Eitan Blumin has some myths for us:
Many organizations assume that their SQL Server is secure because it is behind a firewall. However, firewalls only block traffic to specified ports and protocols, and they do not protect against attacks that come through allowed traffic. Therefore, it’s important to secure SQL Server at a more granular level.
Furthermore, even if your SQL Server is not connected to the internet, it can still be hacked through internal attacks or by using compromised devices that connect to your network… If at least one privileged user can connect to the SQL Server, that means a malicious attacker potentially could do the same.
My one quibble is that number 5 isn’t a myth. I accept the importance of performing auditing, and people I know who have insane transactional throughput requirements still perform auditing, but there certainly is a performance effect. Otherwise, definitely worth the read.
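As an added example (not from Eitan Blumin's post, and not code of his), here is what auditing with a bounded performance cost looks like in T-SQL: a SQL Server Audit limited to security-relevant server action groups, with asynchronous flushing so it does not sit on the transaction path. The audit names, file path and size limits are assumed values.

```sql
-- Added example: a SQL Server Audit scoped to security-relevant server events,
-- configured so that its cost on a busy instance stays small.
USE master;
GO

-- File target with rollover, so the audit cannot fill the disk.
-- QUEUE_DELAY = 1000 (ms) lets audit records be flushed asynchronously; 0 would
-- force synchronous writes, which is the setting with the heaviest transactional cost.
-- ON_FAILURE = CONTINUE keeps the server available if the target becomes unwritable
-- (SHUTDOWN and FAIL_OPERATION are the stricter alternatives).
CREATE SERVER AUDIT [Audit_SecurityEvents]
TO FILE (
    FILEPATH = N'D:\SQLAudit\',          -- assumed path
    MAXSIZE = 256 MB,
    MAX_ROLLOVER_FILES = 20,
    RESERVE_DISK_SPACE = OFF
)
WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO

-- Audit only the action groups a defender needs rather than every statement;
-- this is what keeps the overhead bounded.
CREATE SERVER AUDIT SPECIFICATION [AuditSpec_SecurityEvents]
FOR SERVER AUDIT [Audit_SecurityEvents]
    ADD (FAILED_LOGIN_GROUP),                 -- failed logins: brute-force signal
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),    -- sysadmin / server role membership changes
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP),      -- logins created, altered or dropped
    ADD (SERVER_PERMISSION_CHANGE_GROUP),     -- GRANT / REVOKE at server scope
    ADD (AUDIT_CHANGE_GROUP)                  -- changes to the audit itself
WITH (STATE = ON);
GO

ALTER SERVER AUDIT [Audit_SecurityEvents] WITH (STATE = ON);
GO

-- Verify the audit is running and where it is writing.
SELECT name, status_desc, audit_file_path
FROM sys.dm_server_audit_status;
GO
```

Ship the audit files off the host (or use the Windows Security log target) so that an attacker with local access cannot quietly delete the trail.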
Perhaps number 5 should’ve been written a bit differently. The myth should’ve been that BECAUSE there is performance impact that means it’s reason NOT TO AUDIT.