Re: SQL 2005 express security issue
- From: "Ekrem Onsoy" <ekrem@xxxxxxxxxxxx>
- Date: Thu, 14 Feb 2008 10:43:45 +0200
Take a look at BOL:
http://msdn2.microsoft.com/en-us/library/ms189586.aspx
--
Ekrem Onsoy
"stm" <stm@xxxxxxx> wrote in message news:%23we$4vKbIHA.5128@xxxxxxxxxxxxxxxxxxxxxxx
Do you know more about encryption in SQL Express?
"Ekrem Onsoy" <ekrem@xxxxxxxxxxxx> wrote in message news:BD29CAF2-A76B-494E-9858-826E2E103E0B@xxxxxxxxxxxxx...
I see your situation better now and it looks like your best bet is encryption.
--
Ekrem Onsoy
"stm" <stm@xxxxxxx> wrote in message news:em9xhHAbIHA.4880@xxxxxxxxxxxxxxxxxxxxxxx...
I know/understand everything you mention; it is an ideal case, but not suitable for mine, or do I just use SQL Express incorrectly?
The problem is that, as I stated before, my application is standalone, run on client machine, no network connection, no domain, no AD, etc required.
I can't use Windows authentication because I can't control account creation in client machine, and which account they use.
I can't control users attaching to my database because it is their own machine, and I can't set any file permission, so the last security measure is to use SQL authentication to protect my data.
As long as any user can install his own copy of SQL Express and use 'sa' to attach to the mdf (at least in my case), nothing can be protected.
"Ekrem Onsoy" <ekrem@xxxxxxxxxxxx> wrote in message news:76CC4F79-A168-42AA-B4AA-6DB6F6549BC7@xxxxxxxxxxxxx...
As far as I can see from the posts under your question, you focused on the "sa" account and protecting your database. But that's not the starting point. First, you should protect your OS, because your SQL Server runs under the OS. If you can keep your Windows and Domain accounts under your control, then nobody can reach your database files. Then stealing a database by detaching it would not be a security risk anymore. If you can't control your Windows user accounts, then you'd not be able to protect your databases, or anything else in your environment.
You do not have to use the "sa" account (if your application does not force you to), and using this account is not recommended, because every hacker knows that SQL Server has a built-in sysadmin account called "sa". So, creating another account with sysadmin rights would be the right choice. Disable your "sa" account if you don't have to use it.
SQL Server is a powerful product and much better than Access's password protection. You should just read more about it, then you'll see the light.
--
Ekrem Onsoy
"stm" <stm@xxxxxxx> wrote in message news:Ojl$XBnaIHA.4196@xxxxxxxxxxxxxxxxxxxxxxx...
Which statement, told to my security officer, is more likely to pass the risk assessment?
- Using SQL Express, I cannot control users attaching the database to their own machine and logging in as 'sa' to view everything.
- Using Access, I can set a password to control users viewing the database directly, but some tools are available to crack the password.
"Ekrem Onsoy" <ekrem@xxxxxxxxxxxx> wrote in message news:A405CA70-3D3D-4F89-9706-42621F812E45@xxxxxxxxxxxxx...
Personally, I have cracked MDB files' passwords many times. There are lots of software tools which perform this job decently and easily in one second.
--
Ekrem Onsoy
"stm" <stm@xxxxxxx> wrote in message news:ehzwxRMaIHA.3828@xxxxxxxxxxxxxxxxxxxxxxx...
Yes, they will get a copy of the mdf file... it is included in the distribution of my application.
It is a local standalone application; no network connection is required.
Using Access, I can set a password on the MDB, although some say it is easy to crack.
"Daniel Crichton" <msnews@xxxxxxxxxxxxxxxx> wrote in message news:%233L5VsBaIHA.5900@xxxxxxxxxxxxxxxxxxxx...
stm wrote on Wed, 6 Feb 2008 00:19:17 +0800:
but anyone can install his own SQL Express on their own machine, and
view anything...
Only if they then get hold of the MDF and LDF files and attach them to their instance of SQL Server - if you allow access to the underlying files then you're at risk no matter what software you use. If they just install SQL Express on their own machine and then connect to a different server where your data lies they'd need to have the sa password on the remote server - they can't just connect using the local sa login and then pull it across.
If you're really concerned about restricting access to the data, then look into using the built-in encryption features - using these would also require the person who gets the MDF and LDF files to also gain access to the certificate used to encrypt/decrypt the data, and that is likely going to be much harder.
--
Dan
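To make Dan's point about the built-in encryption features concrete, here is an added example of SQL Server 2005 cell-level encryption (not code from the thread): a symmetric key protected by a certificate, which is itself protected by the database master key. Database, table, key, certificate and password names are placeholders chosen for illustration.

```sql
-- Added example, not from the original thread. Placeholder names throughout.
USE MyAppDb;  -- assumed database name
GO
-- Database master key: encrypted by the instance's service master key and by
-- this password. On a different instance only the password can open it.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong-master-key-password>';
GO
-- Certificate that protects the symmetric key (its private key is encrypted
-- by the database master key).
CREATE CERTIFICATE CustomerDataCert
    WITH SUBJECT = 'Protects customer data columns';
GO
-- Symmetric key that performs the actual column encryption.
-- AES_256 is used where the host OS supports it.
CREATE SYMMETRIC KEY CustomerDataKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE CustomerDataCert;
GO
CREATE TABLE dbo.Customer (
    CustomerId    int IDENTITY PRIMARY KEY,
    Name          nvarchar(100) NOT NULL,
    CardNumberEnc varbinary(256) NOT NULL   -- ciphertext, never plaintext
);
GO
-- Writing: open the key, encrypt, close the key.
OPEN SYMMETRIC KEY CustomerDataKey DECRYPTION BY CERTIFICATE CustomerDataCert;
INSERT INTO dbo.Customer (Name, CardNumberEnc)
VALUES (N'Example Customer',                                -- constructed row
        EncryptByKey(Key_GUID('CustomerDataKey'), N'4111111111111111'));
CLOSE SYMMETRIC KEY CustomerDataKey;
GO
-- Reading: DecryptByKey returns NULL when the key cannot be opened, which is
-- what someone attaching the MDF on their own instance without the master
-- key password would see.
OPEN SYMMETRIC KEY CustomerDataKey DECRYPTION BY CERTIFICATE CustomerDataCert;
SELECT CustomerId, Name,
       CONVERT(nvarchar(32), DecryptByKey(CardNumberEnc)) AS CardNumber
FROM dbo.Customer;
CLOSE SYMMETRIC KEY CustomerDataKey;
GO
```

The protection only holds if the master key password is not shipped inside the application alongside the MDF, since whoever has that password can open the whole key hierarchy on any instance.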