How can I prevent the client to open or see the SQL database file (mdf) out of the application

  • I deployed an application and I will send it to a client, but I want to make the mdf files secure so they can't be opened by the SQL Server which is installed at the client [prevent the dba db0 administrator any account to open my mdf file database and see its data]

    Sorry, I'm just a programmer and haven't any experience about administration and security of SQL Server, so please kindly give me the steps for that or give me an article link for this issue.

    I do that because I have a lot of users to treat with this database, so I want to prevent some from seeing some data. So if the unauthorized client has administrator permissions for SQL Server, I want to prevent him from opening the mdf file by SQL to see the data.

    Finally, I want to prevent all users from opening the mdf file itself out of the application:)

    :)Thank you for your patience and very thankful for help..

    YoU CaN't LoSe WhAt YoU NeVeR HaD;)

  • If you are not a DBA, it is out of your control. But you can ask your DBA to set the security.

    If my understanding is correct, you would not like your users to know the database structure. You may consider using stored procedures and views to hide the detail of your database.

  • You aren't going to be able to lock out an individual with system administration privileges in SQL Server. This privilege grants access to all databases and their objects. This is why a DBA has to be a trusted individual. If not, they shouldn't be the DBA.

    😎

  • Even if they didn't have permission before attaching the file - once the sysadmin attaches the database, they can change the owner to be whoever they wish.

    So - the only way to keep them from opening a file is to prevent them from having access to the server it's on, and prevent them from having physical access to any detached/backed up copy of the database.

    ----------------------------------------------------------------------------------
    Your lack of planning does not constitute an emergency on my part...unless you're my manager...or a director and above...or a really loud-spoken end-user..All right - what was my emergency again?

  • Hello guys, I didn't ask to answer me that is not your responsibility, I know that, but it is my application and I haven't a DBA so I order help at all. Thanks for trying to reply...:):)

    YoU CaN't LoSe WhAt YoU NeVeR HaD;)

  • Okay, I am confused, but I would have sworn you asked for help in locking out the DBA at client sites from your application database and from outside your application. Your original post:

    I deployed an application and I will send it to a client, but I want to make the mdf files secure so they can't be opened by the SQL Server which is installed at the client [prevent the dba db0 administrator any account to open my mdf file database and see its data]

    Sorry, I'm just a programmer and haven't any experience about administration and security of SQL Server, so please kindly give me the steps for that or give me an article link for this issue.

    I do that because I have a lot of users to treat with this database, so I want to prevent some from seeing some data. So if the unauthorized client has administrator permissions for SQL Server, I want to prevent him from opening the mdf file by SQL to see the data.

    Finally, I want to prevent all users from opening the mdf file itself out of the application

    Thank you for your patience and very thankful for help..

    We replied to you that you can't lock out an individual or group that has system administration privileges in SQL Server. That isn't what you were asking for??

    :unsure:

  • If what you really mean is that you don't want anyone to be able to "steal" your code, then you must check all of your code into some safe place so you have an unencrypted copy and then create each stored procedure, view, UDF, etc, etc, "With Encryption". But, even then, there's about ten thousand ways to break this simple encryption posted on the internet.

    --Jeff Moden


  • The WITH ENCRYPTION is a misnomer anyway - since you're giving the system an automated way to decrypt the data. The "door being opened" is so wide that the only part of the equation where it "acts" encrypted is for the human beholder, so it's better defined as OBFUSCATION and not encryption. I guess it's encrypted if someone stole a copy of the database without the master certificates - but if it's attached and functional - encryption it isn't.

    Never minding the name - Jeff's right - there are lots of ways to "break" the encryption.

    ----------------------------------------------------------------------------------
    Your lack of planning does not constitute an emergency on my part...unless you're my manager...or a director and above...or a really loud-spoken end-user..All right - what was my emergency again?

  • Thank you all for replying. Briefly, I want to prevent the client from treating with the mdf file and seeing its data and DB structure, like Access, as close Shift and make passwords for forms and all these old things. I know that no application has perfect security but we just do what we have to do...:)

    Hesham Elmasry

    YoU CaN't LoSe WhAt YoU NeVeR HaD;)

  • Using a SQL Server backend for your application, any individual or group with system administration privileges is going to be able to see your database structure and the data stored in the database. I don't see any way around that except to not give your clients sys admin rights to SQL Server, and I don't know how well that would fly with your clients.

    😎

  • I think SQL Oracle had your answer early on in that you set the client up so the only access they have is via the app, and their only permissions within the database are via say an application role or exec stored procedures.

    If you want to stop people accessing your .mdf file directly as a file, put it in its own directory and set up permissions on the directory so only the SQL Server service account can access it.

    Somewhere along the line you gotta trust someone (i.e. the DBA)

    ---------------------------------------------------------------------
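The application-role and execute-only-procedure setup suggested in the post above, as an added T-SQL example that is not part of the original thread. The database, schema, role, login, table and procedure names are hypothetical, and the passwords are placeholders.

```sql
-- Added example: every object name below is hypothetical.
USE ClientAppDb;
GO
CREATE SCHEMA app AUTHORIZATION dbo;   -- same owner as dbo tables, so ownership chaining applies
GO
CREATE TABLE dbo.Customer (
    CustomerId  INT IDENTITY PRIMARY KEY,
    Name        NVARCHAR(100) NOT NULL,
    CreditLimit MONEY NOT NULL
);
GO
-- The procedure exposes only the column the application needs.
CREATE PROCEDURE app.GetCustomerName @CustomerId INT
AS
BEGIN
    SET NOCOUNT ON;
    SELECT Name FROM dbo.Customer WHERE CustomerId = @CustomerId;
END;
GO
-- The application role is the only principal that gets EXECUTE; nobody gets table rights.
CREATE APPLICATION ROLE ClientAppRole WITH PASSWORD = '<placeholder-role-password>';
GRANT EXECUTE ON SCHEMA::app TO ClientAppRole;
GO
-- An ordinary (non-sysadmin) login: it can connect, but holds no object permissions.
CREATE LOGIN ClientUser WITH PASSWORD = '<placeholder-login-password>';
CREATE USER ClientUser FOR LOGIN ClientUser;
GO

-- What the application runs on its connection after logging in as ClientUser:
DECLARE @cookie VARBINARY(8000);
EXEC sys.sp_setapprole
     @rolename      = 'ClientAppRole',
     @password      = '<placeholder-role-password>',
     @fCreateCookie = true,
     @cookie        = @cookie OUTPUT;

EXEC app.GetCustomerName @CustomerId = 1;   -- allowed through the role
-- SELECT * FROM dbo.Customer;              -- fails: no SELECT permission on the table

EXEC sys.sp_unsetapprole @cookie;           -- return to ClientUser's own (empty) permissions
```

This only constrains non-sysadmin logins, and the role password has to be supplied by the application, so anyone who can read it out of the client can activate the role. A sysadmin on the instance bypasses all of it, as the other replies say.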

  • Also, remove builtin\administrators group from SQL (after setting up alternative group with sysadmin to run sql under.)

    but a local admin with a bit of knowledge could get round that................

    ---------------------------------------------------------------------

  • and what will happen if he has his own SQL Server which has an admin login and attaches my mdf file??????????????

    YoU CaN't LoSe WhAt YoU NeVeR HaD;)

  • SQL Server databases aren't like Access databases. The .mdf and .ldf files have to be connected to an instance of SQL Server database engine. Given that, anyone with system administration privileges to that instance will have access to your database, the objects and data contained within. Unless you lock out the customer from having system administration rights to the SQL instance, you can't keep everyone out.

    This is why the DBA needs to be a highly trusted individual. The one, or hopefully two, who fill this position should be the ones with system administration privileges to the SQL Server instance.

    😎

  • lovestorya1 (3/19/2008)


    and what will happen if he has his own SQL Server which has an admin login and attaches my mdf file??????????????

    Then he can change permissions to whatever he wants....

    ----------------------------------------------------------------------------------
    Your lack of planning does not constitute an emergency on my part...unless you're my manager...or a director and above...or a really loud-spoken end-user..All right - what was my emergency again?
