Book Review: SQL Server Security Distilled, by Morris Lewis
Last updated: December 16th '02 | Best viewed with: All popular browsers | Best viewed at: 1024x768 | Links to external sites will open in a new window

About myself
My technical skills
My favorites
My picture album

Shortcut keys
My code library

VB resources
SQLServer resources
SQLServer books
Replication FAQ
Scripting resources
ASP resources

Search my site
Sign my guestbook
Contact information

This month's 2 click survey:
Is .NET important for a database professional?

SQL Server Articles New

Click here to find out the top 15 SQL Server books purchased by this site's visitors! NEW

Database encryption for SQL Server and MSDE:

Featured Book:
Real-World SQL-DMO for SQL Server, by Allan Mitchell and Mark Allison
NEW!!! Subscribe to my newsletter:
Want to keep in touch with the latest in SQL Server world? Email with 'subscribe' in the subject line

Title: SQL Server Security Distilled
Author: Morris Lewis
Publisher: Curlingstone
ISBN: 190434707X
Pages: 300
Click here for more information or to buy this book from: or or

Click here to read a sample chapter from this book!

This book review is divided into the following sections:

What this book covers?

SQL Server Security Distilled

  • An in-depth look at SQL Server security
  • For SQL Server professionals
  • Covers versions 6.5, 7.0, and 2000

Securing SQL Server is one of the most important responsibilities of the SQL Server professional. Ensuring your data is safe requires a combination of good systems and database administration, and intelligent application design - weaving a security plan that matches the capabilities and vulnerabilities of each contributing part.

But at its root, security is concerned with controlling access - authenticating who can access the data on the server, authorizing what users can do with that data, and securing data as it is transported. These core topics are the focus of this book.

SQL Server Security Distilled shows you:

  • What you can do to secure data in SQL Server
  • How SQL Server handles authentication and authorization in different versions
  • How SQL Server security integrates with Windows security
  • The security pros and cons of different transport protocols
  • Ways to tailor SQL Server security to different applications, including client-server and Web applications
  • How to secure DTS packages
  • The implications of different types of replication for security
  • The security features of SQL Server CE and its server-side agents

My review of this book:

At last!!! Yes, at last, we have a book dedicated to SQL Server security. It's been a long due, and finally Morris Lewis filled the gap by coming up with this new book "SQL Server Security Distilled", which purely focuses on all things SQL Server security. Thanks to Curlingstone Publishing, I had a chance to review this book.

It is a very concise, yet comprehensive book on SQL Server security (hardly 300 pages). Good thing about this book is, it covers SQL Server security in all three major versions of SQL Server, that can be found in production environments, SQL Server 6.5, 7.0 and 2000. Very nice to see SQL Server security guru like Chip Andrews on the list of technical reviewers of this book.

Had a chance to glance through all the chapters of this book and am impressed with the quality of the information and the depth at which topics are covered. Author often refers to undocumented registry locations, where appropriate. It is a useful book for SQL Server database administrators at all levels. If you are a senior DBA, it serves you as a security reference. Junior to intermediate level SQL Server DBAs will benefit from this book as well, as it helps them understand how SQL Server security works, and how one should secure data in all its states, from prying eyes. It even helps database developers by introducing them to secure coding techniques. Overall, a good book and I highly recommend it.

Now let me walk you through the chapters:

Chapter 1: A Security Roadmap
This chapter covers the basic security concepts, Authentication and Authorization and goes on to discuss the different authentication mechanisms available in SQL Server 6.5, 7.0 and 2000 and even discusses the Kerberos and Active Directory (AD) authentication. Then it covers how authorization can be implemented using logins, user accounts, groups and roles.

Chapter 2: Authentication Logins
The first part of this chapter focuses on creating strong passwords, and discusses how passwords are handled in different authentication methods, and how secure SQL Server and Windows passwords are. The second part of this chapter focuses on how the authentication process works in SQL Server 6.5, 7.0, 2000, with different server net libraries like TCP/IP, named pipes, multiprotocol etc. It also shows you how to monitor the network login traffic using network monitoring and sniffing tools. The remaining part of this chapter concentrates on logins and fixed server roles.

Chapter 3: Database Security in SQL Server 6.5
This chapter covers how security works in SQL Server 6.5. Discusses the basics like aliasing, logins, users, granting and revoking permissions, object ownership etc., with examples. Goes on to discuss advanced topics like ownership chains.

Chapter 4: Database Security in SQL Server 7.0 and 2000
This chapter covers SQL Server 7.0 and 2000 security in detail. Starts off by examining the system table sysusers. Then there is a detailed section on managing permissions, called "The Art of Assigning Permissions". Then it covers database roles and object ownership chains.

Chapter 5: Designing Security for Applications
First part of this chapter helps you choose an authentication scheme among SQL Server authentication, Windows authentication, Kerberos security. Second part of this chapter covers how to secure your SQL Server, especially, when it is on the Internet. Author provides you with detailed steps and guidelines one should follow to tighten up security of production SQL Server computers. Next part helps you understand how to use technologies like Virtual Private Networks (VPN), Private Subnetwork, IPSec etc for protecting SQL Server data. The remaining part of this chapter covers SQL Injection attacks in detail.

Chapter 6: Securing Data Transformation Services (DTS)
Starts off with basics like creating , saving and managing DTS packages, and goes on to cover aspects like password protecting DTS packages, package versioning, different methods of package execution etc. There's a section on SQL Server Agent account permissions, and ownership issues involved in moving DTS packages from one server to another.

Chapter 7: Replication Security
Covers the basics of replication and introduces you to snapshot, transactional and merge replication and shows you how to secure different types of replication topologies. A section is dedicated to securing replication data stream.

Chapter 8: Managing Security for SQL Server CE
Last but not the least, this chapter covers various security aspects related to SQL Server CE, the future of mobile databases.

Appendix A: References
Contains links to valuable SQL Server and Windows security related books, site, tools etc.

The Author:

Morris Lewis has been smitten with Structured Query Language since the first time his professor wrote Select * from Authors on the chalkboard 14 years ago. He has worked with no other database server since he first installed SQL Server 4.21a on his 16 MHZ, Intel 386 computer with all of 32 megabytes of RAM running Windows NT 3.51, more than 8 years ago. With the mantra "It is ok to worry if they really are out to get you," he has focused on all aspects of securing Windows and SQL Server since he connected his first server to the Internet, six years ago. Now, he runs a training and consulting company, Holistech Incorporated (, that focuses on helping clients create better and more secure database applications, and on teaching them how to avoid the mistakes that can lead to problems in the future. He can be contacted at if you need help keeping the bad guys out of your applications.

Click here for more information or to buy this book from: or or

Click here to read a sample chapter from this book!