What are some things I can do to secure my SQL Server?
Change the password of the “sa” account to something besides null, preferably something of at least eight characters and not found in any dictionary. Remember, the sa account is the SQL Server equivalent of the Windows Administrator account.
Don’t use port 1433 on IP sockets if you’re going to expose the SQL Server to untrusted clients. This may evade less-aggressive attackers scanning for TCP 1433. Do not rely on this alone.
Don’t embed ‘sa’ passwords in applications such as VB/Delphi apps, global.asa files, web.config, or batch files.
Secure the SQL Server database files with tough NTFS permissions - I mean *SECURE*.
Don’t leave the xp_cmdshell extended stored proc on the server if you don’t need it (sp_dropextendedproc ‘xp_cmdshell’). This is simply to defend against older worms; smarter worms will simply re-enable the proc. Once again, this is not something you want to rely on as a single defense.
Place SQL Servers that transmit vital information on an isolated segment and only allow connectivity through middle-tier applications.
Use the principle of least-privilege. Never give users more rights than they need to complete any task.
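As an added example (not part of the original FAQ), the following T-SQL audit script checks several of the points above from inside the instance. It assumes SQL Server 2005 or later, where xp_cmdshell is governed by a configuration option rather than dropped with sp_dropextendedproc, and a login allowed to read the server catalog views (VIEW SERVER STATE or sysadmin); the embedded-password and NTFS checks cannot be done from T-SQL and are not covered.

```sql
-- Added audit script; not the original FAQ's code. Assumes SQL Server 2005+.
SET NOCOUNT ON;

-- 1. sa login: blank password and enabled state.
--    PWDCOMPARE() tests a candidate password against the stored hash.
--    principal_id 1 is always sa, even if the login has been renamed.
SELECT 'sa_password' AS check_name,
       CASE WHEN PWDCOMPARE('', password_hash) = 1
              THEN 'FAIL: sa password is blank'
            WHEN is_disabled = 1
              THEN 'PASS: sa login is disabled'
            ELSE 'PASS: sa password is set (verify its strength separately)'
       END AS result
FROM sys.sql_logins
WHERE principal_id = 1;

-- 2. Default TCP port 1433. local_tcp_port is NULL for shared-memory or
--    named-pipe sessions, so the check must be run over a TCP connection.
SELECT 'tcp_port' AS check_name,
       CASE WHEN local_tcp_port IS NULL
              THEN 'INFO: this session is not TCP; reconnect over TCP to check'
            WHEN local_tcp_port = 1433
              THEN 'WARN: listening on default port 1433'
            ELSE 'INFO: listening on port ' + CAST(local_tcp_port AS varchar(10))
       END AS result
FROM sys.dm_exec_connections
WHERE session_id = @@SPID;

-- 3. xp_cmdshell: on SQL Server 2005+ it is a sp_configure option.
SELECT 'xp_cmdshell' AS check_name,
       CASE WHEN value_in_use = 1 THEN 'FAIL: xp_cmdshell is enabled'
            ELSE 'PASS: xp_cmdshell is disabled'
       END AS result
FROM sys.configurations
WHERE name = 'xp_cmdshell';

-- 4. Least privilege: every login besides sa that holds sysadmin.
SELECT 'sysadmin_members' AS check_name,
       'REVIEW: ' + m.name + ' is a member of sysadmin' AS result
FROM sys.server_role_members rm
JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin' AND m.principal_id <> 1;
```

Run it from a TCP session (for example with sqlcmd against tcp:host,port) so the port check returns a real value; an empty result from check 4 means only sa holds sysadmin.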