- Ensure the physical security of each SQL Server, preventing unauthorized users from physically accessing your servers.
- Ensure that your SQL Servers are behind a firewall and are not exposed directly to the Internet.
- Avoid creating network shares on any SQL Server.
- Only install required network libraries and network protocols on your SQL Server instances.
- Only give SQL Server service accounts the minimum rights and permissions needed to run the service. In most cases, local administrator rights are not required, and domain administrator rights are never needed. SQL Server setup will automatically configure service accounts with the necessary permissions for them to run correctly; you don’t have to do anything.
- Run each separate SQL Server service under a different Windows domain account.
- Use strong passwords for all SQL Server login accounts.
- Turn on login auditing so you can see who has succeeded, and who has failed, to log in.
- Remove sample databases from all production SQL Server instances.
- Add operating system and SQL Server service packs and hot fixes soon after they are released and tested, as they often include security enhancements.
Users and permissions management:
- Assign the SA account a very obscure password, and never use it to log onto SQL Server. Use a Windows Authentication account to access SQL Server as a sysadmin instead.
- When possible, use Windows Authentication logins instead of SQL Server logins.
- Remove the login IDs of users who no longer need access to SQL Server.
- Remove the guest user account from each user database.
- Never grant permission on xp_cmdshell to non-sysadmins.
- Don’t use the SA account, or login IDs that are members of the Sysadmin group, as accounts used to access SQL Server from applications.
- Give users the least amount of permissions they need to perform their job.
- Use Windows Global Groups, or SQL Server Roles to manage groups of users that need similar permissions.
- Don’t grant permissions to the public database role.
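
Several of the items above can be checked directly from the catalog views. The following T-SQL is an added example, not part of the original checklist; it only reads metadata and assumes SQL Server 2005 or later and a login allowed to view server and database principals.

```sql
-- Added audit example. Queries 1-3 are per instance; run 4 and 5 in each user database.

-- 1. SQL Server logins that are not bound to the Windows password policy.
SELECT name, is_policy_checked, is_expiration_checked, is_disabled
FROM sys.sql_logins
WHERE is_policy_checked = 0;

-- 2. Members of the sysadmin server role. Application logins should not appear here.
SELECT m.name AS member_name, m.type_desc, m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin';

-- 3. Explicit permissions on xp_cmdshell (recorded in master).
--    Any grantee listed here is a non-sysadmin path to the operating system.
SELECT pr.name AS grantee, pe.permission_name, pe.state_desc
FROM master.sys.database_permissions AS pe
JOIN master.sys.all_objects AS o
  ON o.object_id = pe.major_id
JOIN master.sys.database_principals AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pe.class = 1
  AND o.name = 'xp_cmdshell';

-- 4. The guest user can enter the current database if it holds CONNECT.
SELECT DB_NAME() AS database_name, pe.permission_name, pe.state_desc
FROM sys.database_permissions AS pe
WHERE pe.grantee_principal_id = DATABASE_PRINCIPAL_ID('guest')
  AND pe.permission_name = 'CONNECT'
  AND pe.state IN ('G', 'W');   -- GRANT or GRANT WITH GRANT OPTION

-- 5. Permissions granted to the public role on user-created objects
--    (system-shipped objects are excluded to keep the result reviewable).
SELECT o.name AS object_name, pe.permission_name, pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.objects AS o
  ON o.object_id = pe.major_id
WHERE pe.grantee_principal_id = DATABASE_PRINCIPAL_ID('public')
  AND pe.class = 1
  AND o.is_ms_shipped = 0
  AND pe.state IN ('G', 'W');
```

An empty result for queries 1, 3, 4 and 5 means the corresponding item is satisfied; query 2 always returns rows and needs a manual review of who is listed.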