SQL Datafile... How to protect ????

  • SQL Experts,

    Could you please share your expertise or the solution being found to resolve the issue below.

    How can we protect SQL2k datafiles (mdf) by putting some measures in place which will not allow anyone to attach or create a database using any MDFs on any instance of SQL Servers?

    At the moment I can see that MDFs and LDFs can be taken from SQL Server machines by stopping the services, and the same can be attached to any SQL instances running on other machines.

    I understand only OS admin can stop SQL Services. I am not worrying about admin or users. Looking for a solution to protect SQL MDFs.

    Please help..

    Regar

  • Do you want to prevent people from attaching data files, or from copying data files off the machine?

    For the first, don't give db_creator rights to anyone. Sysadmins can do it, no one else should (unless you really trust them).

    For the second, ensure no one but the server admins have access to the physical machine. No shares, no login permissions, no file system access. Ensure that no one but the server admins and sysadmins have the rights to stop the SQL service.

    Plus very strong admin passwords.

    Gail Shaw
    Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
    SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability

    We walk in the dark places no others will enter
    We stand on the bridge and no one may pass
  • Gail Shaw

    I understand your point, which is all in place!

    The issue is here. We suspect Windows admins!!! If they took a copy of the SQL MDFs and sent it to any of our competitors, they could easily attach our data to their SQL instances using "sa". This is what I want to prevent. How can this be done?

    This is a security risk!! The DBA should have a solution, I believe, since we cannot rely on OS admins all the time. We need to protect against data leakage 🙂

    Rgds/Ahmed

  • There's nothing you can really do to protect the server against the admins of that server. They have full control over the servers and possibly even the domain. Stealing your data file is the least of the damage they could do.

    In SQL 2005 and 2008 you can encrypt part or all of the database, but even that may not be a complete defence against the server admins who may be able to get hold of encryption keys.

    Do you have anything solid behind your suspicions? If so, take it to your information security people, or to management.

    Basically, it comes down to this. If you don't trust them, why do they still have admin privileges?

    Gail Shaw
    Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
    SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability

    We walk in the dark places no others will enter
    We stand on the bridge and no one may pass
  • As I said earlier, we are not worrying about OS admin or users having OS admin roles. We do not want to blame anyone in an organization for any data leakage.

    The issue is here: why is MS allowing SQL users (sa & server admin role users) to attach MDFs to any SQL instances or MSDEs? Here is the issue. Rather than us looking into OS admins, as a DBA, we should have something in place to protect the data file. Otherwise, I would say SQL2k is not a secured database.

    Hope MS will come up with some sort of protection in their future version to overcome this issue.

    I believe you will agree with me on this issue 🙂

    Rgds/

  • Hey, go to the MS download center to find the DPM tool kit site and download the guide.
