how to secure a sql 2005 database?

02/11/2006, 22h01

Hi,
I was wondering if there is a way to secure a sql 2005 database.
i want to distribute an app and would prefer that any customers not be
able to get into the database and make changes to structures, or
basically steal the database design, especially if i distribute a trial
version.

it seems that if someone has access to a standard sql server, anyone
could attach any database and see what's in it, takeover control etc.

how is everyone else securing their stuff?

thanks in advance. Jay

03/11/2006, 06h55

> I was wondering if there is a way to secure a sql 2005 database.
> i want to distribute an app and would prefer that any customers not be
> able to get into the database and make changes to structures, or

Use DDL triggers that roll back any change.

> basically steal the database design, especially if i distribute a trial
> version.

Why do you think anybody is going to steal your design? Do you think it is
something special? I doubt. Check, for example, free models at
http://www.databaseanswers.org/data_models/index.htm and books by Len
Silverston
(http://www.amazon.com/s/ref=nb_ss_gw...en+silverston).

> it seems that if someone has access to a standard sql server, anyone could
> attach any database and see what's in it, takeover control etc.

Not anyone, only administrators. And this is correct. Your customers will
have their data in the database, not yours; they need access to their own
data, for example for reporting. Therefore, you should not hide the schema;
even more, a well done application should include documentation, including
the database schema.

--
Dejan Sarka
http://www.solidqualitylearning.com/blogs/

03/11/2006, 16h43

You can encrypt the stored procedures so even the system administrators
cannot see them. See example F at
http://msdn2.microsoft.com/en-us/library/ms187926.aspx
Once encrypted you can't un-encrypt it, so you are responsible for having a
backup of the procedure text.
--
Rick Byham, MS
This posting is provided "AS IS" with no warranties, and confers no rights.

"Dejan Sarka" <dejan_please_reply_to_newsgroups.sarka@avtenta.si > wrote in
message news:OD9qYUx$GHA.1224@TK2MSFTNGP04.phx.gbl...
>> I was wondering if there is a way to secure a sql 2005 database.
>> i want to distribute an app and would prefer that any customers not be
>> able to get into the database and make changes to structures, or
>
> Use DDL triggers that roll back any change.
>
>> basically steal the database design, especially if i distribute a trial
>> version.
>
> Why do you think anybody is going to steal your design? Do you think it is
> something special? I doubt. Check, for example, free models at
> http://www.databaseanswers.org/data_models/index.htm and books by Len
> Silverston
> (http://www.amazon.com/s/ref=nb_ss_gw...en+silverston).
>
>> it seems that if someone has access to a standard sql server, anyone
>> could attach any database and see what's in it, takeover control etc.
>
> Not anyone, only administrators. And this is correct. Your customers will
> have their data in the database, not yours; they need access to their own
> data, for example for reporting. Therefore, you should not hide the
> schema; even more, a well done application should include documentation,
> including the database schema.
>
>
> --
> Dejan Sarka
> http://www.solidqualitylearning.com/blogs/
>
>
>

04/11/2006, 00h10

thanks for the link. that's why i rather keep my stored procedures in
my own source code, then pass it thru to sqlexec to execute.
i have greater control of it. executes just as fast.

i'm pretty paranoid about some of my creations, i develop apps to sell,
not for clients to take over the database. so i need to protect my
rights. its like quickbooks turning over their internal structures,
which they really don't, but provide an api to export data out. i will
do the same or just provide views for the user to use. that's what ADP
does. you never see adp's internal structures.

so are you saying that i can't create a user and make that user the only
valid user to get into the database, and unless you know the password,
even admins, you cant open the database at all. i would hardcode the
pwd in my program of course for it to open the tables.

what do you think?
Jay

Rick Byham, MS wrote:
> You can encrypt the stored procedures so even the system administrators
> cannot see them. See example F at
> http://msdn2.microsoft.com/en-us/library/ms187926.aspx
> Once encrypted you can't un-encrypt it, so you are responsible for
> having a backup of the procedure text.

