Defenses Against Stored Procedure Attacks 65

alternative account and assigned it administrator group membership. Limit the user rights, privileges, and group membership of accounts to only what they need to perform the function they are designed for. From an SQL Server perspective, reducing the first-layer attack surface means removing any unnecessary accounts from the sysadmin server role and locking down the sa account. Assuming you chose Windows authentication mode during setup, or have switched over to that mode since then, your first step is to create a local account with a strong password within Windows and then add that account to the sysadmin role within SQL Server security. Once this is done, you need to log in to Windows as that account and delete the local administrator account or group (depending upon the version of SQL Server you are using) from the sysadmin role. Locking down the sa account is also a multistep process: you need to start by setting an extremely strong password, then disabling the account. If you are running SQL Server 2005 or higher, you should also rename the sa account to something unique.

ALTER LOGIN sa DISABLE
ALTER LOGIN sa WITH NAME = ZeroCool

The ALTER LOGIN statements shown above first disable the sa account and then rename it to ZeroCool.

Leverage Microsoft Knowledge

Microsoft deserves a lot of credit for providing in-depth technical documentation, tools, and recommendations at no charge to allow you to tighten up the security to the level you want.
Microsoft's Threats and Countermeasures guide for Windows 2008¹ lists every security item that can be managed by group policy and includes information about the vulnerability, countermeasures, and potential impact of each particular setting. There are other, earlier guides available, but each guide is completely backward compatible and includes information about which versions each setting applies to, so there is no reason not to download the newest one. In addition to the
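The first-layer lockdown procedure described earlier on this page (dedicated sysadmin account, removal of the local administrators group from sysadmin, then password, disable and rename of sa), written out as one auditable T-SQL sequence. This is an added example, not the book's own script; the Windows account name MYSERVER\SqlAdmin and the password placeholder are assumptions, and it is meant to be run as that new account once it holds sysadmin so that step 3 cannot lock you out.

```sql
-- Added example, not the book's own script. Assumptions: SQL Server 2005 or
-- later, Windows authentication, the Windows account MYSERVER\SqlAdmin
-- (placeholder name) already exists, and this is run as that account after
-- it has been made sysadmin.

-- 1. Audit: list the current members of the sysadmin fixed server role.
SELECT m.name, m.type_desc, m.is_disabled
FROM sys.server_role_members rm
JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin';

-- 2. Register the dedicated Windows account and add it to sysadmin
--    (sp_addsrvrolemember works on 2005+; ALTER SERVER ROLE needs 2012+).
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'MYSERVER\SqlAdmin')
    CREATE LOGIN [MYSERVER\SqlAdmin] FROM WINDOWS;
EXEC sp_addsrvrolemember N'MYSERVER\SqlAdmin', N'sysadmin';

-- 3. Remove the local Administrators group from sysadmin, but only once the
--    replacement account is confirmed to hold the role (avoids self-lockout).
--    On SQL Server 2005 the login is BUILTIN\Administrators; on later versions
--    it may instead be an individual account chosen during setup.
IF IS_SRVROLEMEMBER(N'sysadmin', N'MYSERVER\SqlAdmin') = 1
   AND EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'BUILTIN\Administrators')
    EXEC sp_dropsrvrolemember N'BUILTIN\Administrators', N'sysadmin';

-- 4. Lock down sa: strong password enforced by the Windows password policy,
--    then disable, then rename (the book's ZeroCool is kept as the new name).
ALTER LOGIN sa WITH PASSWORD = N'<replace with a long random passphrase>', CHECK_POLICY = ON;
ALTER LOGIN sa DISABLE;
ALTER LOGIN sa WITH NAME = [ZeroCool];

-- 5. Verify. The original sa login always has SID 0x01 whatever it is called,
--    so this still finds it after the rename; expect is_disabled = 1 and
--    name = ZeroCool, and step 1 re-run should no longer list the group.
SELECT name, is_disabled
FROM sys.server_principals
WHERE sid = 0x01;
```

Re-run the step 1 query after the script to confirm that only the intended principals remain in sysadmin.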