Computing Reviews

SQL Server security distilled
Lewis M., Apress, LP, Berkeley, CA, 2003. 352 pp. Type: Book
Date Reviewed: 06/11/04

This book describes how to secure Structured Query Language (SQL) Server applications in a networked Microsoft Windows environment. It covers three different versions of SQL Server (versions 6.5, 7.0, and 2000), and discusses these in the contexts of Windows NT or Windows 2000, using clients that are running Windows 9x, Windows NT, Windows 2000, and, to some extent, Windows XP. As the reader might understand, these are complex environments, so the book is not easy reading.

The author does a fairly good job of subdividing the book, so most readers will not need to read the entire text. There are specific chapters dedicated to unique situations, based on the version of SQL Server you are using.

Given that most applications will not be running on a single machine, the network is a key part of the system, and must be as secure as the database and the machines it runs on. The author describes, in considerable detail, certain activities (specifically login) that pass through the network, and the potential security data that can be easily seen by others as a result. Lewis is very polite; at no point does he come out and say “and these exposures are so great that, in reality, there’s no point in any further security efforts,” but he does tell the reader what risks the user is exposed to, in very clear terms. (I did form some editorial opinions here; if I were writing the book, the text might just have said “don’t bother trying to secure” some of the configurations mentioned.)

There is an entire chapter on designing security for applications. Unfortunately, most application designers will not read a book that talks about server security, and would rather build all the security into the application (ignoring the fact that, if the database is not otherwise secured, direct SQL calls outside the application will do considerable damage to the application’s efforts). There is a need for a book that talks about application security (for SQL Server applications) from the designer’s point of view, and then introduces the SQL Server capabilities after the fact, rather than at first. That doesn’t diminish the value of this book, but suggests that, with some editorial rearrangement, a wider audience might find the book to be of value.
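The point made above, that checks built only into the application are bypassed by anyone who can open a direct connection and issue SQL, is usually addressed by putting the controls in the database as well. The following T-SQL is an added example by the editor, not code from the book or the review. It uses SQL Server 2000-era system procedures (sp_addlogin, sp_grantdbaccess, sp_addrole, sp_addrolemember, SETUSER), and the database, login, user, role, table and procedure names (OrdersDB, app_login, app_user, app_role, dbo.Orders, dbo.usp_PlaceOrder) are assumptions for illustration.

```sql
-- Added example (not from the book or the review): database-side least privilege
-- for an application account, in SQL Server 2000-era T-SQL.
-- All object, login, user and role names below are assumed.
USE OrdersDB;
GO

-- Table the application works with (assumed schema).
CREATE TABLE dbo.Orders (
    OrderId    INT IDENTITY PRIMARY KEY,
    CustomerId INT NOT NULL,
    Amount     MONEY NOT NULL CHECK (Amount > 0)
);
GO

-- The only write path the application is meant to use. Validation lives
-- here, not only in the client application, so a direct caller cannot skip it.
CREATE PROCEDURE dbo.usp_PlaceOrder
    @CustomerId INT,
    @Amount     MONEY
AS
    SET NOCOUNT ON;
    IF @Amount <= 0
    BEGIN
        RAISERROR('Amount must be positive', 16, 1);
        RETURN 1;
    END
    INSERT INTO dbo.Orders (CustomerId, Amount) VALUES (@CustomerId, @Amount);
    RETURN 0;
GO

-- SQL Server login, database user and role for the application.
EXEC sp_addlogin 'app_login', 'Str0ng!Passw0rd', 'OrdersDB';
EXEC sp_grantdbaccess 'app_login', 'app_user';
EXEC sp_addrole 'app_role';
EXEC sp_addrolemember 'app_role', 'app_user';
GO

-- The role may run the procedure but may not touch the table directly.
-- Because dbo owns both the procedure and the table, ownership chaining lets
-- the INSERT inside the procedure run without checking table permissions.
GRANT EXECUTE ON dbo.usp_PlaceOrder TO app_role;
DENY SELECT, INSERT, UPDATE, DELETE ON dbo.Orders TO app_role;
GO

-- Check: impersonate the application user (requires sysadmin) and try to
-- bypass the procedure with a direct SQL call, as the review warns about.
SETUSER 'app_user';
GO
INSERT INTO dbo.Orders (CustomerId, Amount) VALUES (1, -500);
-- expected: error 229, permission denied on object 'Orders'
GO
EXEC dbo.usp_PlaceOrder @CustomerId = 1, @Amount = 42;
-- expected: succeeds; the row is written through the sanctioned path only
GO
SETUSER;
GO
```

The design choice is that the GRANT/DENY pair makes the stored procedure the only route into the table, so the validation in the procedure cannot be bypassed by a client that connects with the application's credentials. On SQL Server 2005 and later the same layout is expressed with CREATE LOGIN, CREATE USER, CREATE ROLE and EXECUTE AS USER in place of the sp_* procedures and SETUSER.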

Although it is difficult to read, this book is a very valuable reference tool, and the contents are important to Windows server managers and database administrators working with SQL Server.

Reviewer: Charles W. Bash. Review #: CR129746 (0412-1442)
