Security Issue - Viewing SQL 2000 backups in Word

  • As part of a security audit, one of my company's security staff opened up a SQL 2000 backup in MS Word.  (He did not know the source of the file and therefore randomly opened the backup in Word.)  While most of the data in Word was unreadable, there was some readable text.  The interesting part of this is that the text was not from any data that was in the database that was backed up.  It was data from other databases on the same server that were not part of the backup.  In this case, the backup was for a db that had non-sensitive data, but much of the text that could be read through Word was sensitive.

    Has anybody else encountered this issue before?  I could not find any info on it, but that is understandable because most DBAs would not think of trying to open a backup in Word.  If this is a common problem, however, then it could be a huge security breach.

  • The ability to view text data in a database backup is nothing new. SQL 2005 now incorporates data encryption that can secure the data. For SQL 2000, most of the third party backup utilities that are available provide some sort of encryption capability.

    Is this a backup device that is reused by multiple database backups?  If so, then backing up a database to the device without doing an INIT will preserve previous backups within the same file.


    --------------------
    Colt 45 - the original point and click interface
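    The reused-device behaviour Phil describes, as an added T-SQL example that is not part of the original thread: a backup file accumulates backup sets unless INIT is specified (NOINIT is the default), and RESTORE HEADERONLY is the check to run before treating a .bak file as containing only one database. The database names AuditDemo_Public and AuditDemo_Private and the path C:\Backups\shared.bak are assumptions for illustration.

```sql
-- Added example, not from the original thread. Assumes two test databases
-- named AuditDemo_Public and AuditDemo_Private exist and that the SQL Server
-- service account can write to C:\Backups. Adjust names and paths as needed.

-- 1. First backup with INIT: the existing backup sets on the media are
--    overwritten, so the file now holds exactly one backup set.
BACKUP DATABASE AuditDemo_Public
    TO DISK = 'C:\Backups\shared.bak'
    WITH INIT, NAME = 'AuditDemo_Public full';

-- 2. Second backup of a DIFFERENT database to the SAME file without INIT.
--    NOINIT is the default, so this appends a second backup set; nothing
--    from the first backup is removed from the file.
BACKUP DATABASE AuditDemo_Private
    TO DISK = 'C:\Backups\shared.bak'
    WITH NOINIT, NAME = 'AuditDemo_Private full';

-- 3. The check: RESTORE HEADERONLY returns one row per backup set on the
--    media. Look at the Position, DatabaseName and BackupName columns; both
--    databases are listed even though "the backup" was only meant to be one.
RESTORE HEADERONLY FROM DISK = 'C:\Backups\shared.bak';

-- 4. Why a test restore does not reveal this: RESTORE defaults to FILE = 1,
--    so restoring "the" backup only ever touches the first backup set.
--    Asking for the second set explicitly shows the other database's files.
RESTORE FILELISTONLY FROM DISK = 'C:\Backups\shared.bak' WITH FILE = 2;

-- 5. Safer pattern for anything that leaves the server: one freshly named
--    file per database and per job, written with INIT (and FORMAT to rewrite
--    the media header as well), so the file can never carry an older set.
BACKUP DATABASE AuditDemo_Public
    TO DISK = 'C:\Backups\AuditDemo_Public_full.bak'
    WITH INIT, FORMAT, NAME = 'AuditDemo_Public full';
RESTORE HEADERONLY FROM DISK = 'C:\Backups\AuditDemo_Public_full.bak';
```

    Run step 3 against any backup file before emailing it or handing it to a developer; a single row in the result set is what "contains only one database" should look like. Step 5 is the habit that makes the check pass by construction.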

  • Thanks for replying Phil.

    This backup contained only one database.  When you restore the backup, only this one database is restored and none of the data from the other database is in the restored database.

    We are currently pursuing this through Microsoft.


  • How is it that a casual user has been allowed access to backups?  That, in itself, would be a violation on PCI audits...

    --Jeff Moden


    RBAR is pronounced "ree-bar" and is a "Modenism" for Row-By-Agonizing-Row.
    First step towards the paradigm shift of writing Set Based code:
    ________Stop thinking about what you want to do to a ROW... think, instead, of what you want to do to a COLUMN.

    Change is inevitable... Change for the better is not.


    Helpful Links:
    How to post code problems
    How to Post Performance Problems
    Create a Tally Function (fnTally)

  • Database backed up by DBO for that database.  Database backed up was schema only and was being emailed to a developer.  Email scan picked up on sensitive data.
