty important) has a password of “qa”.

Apparently the Director or Product Management (who has 20+ years experience with most database platforms) used a 4 digit numeric password (probably his ATM pin code) as his password.

Needless to say, if you have an account on and you use that password anywhere, you should probably change that password anywhere else that you use it.

If you think that your application is susceptible to SQL Injection attack, I recommend chapter 6 (SQL Injection Attacks) of “Securing SQL Server” which talks about how to prevent SQL Injection attacks.  The examples which I provide are not SQL Server specific and the techniques shown to prevent SQL Injection attacks can be used against pretty much any relational database platform.


UPDATE (1pm PST 2011/03/27): Apparently the SSL certificate for logging into the website expired a month ago.  The reason that I found this was that I was going to try and log in with my normal passwords (I’m pretty sure I have a account) but with this error message, I’m not so sure about that.  It’s probably OK, but still…

Review Link, Securing SQL Server

Sean and Jen McCown talk about “Securing SQL Server” on their show.

A couple of weeks ago Sean and Jen McCown (twitter | Sean’s Blog | Jen’s Blog) talked about “Securing SQL Server” on their DBAs@Midnight web show.  While this isn’t a full review, they got the book about six hours before the recorded the show, it does give you a little insight into the book.  Sean was able to read a couple of the sections before he recorded the show, and his response to the book was pretty positive.

Apparently there are a couple of spelling errors that he’s found so far (I already know about the one in the dedication which he didn’t mention), but if those are the biggest problem that he finds with the book I’m doing pretty good.

You can download the video from the DBAs@Midnight – Get Away From Me web page on their site.  They start talking about the book at 34 minutes into the video, and they are done at about the 42 minute mark.  Sean said that he’ll be doing a full review of the book on their IT Bookworm book review site.  If his full review is as positive as this video was, I’ll be a very happy book writer.


Amazon, Kindle, Securing SQL Server

Chapter 1 of “Securing SQL Server” is now available for free on Amazon.

Amazon has posted the entire Chapter 1 of Securing SQL Server up on their site. Go to the books Amazon page and click on the “Read first chapter free ” button (shown below) and you’ll get to read the first chapter right there on your computer.  If you want the sample on your Kindle, go to the Kindle versions page and use the Try it free I talk about below.

This gives you a great chance to take a peek at the first chapter for free, to see if it would be of assistance to you. Now do keep in mind that Chapter 1 isn’t actually about SQL Server specifically, but more about network design and network security.

If you go to the Kindle versions page you can get a sample of the book sent to your kindle using the “Try it free” option on the right of the page (shown below).  It appears that this will send Chapter 1 to your kindle (at least that’s what it sent to me).