November 15, 2002 at 5:56 pm
Why do .MDF files open in Notepad? (When the server is stopped, of course.)
Isn't this a big security risk?
November 15, 2002 at 6:08 pm
It's just what they are associated with. Mine asks me what to open with.
Simon Sabin
Co-author of SQL Server 2000 XML Distilled
http://www.amazon.co.uk/exec/obidos/ASIN/1904347088
SQL Server MVP
http://sqlblogcasts.com/blogs/simons
November 15, 2002 at 6:33 pm
That's not what I meant.
I am concerned about it being able to be opened in Notepad and data being visible.
Seems like a risk.
November 16, 2002 at 10:56 am
Does anyone else consider this a risk?
Shouldn't .MDFs only be allowed to be opened by SQL Server?
November 16, 2002 at 11:11 am
Has nothing to do with the extension. You can open any file in Notepad no matter the extension. However, I believe your concern is the fact that the data is not encrypted against casual view. Keep first in mind that when SQL Server has the file open it is locked. Also, encrypting a file too much will require higher CPU and memory overheads, impeding overall performance.

However, if you normalize a database properly (to the extent performance doesn't wane), then casual viewing will see bits here and there but nothing that can be a major detriment. Also, people who store extremely private data such as credit cards and Social Security numbers in an unencrypted format are breaking many of the rules anyway for a secure site with any DB server.

Consider that I can take your .mdf file and attach it to any SQL Server out there. This is just as big a security risk as Notepad, and actually more so, since I can now see the structure and format. The security is the admin's responsibility: to make sure no one can get to the data on your server other than by the direct prescribed path set up by the admin.
November 16, 2002 at 2:23 pm
If you're concerned about users other than the SQL Server service account seeing the database files, you have a solution under Windows 2000:
(1) Log on to the server as the SQL Server account (you can't run as LocalSystem).
(2) Stop the SQL Server service.
(3) Right-click on the database files in question, one at a time and view the properties.
(4) From the General tab, click the Advanced button.
(5) Choose to Encrypt contents to secure data and click OK.
(6) Click OK to accept the changes to the properties.
(7) Restart the SQL Server service.
Before you go and apply EFS, you'll want to read up on what's required to get the file back if you lose the user account, etc. Make sure you have this covered beforehand.
K. Brian Kelley
http://www.truthsolutions.com/
Author: Start to Finish Guide to SQL Server Performance Monitoring
http://www.netimpress.com/shop/product.asp?ProductID=NI-SQL1
@kbriankelley
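The seven GUI steps above, scripted, as an added example that is not part of the original post. It assumes a current Windows host with NTFS and EFS available (the post describes the Windows 2000 Properties dialog; `[System.IO.File]::Encrypt` sets the same EFS flag), that you run it in a session logged on as the SQL Server service account, and it uses placeholder values for the service name and file paths.

```powershell
# Added example: apply EFS to SQL Server data files from a session running as the
# SQL Server service account. Service name and paths are placeholders (assumptions).
$ServiceName = 'MSSQLSERVER'                                            # default instance
$DataFiles   = @('D:\SQLData\Sales.mdf', 'D:\SQLData\Sales_log.ldf')   # placeholder paths

# The EFS key is bound to whoever runs this, so it must be the service account.
# EFS under LocalSystem is not an option, as the post notes.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
Write-Host "Service runs as: $($svc.StartName); this session is: $env:USERDOMAIN\$env:USERNAME"
if ($svc.StartName -match '^(LocalSystem|NT AUTHORITY\\SYSTEM)$') {
    throw "$ServiceName runs as LocalSystem; reconfigure it to a dedicated service account first"
}

# (2) Stop SQL Server so the files are no longer locked.
Stop-Service -Name $ServiceName -Force
(Get-Service -Name $ServiceName).WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))

# (3)-(6) Encrypt each file and confirm the Encrypted attribute is set.
foreach ($f in $DataFiles) {
    if (-not (Test-Path -LiteralPath $f)) { throw "Missing data file: $f" }
    [System.IO.File]::Encrypt($f)
    $attrs = (Get-Item -LiteralPath $f).Attributes
    if (-not ($attrs -band [System.IO.FileAttributes]::Encrypted)) {
        throw "EFS flag not set on $f"
    }
    Write-Host "Encrypted: $f"
}

# Back up the EFS certificate and private key before relying on this; without it the
# files cannot be recovered if the account is lost. cipher.exe /x exports them.
# cipher.exe /x "$env:USERPROFILE\efs-backup"

# (7) Restart SQL Server and confirm it came back.
Start-Service -Name $ServiceName
(Get-Service -Name $ServiceName).WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
```

If SQL Server fails to start afterwards, the usual cause is that the files were encrypted under a different account than the one the service runs as; decrypt them with `[System.IO.File]::Decrypt` from the encrypting account and repeat from the correct logon.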
November 16, 2002 at 3:54 pm
Yes, I am well aware of encryption.
My point is, having the file opened with notepad is one thing, but being able to view actual data is a completely different thing. This should not be readable like this. I know the data is not put together very well in notepad, but some of it is readable.
November 16, 2002 at 5:16 pm
This is something that happens generally to most any application. In the late 80's and early 90's, "pirates" armed with a hex editor were breaking copy protection on commercial programs that depended on passwords and combination codes, because they'd scour the code for a match and as soon as they found it they'd edit the applications to bypass the copy protection.
This was especially true of the games that came out during that time that had the code wheels. Usually these code wheels would require you to line up several items and you'd get a code which you'd enter to start up the program. Since programs like CopyIIPC were effective at bypassing any disk copy protection, these methods were developed. However, software pirates proved so adept at cracking these other methods that I think most game manufacturers threw in the towel.
Even in recent days I know Diablo II had a copy protection scheme that looked for a bad spot on the CD (you had to insert the CD to be able to play). Someone cracked that without too much effort, but you couldn't play online at Blizzard. Then someone cracked it for good. Bottom line is people will spend days or weeks to bypass the copy protection when they could pay for the game with just a few hours of work. If you're a software company, how can you win?
SQL Server isn't natively doing anything to encrypt the data. As a result, it only makes sense that some of the data would be visible in plaintext. It uses the mechanisms in the OS to keep the data secure if you need it.
K. Brian Kelley
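To see concretely what "visible in plaintext" means for a data file, here is an added example (not from the post or from SQL Server) that does in script what Notepad or a hex editor does by eye: it pulls out runs of printable text, both single-byte (char/varchar) and UTF-16LE (nchar/nvarchar, which SQL Server stores with a 0x00 after each ASCII character). The sample bytes are constructed inline to stand in for a fragment of a data page; they are not a real .mdf, and the temp path is an assumption.

```powershell
# Added example: list readable ASCII and UTF-16LE runs in a binary file,
# roughly what a casual viewer sees when an unencrypted data file is opened in an editor.
function Get-ReadableRuns {
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$MinLength = 8
    )
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    # Decode as Latin-1 (code page 28591) so each byte is exactly one character
    # and match offsets equal byte offsets.
    $text  = [System.Text.Encoding]::GetEncoding(28591).GetString($bytes)

    $runs = @()
    # Single-byte text: N or more consecutive printable ASCII bytes.
    foreach ($m in [regex]::Matches($text, "[\x20-\x7E]{$MinLength,}")) {
        $runs += [pscustomobject]@{ Offset = $m.Index; Encoding = 'ASCII';    Text = $m.Value }
    }
    # UTF-16LE text: printable byte followed by 0x00, repeated; strip the nulls for display.
    foreach ($m in [regex]::Matches($text, "(?:[\x20-\x7E]\x00){$MinLength,}")) {
        $runs += [pscustomobject]@{ Offset = $m.Index; Encoding = 'UTF-16LE'; Text = ($m.Value -replace "`0", '') }
    }
    $runs | Sort-Object Offset
}

# Constructed sample (assumption): a few header-like bytes, a varchar value,
# some filler, then an nvarchar value. Not a real MDF page.
$sample = [byte[]](
    [byte[]](0x01, 0x00, 0x00, 0x00, 0x86, 0x00, 0x00, 0x00) +
    [System.Text.Encoding]::ASCII.GetBytes('Customer: Jane Example') +
    [byte[]](0x00, 0x00, 0x10, 0x00) +
    [System.Text.Encoding]::Unicode.GetBytes('Card 4111-1111-1111-1111') +
    [byte[]](0x00, 0x00)
)
$tmp = Join-Path $env:TEMP 'sample-page.bin'   # assumed scratch location
[System.IO.File]::WriteAllBytes($tmp, $sample)

Get-ReadableRuns -Path $tmp | Format-Table -AutoSize
# Expected: one ASCII run at offset 8 ("Customer: Jane Example") and one
# UTF-16LE run at offset 34 ("Card 4111-1111-1111-1111").

# Against a real file, point it at a copy of a detached database or run it with
# the service stopped; SQL Server holds the live file open exclusively.
# Get-ReadableRuns -Path 'D:\SQLData\Sales.mdf' -MinLength 12
```

The point of running this yourself is the one made in the thread: whatever NTFS permissions or EFS do at the file level, the bytes inside the file are plain, so anyone who can copy the file can recover column values without ever attaching it to a SQL Server.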
November 16, 2002 at 5:39 pm
I do agree it is a security risk, but if a person can get to the file, your security is an issue. Most likely the average person won't even know about the Notepad thing. Generally those who do, though, know that once they have the file they can attach it for viewing to a 120-day eval copy of SQL 7 or 2000 in a much better format. I do understand the concern, but if the file is able to be reached there are thousands of ways to view it; you need to always keep it secure if there is secure information.