Click here to monitor SSC
SQLServerCentral is supported by Red Gate Software Ltd.
 
Log in  ::  Register  ::  Not logged in
 
 
 
        
Home       Members    Calendar    Who's On


Add to briefcase

How to Hide/Encrypt/Password a Table Expand / Collapse
Author
Message
Posted Thursday, September 26, 2013 12:07 PM
Grasshopper

GrasshopperGrasshopperGrasshopperGrasshopperGrasshopperGrasshopperGrasshopperGrasshopper

Group: General Forum Members
Last Login: Saturday, September 13, 2014 8:39 AM
Points: 10, Visits: 31
I have some sensitive, Executive payroll tables that I would like to restrict access to, including from the System Administrator. I can't restrict by User Groups because the SA could add himself to the Group and gain access. Is there a way to password protect or encrypt or hide or explicitly use DENY to these tables to keep the SA, and any other unauthorized users, from seeing the data? I have security in the application, but I need a way to keep users from connecting to the server and accessing these tables with Crystal Reports, Excel, etc.
Post #1498992
Posted Thursday, September 26, 2013 12:31 PM


SSC-Dedicated

SSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-Dedicated

Group: Administrators
Last Login: Yesterday @ 3:11 PM
Points: 31,368, Visits: 15,837
Only if you can change the code that accesses the tables. If you can control the code, and have users enter a password, you can use symmetric/asymmetric encryption to secure this data and prevent sysadmins from viewing the data.






Follow me on Twitter: @way0utwest

Forum Etiquette: How to post data/code on a forum to get the best help
Post #1499008
Posted Thursday, September 26, 2013 12:54 PM


SSC-Forever

SSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-Forever

Group: General Forum Members
Last Login: Yesterday @ 1:14 PM
Points: 40,615, Visits: 37,081
Passwords should not be stored encrypted, they should be stored hashed. One-way cryptographic hash. There is no need to ever unencrypt a password. Hash whatever is entered and compare, don't decrypt what is stored and compare.

Of course, that requires changing the code that checks the passwords and the table design. If you can't do both, there's little to nothing you can effectively do.



Gail Shaw
Microsoft Certified Master: SQL Server 2008, MVP
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability

We walk in the dark places no others will enter
We stand on the bridge and no one may pass

Post #1499020
Posted Thursday, September 26, 2013 1:07 PM
Grasshopper

GrasshopperGrasshopperGrasshopperGrasshopperGrasshopperGrasshopperGrasshopperGrasshopper

Group: General Forum Members
Last Login: Saturday, September 13, 2014 8:39 AM
Points: 10, Visits: 31
Thanks for the responses. Yes, as the Developer, I can control the code. With this in mind, do you have any other suggestions? I would like to be able to do this to the entire table, not just selected columns. Does that make a difference in your thoughts?
Post #1499030
Posted Thursday, September 26, 2013 1:20 PM


SSC-Dedicated

SSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-Dedicated

Group: Administrators
Last Login: Yesterday @ 3:11 PM
Points: 31,368, Visits: 15,837
First, encrypting the entire table means that access is going to be slow since you have to decrypt. Indexing doesn't help, and that can be an issue. If you always perform access for just a row or two and the table isn't large, then that's fine. However, I'm not sure why you'd encrypt key columns. Usually you want to encrypt the data only that's sensitive.

The password can't ever be stored anywhere in the database or it can be compromised by the sysadmin. That's why I say this has to be controlled from the front end. You'd set this up, have the user enter a password, encrypt the data and then send it on the wire.

You could use temp keys in SQL Server as well. This isn't simple, but it's not too hard either.







Follow me on Twitter: @way0utwest

Forum Etiquette: How to post data/code on a forum to get the best help
Post #1499038
« Prev Topic | Next Topic »

Add to briefcase

Permissions Expand / Collapse