Michael Paycer — SQL Server Security: authentication, network, and data protection
SQL Server Security · Part 1

Securing SQL Server: Authentication, Network, and the Data Itself

Database security isn't one setting — it's layers, each covering for the others. This first guide covers the three most environments can tighten today: who gets in, how they connect, and what protects the data once they're there.

Most SQL Server security problems aren't exotic. They're a login with far more rights than it needs, a connection traveling in clear text, or a table anyone with access can read top to bottom. You close most of the real risk by getting a few fundamentals right before reaching for the advanced features — so that's where this starts.

The same principle that drives good performance work applies here: diagnosis before prescription. Know what access exists and how data moves before you start hardening. You can't protect what you haven't mapped.

Authentication and role-based access — who gets in, and what they can do

Security starts at the door. Prefer Windows authentication or Microsoft Entra ID (in Azure SQL) over SQL Server logins wherever you can — it hands identity to a system already built to manage it, with lockout, expiry, and central control. Where SQL logins are unavoidable, enforce the password policy (CHECK_POLICY and CHECK_EXPIRATION), and disable or rename the built-in sa account rather than leaving a known target with a password on it.

Getting someone in the door is only half of it. The other half is role-based access built on least privilege — everyone gets exactly the rights their job needs, and nothing spare:

The test is simple: if a login were compromised tomorrow, how much could it touch? Least privilege is the difference between an incident and a catastrophe.

Network — narrowing the front door and encrypting the path

Once you've decided who gets in, control how they connect. Two things matter most here.

Force connection encryption (SSL/TLS). Data moving between the application and SQL Server should never travel in clear text. Install a valid certificate, force encryption at the instance, and require it on the client side too — Encrypt=true with TrustServerCertificate=false, so clients actually validate the certificate instead of trusting anything that answers. Standardize on TLS 1.2 or 1.3 and disable the legacy protocols at the OS. (SQL Server 2022 adds strict encryption over TDS 8.0 for an even stronger posture.) If you run Availability Groups, mirroring, or replication, remember those endpoints are encrypted separately — don't leave them behind.

Shrink the network surface. The instance shouldn't be reachable from anywhere it doesn't need to be:

In-database protection — guarding the data once someone's inside

Authentication and network controls keep the wrong people out. But not everyone with legitimate access should see everything, and that's what in-database protection is for — controlling exposure at the row, column, and data level.

Together these move protection closer to the data itself, so a broad grant or an over-curious user doesn't automatically mean full exposure. For the strongest column-level protection — hiding data even from the DBA — see encryption at rest in part three.

Continue the series: Part 2 — Auditing and Threat Detection →  ·  Part 3 — Encryption at Rest →

If you'd rather have a senior DBA review and harden your environment, that's what I do. See SQL Server DBA services, review real client results, or get in touch.


References