Click here to monitor SSC
SQLServerCentral is supported by Red Gate Software Ltd.
 
Log in  ::  Register  ::  Not logged in
 
 
 
        
Home       Members    Calendar    Who's On


Add to briefcase

SQL Datafile... How to protect ???? Expand / Collapse
Author
Message
Posted Saturday, December 29, 2007 2:32 AM
Grasshopper

GrasshopperGrasshopperGrasshopperGrasshopperGrasshopperGrasshopperGrasshopperGrasshopper

Group: General Forum Members
Last Login: Tuesday, July 15, 2008 11:41 PM
Points: 20, Visits: 17
SQL Experts,

Could you please share you expertise or the solution being found to reolved the issue below.

How can we protect SQL2k Datafiles (mdf) by putting some measures which will not allow anyone to attache or create a database using any MDFs on any instance of SQL Servers ?

At the moment I could see that MDF and LDFs can be takem from SQL Server machines by stopping the services and same can be attached any SQL instances running on other machines,.

I understant only OS admin can only stop SQL Services. I am not worrying about admin or users. looking for a solution to protect SQL Mdfs.

Please help..

Regar

Post #437314
Posted Saturday, December 29, 2007 2:55 AM


SSC-Forever

SSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-Forever

Group: General Forum Members
Last Login: Today @ 3:07 PM
Points: 42,812, Visits: 35,931
Do you want to prevent people from attaching data files, or from copying data files off the machine?

For the first, don't give db_creator rights to anyone. Sysadmins can do in, no one else should (unless you really trust them)

For the second, ensure no one but the server admins have access to the physical machine. No shares, no login permissions, no file system access. Ensure than no one but the server admins and sysadmins have the rights to stop the SQL service

Plus very strong admin passwords.



Gail Shaw
Microsoft Certified Master: SQL Server 2008, MVP
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability

We walk in the dark places no others will enter
We stand on the bridge and no one may pass

Post #437317
Posted Saturday, December 29, 2007 3:23 AM
Grasshopper

GrasshopperGrasshopperGrasshopperGrasshopperGrasshopperGrasshopperGrasshopperGrasshopper

Group: General Forum Members
Last Login: Tuesday, July 15, 2008 11:41 PM
Points: 20, Visits: 17
Gail Shaw

I understand your point which is all in place !.

The issues here. We suspect Windows admins !!!. If they took the copy of SQL MDFs and send to any of our compititors they could easly attache our data to their SQL instances using "sa". This is what I want to prevent. How this can be done ?

This a security risk !!. DBA should have a solution I beleive since can not rely OS admins all the times. We need to protect the data leakage :)

Rgds/Ahmed
Post #437318
Posted Saturday, December 29, 2007 5:09 AM


SSC-Forever

SSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-Forever

Group: General Forum Members
Last Login: Today @ 3:07 PM
Points: 42,812, Visits: 35,931
There's nothing you can really do to protect the server against the admins of that server. They have full control over the servers and possibly even the domain. Stealing your data file is the least of the damage they could do.

In SQL 2005 and 2008 you can encrypt part or all of the database, but even that may not be a complete defence against the server admins who may be able to get hold of encryption keys.

Do you have anything solid behind your suspicions? If so, take it to your information security people, or to management.

Basically, it comes down to this. If you don't trust them, why do they still have admin privileges?



Gail Shaw
Microsoft Certified Master: SQL Server 2008, MVP
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability

We walk in the dark places no others will enter
We stand on the bridge and no one may pass

Post #437319
Posted Saturday, December 29, 2007 5:51 AM
Grasshopper

GrasshopperGrasshopperGrasshopperGrasshopperGrasshopperGrasshopperGrasshopperGrasshopper

Group: General Forum Members
Last Login: Tuesday, July 15, 2008 11:41 PM
Points: 20, Visits: 17
As I said earlier, we are not worrying about OS admin or users having OS admin roles. We do not want to blame any one in an organization on any data leakage.

The issues is here, why MS is allowing SQL users (sa & sever admin role users) to attach a MDFs to any SQL intances or MSDEs . Here is the issue. Rather than we looking into OS admins, as a DBA, we should have somethiong in place to protect the data file . Otherwise, I would say SQLk is not a secured database.


Hope MS will come up with somesort of protection in their future version to overcome this issue.

I believe you will agee with me on this issue :)

Rgds/
Post #437322
Posted Thursday, March 25, 2010 5:38 AM
Forum Newbie

Forum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum Newbie

Group: General Forum Members
Last Login: Tuesday, July 20, 2010 7:22 AM
Points: 1, Visits: 4
Hey go to MS-dowload center do find the DPM tool kit site and dowload the guide.
Post #889680
« Prev Topic | Next Topic »

Add to briefcase

Permissions Expand / Collapse