Security of the database

  • A lot of security issues have been discussed in the past. But a trivial security problem baffles me.

    It is possible for anybody to copy the mdf and ldf files of a database, copy it on another machine and have complete access over it, if he has admin rights. How is it possible to overcome this security problem?

    What I need is once the database is created with a user on a particular machine, the access must be restricted to that user only and not even to sa. Is this kind of security possible in SQL Server 2000?

  • "It is possible for anybody to copy the mdf and ldf files of a database, copy it on another machine and have complete access over it"

    If users have access to the server such that they can shut SQL down and copy the database files off, then you have a far bigger problem than database security.

    How to overcome it is simple. Secure the server. Ensure that only those who need access to the server (probably just the server admins) have access.

    Gail Shaw
    Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
    SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability

    We walk in the dark places no others will enter
    We stand on the bridge and no one may pass
  • Let me point out the problem from a different angle.

    I have developed an application using SQL Server 2000 as the backend. When I implement the same at a client's location, he has complete access to the database. What I want to achieve is that the database can only be accessed from my application, with only my password. The client would have admin access to the server, but he is not supposed to touch the database directly.

  • Remove builtin\Administrators from the sysadmin role. Make sure that you have another admin account before you do that. Make sure that the sa login has a strong password.

    It won't stop him from copying the data files off, but there's no way to stop a system administrator from doing that. Speak to the client's system administrators about securing the server.

    That's about the best you can do if you don't have control over the infrastructure and the server.

     

    Gail Shaw
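
The steps from the reply above as a T-SQL script for SQL Server 2000, ordered so that a replacement administrator is confirmed before BUILTIN\Administrators loses sysadmin. This is an added example, not part of the original thread; `CLIENTDOM\dba_admin` and the password value are placeholders.

```sql
-- Added example (not from the thread). Run as a sysadmin in Query Analyzer.
USE master
GO

DECLARE @keep_admin sysname
SET @keep_admin = N'CLIENTDOM\dba_admin'   -- placeholder: existing Windows account that keeps admin rights

-- 1. Make sure the replacement administrator has a login and is in sysadmin.
IF NOT EXISTS (SELECT 1 FROM master.dbo.syslogins WHERE loginname = @keep_admin)
    EXEC sp_grantlogin @keep_admin

IF NOT EXISTS (SELECT 1 FROM master.dbo.syslogins
               WHERE loginname = @keep_admin AND sysadmin = 1)
    EXEC sp_addsrvrolemember @keep_admin, 'sysadmin'

-- 2. Guard: stop unless a usable sysadmin other than sa and
--    BUILTIN\Administrators exists, so the server cannot be left unmanaged.
IF NOT EXISTS (SELECT 1 FROM master.dbo.syslogins
               WHERE sysadmin = 1 AND hasaccess = 1 AND denylogin = 0
                 AND loginname NOT IN (N'sa', N'BUILTIN\Administrators'))
BEGIN
    RAISERROR('No other sysadmin login found; BUILTIN\Administrators left unchanged.', 16, 1)
    RETURN
END

-- 3. Remove the local Administrators group from the sysadmin role.
IF EXISTS (SELECT 1 FROM master.dbo.syslogins
           WHERE loginname = N'BUILTIN\Administrators' AND sysadmin = 1)
    EXEC sp_dropsrvrolemember N'BUILTIN\Administrators', 'sysadmin'

-- 4. Give sa a strong password (placeholder value; replace before running).
EXEC sp_password NULL, N'<replace-with-strong-password>', N'sa'

-- 5. Review who still holds sysadmin.
EXEC sp_helpsrvrolemember 'sysadmin'
GO
```

As the reply notes, this limits who can log in to SQL Server with sysadmin rights; it does not prevent a Windows administrator from copying the data files.
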
  • What's so precious about your data that you don't want the user (i.e. the owner) to access it through anything but your interface? I wouldn't buy a software product if I couldn't have access to the data directly.

    Steve B.
