Re: SQL 2005 express security issue



Which of these statements, told to my security officer, is more likely to pass the risk assessment?

- Using SQL Express, I cannot prevent users from attaching the database to their own machine and logging in as 'sa' to view everything.
- Using Access, I can set a password to control users viewing the database directly, but some tools are available to crack the password.


"Ekrem Onsoy" <ekrem@xxxxxxxxxxxx> wrote in message news:A405CA70-3D3D-4F89-9706-42621F812E45@xxxxxxxxxxxxx
Personally, I have cracked MDB files' passwords many times. There is lots of software which performs this job decently and easily in one second.

--
Ekrem Onsoy



"stm" <stm@xxxxxxx> wrote in message news:ehzwxRMaIHA.3828@xxxxxxxxxxxxxxxxxxxxxxx
Yes, they will get a copy of the MDF file... it is included in the distribution of my application.
It is a local standalone application, no network connection required.

Using Access, I can set a password on the MDB, although some said it is easy to crack.


"Daniel Crichton" <msnews@xxxxxxxxxxxxxxxx> wrote in message news:%233L5VsBaIHA.5900@xxxxxxxxxxxxxxxxxxxx
stm wrote on Wed, 6 Feb 2008 00:19:17 +0800:

but anyone can install his own SQL Express in their own machine, and
view anything.......

Only if they then get hold of the MDF and LDF files and attach them to their instance of SQL Server - if you allow access to the underlying files then you're at risk no matter what software you use. If they just install SQL Express on their own machine and then connect to a different server where your data lies they'd need to have the sa password on the remote server - they can't just connect using the local sa login and then pull it across.

If you're really concerned about restricting access to the data, then look into using the built-in encryption features - using these would also require the person who gets the MDF and LDF files to also gain access to the certificate used to encrypt/decrypt the data, and that is likely going to be much harder.

--
Dan
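
The built-in encryption mentioned in the reply above, as an added T-SQL example that is not part of the original thread: cell-level encryption in SQL Server 2005 with a symmetric key protected by a certificate. The database, table, certificate and key names, the passwords and the sample row are constructed placeholders.

```sql
-- Added example: constructed names (DemoDb, dbo.Customer, DataCert, DataKey).
USE DemoDb;
GO
-- The database master key protects the certificate's private key.
-- Its password is what someone holding only the MDF/LDF files lacks.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong-master-key-password>';
GO
CREATE CERTIFICATE DataCert WITH SUBJECT = 'Column encryption certificate';
GO
CREATE SYMMETRIC KEY DataKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE DataCert;
GO
CREATE TABLE dbo.Customer (
    CustomerId    INT IDENTITY PRIMARY KEY,
    Name          NVARCHAR(100)  NOT NULL,
    CardNumberEnc VARBINARY(256) NOT NULL   -- ciphertext only, never plaintext
);
GO
-- Encrypt on write, decrypt on read, while the key is open in this session.
OPEN SYMMETRIC KEY DataKey DECRYPTION BY CERTIFICATE DataCert;

INSERT INTO dbo.Customer (Name, CardNumberEnc)
VALUES (N'Constructed Sample',
        EncryptByKey(Key_GUID('DataKey'), N'4111-0000-0000-0000'));

SELECT Name,
       CONVERT(NVARCHAR(50), DecryptByKey(CardNumberEnc)) AS CardNumber
FROM dbo.Customer;

CLOSE SYMMETRIC KEY DataKey;
GO
-- By default the master key is also encrypted by the instance's service
-- master key, so the local instance opens it automatically. Dropping that
-- copy makes every session supply the password explicitly.
ALTER MASTER KEY DROP ENCRYPTION BY SERVICE MASTER KEY;
GO
-- After the files are attached to a different instance, the keys stay
-- unusable until the master key is opened with its password:
OPEN MASTER KEY DECRYPTION BY PASSWORD = '<strong-master-key-password>';
OPEN SYMMETRIC KEY DataKey DECRYPTION BY CERTIFICATE DataCert;
```

Only the encrypted column is protected; other columns and the schema remain readable to anyone who attaches the files. A standalone application also has to obtain the master key password at run time, so where that password is stored decides how much protection this gives.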