02/11/2006, 22h01	#1
Jay B Messages: n/a Hébergeur:	how to secure a sql 2005 database? Hi, I was wondering if there is a way to secure a sql 2005 database. i want to distribute an app and would prefer that any customers not be able to get into the database and make changes to structures, or basically steal the database design, especially if i distribute a trial version. it seems that if someone has access to a standard sql server, anyone could attach any database and see what's in it, takeover control etc. how is everyone else securing their stuff? thanks in advance. Jay

03/11/2006, 06h55	#2
Dejan Sarka Messages: n/a Hébergeur:	Re: how to secure a sql 2005 database? > I was wondering if there is a way to secure a sql 2005 database. > i want to distribute an app and would prefer that any customers not be > able to get into the database and make changes to structures, or Use DDL triggers that roll back any change. > basically steal the database design, especially if i distribute a trial > version. Why do you think anybody is going to steal your design? Do you think it is something special? I doubt. Check, for example, free models at http://www.databaseanswers.org/data_models/index.htm and books by Len Silverston (http://www.amazon.com/s/ref=nb_ss_gw...en+silverston). > it seems that if someone has access to a standard sql server, anyone could > attach any database and see what's in it, takeover control etc. Not anyone, only administrators. And this is correct. Your customers will have their data in the database, not yours; they need access to their own data, for example for reporting. Therefore, you should not hide the schema; even more, a well done application should include documentation, including the database schema. -- Dejan Sarka http://www.solidqualitylearning.com/blogs/

03/11/2006, 16h43	#3
Rick Byham, MS Messages: n/a Hébergeur:	Re: how to secure a sql 2005 database? You can encrypt the stored procedures so even the system administrators cannot see them. See example F at http://msdn2.microsoft.com/en-us/library/ms187926.aspx Once encrypted you can't un-encrypt it, so you are responsible for having a backup of the procedure text. -- Rick Byham, MS This posting is provided "AS IS" with no warranties, and confers no rights. "Dejan Sarka" <dejan_please_reply_to_newsgroups.sarka@avtenta.si > wrote in message news:OD9qYUx$GHA.1224@TK2MSFTNGP04.phx.gbl... >> I was wondering if there is a way to secure a sql 2005 database. >> i want to distribute an app and would prefer that any customers not be >> able to get into the database and make changes to structures, or > > Use DDL triggers that roll back any change. > >> basically steal the database design, especially if i distribute a trial >> version. > > Why do you think anybody is going to steal your design? Do you think it is > something special? I doubt. Check, for example, free models at > http://www.databaseanswers.org/data_models/index.htm and books by Len > Silverston > (http://www.amazon.com/s/ref=nb_ss_gw...en+silverston). > >> it seems that if someone has access to a standard sql server, anyone >> could attach any database and see what's in it, takeover control etc. > > Not anyone, only administrators. And this is correct. Your customers will > have their data in the database, not yours; they need access to their own > data, for example for reporting. Therefore, you should not hide the > schema; even more, a well done application should include documentation, > including the database schema. > > > -- > Dejan Sarka > http://www.solidqualitylearning.com/blogs/ > > >

04/11/2006, 00h10	#4
Jay B Messages: n/a Hébergeur:	Re: how to secure a sql 2005 database? thanks for the link. that's why i rather keep my stored procedures in my own source code, then pass it thru to sqlexec to execute. i have greater control of it. executes just as fast. i'm pretty paranoid about some of my creations, i develop apps to sell, not for clients to take over the database. so i need to protect my rights. its like quickbooks turning over their internal structures, which they really don't, but provide an api to export data out. i will do the same or just provide views for the user to use. that's what ADP does. you never see adp's internal structures. so are you saying that i can't create a user and make that user the only valid user to get into the database, and unless you know the password, even admins, you cant open the database at all. i would hardcode the pwd in my program of course for it to open the tables. what do you think? Jay Rick Byham, MS wrote: > You can encrypt the stored procedures so even the system administrators > cannot see them. See example F at > http://msdn2.microsoft.com/en-us/library/ms187926.aspx > Once encrypted you can't un-encrypt it, so you are responsible for > having a backup of the procedure text.

Outils de la discussion
Afficher une version imprimable Envoyer un lien vers cette page par email