SQL 2008 Hardening Advice

Hi All,

I was wondering if anyone could help with the task of hardening a SQL 2008 instance. I have a basic understanding of the audit and policy definition features of SQL 2008, but I was wondering if anyone knew of a guide that I could follow. I think I can manage through it, but I would love a reference to check against, in the spirit of leaving no stone unturned.

I have been all over MS TechNet and SQLPASS, and haven't found anything. Am I just missing it?




asked Apr 08, 2010 at 11:17 AM in Default

Chris 4

I posted this question on other boards and to other SQL-smart people I have encountered. One of them did pass back a link to a MS-authored security document:


I will pull information from all available resources, but I really like having something from the software vendor as a baseline.

Thanks to everyone that has responded so far...

Apr 09, 2010 at 09:43 AM Chris 4

3 answers

A guide which was used by the operations guys at my last employer when hardening for PCI DSS can be found here. I'm not sure though if they did anything on top of what was mentioned in there in order to pass PCI, however.


answered Apr 08, 2010 at 11:48 AM

Matt Whitfield ♦♦

Is this an excerpt from the book by Ross Mistry? I just read the whole chapter...thanks!

Apr 08, 2010 at 03:14 PM DaniSQL

@DaniSQL - yes it is...

Apr 09, 2010 at 05:40 AM Matt Whitfield ♦♦

Google has a lot to give you: http://www.google.co.uk/search?sourceid=chrome&ie=UTF-8&q=hardening+sql+server+2008
and then there is Books Online http://msdn.microsoft.com/en-us/library/ms130214.aspx
and SQLBits IV had a session on it that was recorded http://sqlbits.com/Agenda/event4/Securing_and_Hardening_a_SQL_Server_Implementation_-_Notes_from_the_Field/default.aspx
and a SQL Server security specialist is K Brian Kelly and his site http://www.truthsolutions.com/

Hopefully these will get you started and undoubtedly lead you to other sources and references.


answered Apr 08, 2010 at 11:49 AM

Fatherjack ♦♦

  • for the sqlbits link.

Apr 08, 2010 at 03:15 PM DaniSQL

I am currently working with the infrastructure team on becoming PCI compliant by July 2010. I started auditing by reading articles about SQL Server Security Audit from sql-performance.com. Especially try to read the first three-part article on server, database and OS security. Document your findings and discuss with your team and management and then take ACTION!!

Although the majority of my servers are 2005, it may apply to 2008. Since your environment is SQL 2008, I suggest you read about Policy-Based Management and take advantage of it.

Please post here if you find a better resource while working on hardening SQL Server.

Hope this helps!

Good Luck!


answered Apr 08, 2010 at 03:11 PM

