Unless James Bond is in the picture, security is usually not a sexy topic. However, we all lament the lack of security when it directly affects us, or when the amount of security is an encumbrance which provides no perceivable benefit. That's why I put a full-day pre-con session for SQL Rally together to get it right with respect to SQL Server. And this pre-con isn't just for SQL Server professional types, either. It's also for the audit and security types, and it may provide 8 hours of CPEs for their current certifications (I need to verify this).
Vote for your choices at the PASS SQLRally event page.
So what's my pre-con all about? My learning objectives are that you come away with a knowledge of:
- How attackers look to go after a system.
- What to look at and harden at the operating system level.
- A solid understanding of SQL Server security principles and securables.
- How to instrument SQL Server for proper auditing.
- How to apply encryption at the column and database level.
Here's the abstract which describes what we'll cover:
In this pre-conference seminar, we will look at best practices and practical methods for securing and auditing Microsoft SQL Server. We'll start from the operating system and work our way into SQL Server itself, down to the object and column level. In this full-day class, you'll come away with a solid understanding of general security principles and how to apply them to your SQL Server installations; how attackers like to go after servers, and database servers in particular; the security model for the Microsoft SQL Server database engine and how it interacts with the Windows operating system; which security features are available in each version and edition of SQL Server; how to audit for permissions, rights, and data access across SQL Server 2000 through 2008; how to properly report and alert on suspicious or unusual activity; and finally, what encryption options are available within SQL Server.
And here's the schedule:
- Hours 1 & 2:
  - General Security Principles
  - Attack Methodology
  - Risk Assessment
  - Threat Vector Analysis
- Hour 3:
  - Hardening the OS
  - Minimizing SQL Server Surface Area
- Hours 4 & 5:
  - SQL Server Security Principals
  - SQL Server Securable Model
  - Ownership Chaining
  - Implicit Server and Database Level Permissions
- Hour 6:
  - Auditing Data Access within SQL Server
  - Auditing Changes within SQL Server
  - Preventing Unauthorized Changes in SQL Server
- Hour 7:
  - Security Event Collection Mechanisms
  - Security Event Reporting Mechanisms
  - Security Event Alerting Mechanisms
- Hour 8:
  - Built-In Encryption Options
    - Column-Level
    - Database-Level