SQL Datafile... How to protect ????


aj-156165
SQL Experts,

Could you please share your expertise or the solution found to resolve the issue below.

How can we protect SQL2k datafiles (MDF) by putting in place some measures which will not allow anyone to attach or create a database using any MDFs on any instance of SQL Server?

At the moment I can see that MDFs and LDFs can be taken from SQL Server machines by stopping the services, and the same can be attached to any SQL instances running on other machines.

I understand only an OS admin can stop SQL services. I am not worrying about admin or users. Looking for a solution to protect SQL MDFs.

Please help..

Regar
GilaMonster
Do you want to prevent people from attaching data files, or from copying data files off the machine?

For the first, don't give db_creator rights to anyone. Sysadmins can do it, no one else should (unless you really trust them).

For the second, ensure no one but the server admins have access to the physical machine. No shares, no login permissions, no file system access. Ensure that no one but the server admins and sysadmins have the rights to stop the SQL service.

Plus very strong admin passwords.


Gail Shaw
Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability

We walk in the dark places no others will enter
We stand on the bridge and no one may pass


aj-156165
Gail Shaw

I understand your point, which is all in place!

The issue is here. We suspect Windows admins!!! If they took a copy of the SQL MDFs and sent it to any of our competitors, they could easily attach our data to their SQL instances using "sa". This is what I want to prevent. How can this be done?

This is a security risk!! The DBA should have a solution, I believe, since we cannot rely on OS admins all the time. We need to protect against the data leakage :)

Rgds/Ahmed
GilaMonster
There's nothing you can really do to protect the server against the admins of that server. They have full control over the servers and possibly even the domain. Stealing your data file is the least of the damage they could do.

In SQL 2005 and 2008 you can encrypt part or all of the database, but even that may not be a complete defence against the server admins who may be able to get hold of encryption keys.

Do you have anything solid behind your suspicions? If so, take it to your information security people, or to management.

Basically, it comes down to this. If you don't trust them, why do they still have admin privileges?


Gail Shaw
Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability

We walk in the dark places no others will enter
We stand on the bridge and no one may pass
aj-156165
As I said earlier, we are not worrying about OS admins or users having OS admin roles. We do not want to blame anyone in an organization for any data leakage.

The issue is here: why is MS allowing SQL users (sa & server admin role users) to attach MDFs to any SQL instances or MSDEs? Here is the issue. Rather than us looking into OS admins, as a DBA, we should have something in place to protect the data file. Otherwise, I would say SQLk is not a secured database.

Hope MS will come up with some sort of protection in their future version to overcome this issue.

I believe you will agree with me on this issue :)

Rgds/
AwigIT
Hey, go to the MS download center, find the DPM tool kit site and download the guide.
Go

