How do I prevent the Windows Administrator Account from viewing my database?

  • Hi,

    I am implementing a system at a site where there are 3 other developers. 2 of them have been trying to convince my customer to throw out my app for one they are developing. They are in cahoots with the Network Administrator (Windows Administrator Account). These developers have been coming in at odd hours and opening up my database. I've managed to get a copy of their database format and LO AND BEHOLD, it is my database format exactly! I am considering revising some of the inefficient routines so as to offer the client something new (which they will not have in their version) thereby keeping the client with me and rendering their activities useless. This requires that I prevent the Network Administrator from even seeing my database. If I can lock access to the database with a password like it is in MySQL or ORACLE it would be OK, but SQL Server 2005 does not seem to have such functionality! The Network Administrator is a close relative of the owner and the owner does not seem to want to sanction his activities. What can I do?

  • This situation seems strange, do you all work for the same company?

    I would first look for a non-technical solution to this problem involving meeting with the customers and the other developers and explaining the issues.

    Locking the admin out of the database server can be difficult and sometimes dangerous in a disaster situation.

    Have you considered another approach? You could create a virtual server for your dev work and shut this down each night to prevent access, or you could consider detaching the database at the end of the day and then storing the mdf files in an encrypted folder that no one will be able to access.

  • Are you using Windows Authentication or Mixed mode (SQL Server and Windows Authentication)?

  • No, I do not work for the same company. I am a supplier of an app which uses an SQL Server database. The other developers initially came in to do completely different work, which they still have not finished doing. I finished my project about 8 months ago and I only get called in to introduce improvements to things like Business Intelligence reports etc. It is during one of my visits there that I found out what was happening. The owner of the company is out of the country and cannot be reached on phone. I have emailed him and the response is that he will deal with the matter once he gets back (3 weeks from today). I have been working on improvements and I would like to protect my improvements so as to distinguish my work from theirs. If they still have access to the database, they will just copy the improvements and present them as their own! In this manner, I may be edged out by the Network Administrator on very flimsy grounds. If however, I can prevent access to the database, I can introduce my improvements, and when the owner gets back, my solution will stand out head and shoulders above theirs.

  • the bad news: anyone with sysadmin privileges cannot be prevented from reviewing your database, and even if you disabled Windows logins, since he has physical control, he could add himself right back, you'd just annoy him.

    if the bulk of your business logic is in stored procedures, and you are afraid they are stealing your work product, you could start moving some of that logic into the executable and dll's that comprise your application. Then the database is just the storage center for the data used by the application.

    a copy of your database could just be for testing purposes, and not necessarily nefarious reverse engineering. don't you have a contract stating they are not permitted to alter your database/reverse engineer your application?

    Lowell


    --help us help you! If you post a question, make sure you include a CREATE TABLE... statement and INSERT INTO... statement into that table to give the volunteers here representative data. with your description of the problem, we can provide a tested, verifiable solution to your question! asking the question the right way gets you a tested answer the fastest way possible!

  • The SQL Server installation has been set up to use Mixed mode because the other developers' applications cannot use OLEDB. To answer the questions, it is Mixed Mode

  • I do. I have threatened all manner of consequences on the Network Administrator and his motley crew, but the cost of taking the matter to court is more than I am willing to pay (It exceeds my fees for the work by about 3 times). I would have to work on 3 separate improvements of the magnitude I am working on now to pay the lawyer and oil the process of restraining them. This is why I am looking for a way of preventing them from accessing my database.

  • Lowell, initially, all my stored procedures were in the executable. However, when the activity in the database increased to millions of transactions, I had to move them to the database so as to prevent timeout and other heavy processing errors from occurring.

    I have received another suggestion though. To encrypt all views, stored procedures and functions so that they are not accessible. Is there a free download that they can use to decrypt my encrypted objects? Anyway, I'll use encryption if for nothing else, to slow them down.

    Anyone know how to encrypt all objects in a database using as few commands as possible?

  • I would then look at your contract you have with the customer and if legally applicable look at getting a lawyer to issue a letter to the other development company.

    However this could be an expensive route to take and could also alienate your customer, so you will have to weigh up the costs and benefits of this approach.

    Also for future client work you should look at encapsulating some of the logic in DLLs as mentioned

  • CREATE PROCEDURE WHATEVER WITH ENCRYPTION.....

    but encryption only goes so far....SQL has to be able to decrypt it to use it, right? you can make it harder on them, but it will not stop them if they are dedicated enough to reverse engineer and clone your code.

    by logging in using the Dedicated Access Connection, you can decrypt/see everything decrypted anyway. so physical control once again beats anything you put to slow em down.

    Lowell



  • Thanks y'all, I'll start with encryption, then progressively transfer business logic to DLLs. I hope the speed will still be acceptable (many transactions).

    If you know a way to encrypt multiple objects without having to do them one object at a time, please hola back.

  • Use a cursor to encrypt things, but if these people are copying your code, they could probably decrypt them quickly.

    What you are doing with the lawyer is right, but I might also serve the company a letter from a lawyer as well since their network admin is allowing this. Attacking both groups, maybe even serving them individually, might stop things.

    The other thing you can do is work on improvements, demonstrate them, but then remove them from the system when you leave. Users will likely throw some pressure on the admins as well if they are preventing things from happening.

  • Some sample routine code?
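
Added example, not part of any post in this thread and not code from any participant: two read-only T-SQL catalog queries, using only views and functions available from SQL Server 2005, that show what the replies above describe. The first lists every login in the sysadmin role; the second lists which modules in the current database are already stored WITH ENCRYPTION. The column aliases are chosen here for illustration.

```sql
-- Added example (not from the thread). Read-only; run in the database
-- that holds the application's objects.

-- 1. Logins that hold sysadmin on this instance. Each of these can read
--    any database here regardless of database-level permissions.
--    A row of type WINDOWS_GROUP covers every member of that group.
SELECT p.name        AS login_name,
       p.type_desc   AS login_type,
       p.is_disabled
FROM   sys.server_role_members AS rm
JOIN   sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN   sys.server_principals   AS p ON p.principal_id = rm.member_principal_id
WHERE  r.name = N'sysadmin'
ORDER  BY p.name;

-- 2. Procedures, views, functions and triggers in the current database,
--    with whether each one was created WITH ENCRYPTION.
--    For an encrypted module, sys.sql_modules.definition is NULL.
SELECT SCHEMA_NAME(o.schema_id) AS module_schema,
       o.name                   AS module_name,
       o.type_desc              AS module_type,
       CASE WHEN OBJECTPROPERTY(o.object_id, 'IsEncrypted') = 1
            THEN 'encrypted'
            ELSE 'plain text'
       END                      AS source_state
FROM   sys.objects     AS o
JOIN   sys.sql_modules AS m ON m.object_id = o.object_id
WHERE  o.is_ms_shipped = 0
ORDER  BY source_state DESC, module_schema, module_name;
```

WITH ENCRYPTION is specified per object in its CREATE or ALTER statement, so the 'plain text' rows are the ones that would have to be redeployed from their source scripts with the option added. Keep those scripts outside the server, because the definition of an encrypted module can no longer be read back from sys.sql_modules.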
