I have an app that uses a sql database. There is a password on the sql database but all someone has to do is stop sql service, detach, then reatach to any server they own and tada they have full access to all the information to edit ect. Is there a way to stop this?...
Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
Stop people from detaching database
- Thread starter blar9
- Start date
I would think you have some pretty major issues if 'someone' can do all that...
How are you controlling access to the server? And are you worried about developers doing this, or normal end-users?
[small]----signature below----[/small]
With all due respect, Don Bot, I don't think we should rely on an accident happening. Let's kill him ourselves.
Ignorance of certain subjects is a great part of wisdom
How are you controlling access to the server? And are you worried about developers doing this, or normal end-users?
[small]----signature below----[/small]
With all due respect, Don Bot, I don't think we should rely on an accident happening. Let's kill him ourselves.
Ignorance of certain subjects is a great part of wisdom
Alex I think that the OP has an app which he installs on the client together with the SQL DB (MSDE or Express)
Since the client owns the machine he can stop the service detach and then attach and change data
Encrypt some of the data through the client app so that they cannot use all the data
Denis The SQL Menace
--------------------
SQL Server Code,Tips and Tricks, Performance Tuning
SQLBlog.com, Google Interview Questions
Since the client owns the machine he can stop the service detach and then attach and change data
Encrypt some of the data through the client app so that they cannot use all the data
Denis The SQL Menace
--------------------
SQL Server Code,Tips and Tricks, Performance Tuning
SQLBlog.com, Google Interview Questions
ptheriault
IS-IT--Management
Um,
If you stop the sql services you can't run sp_detachdb! The services need to be running to do that. IF you stop the services you can just copy the mdf and ldf files. I would also ask what access your users have to the server if they can stop the sql services! Once someone stops the services they can do anything they want to your data files!
Can you post your security model.
- Paul
- If at first you don't succeed, find out if the loser gets anything.
If you stop the sql services you can't run sp_detachdb! The services need to be running to do that. IF you stop the services you can just copy the mdf and ldf files. I would also ask what access your users have to the server if they can stop the sql services! Once someone stops the services they can do anything they want to your data files!
Can you post your security model.
- Paul
- If at first you don't succeed, find out if the loser gets anything.
- Thread starter
- #5
They are hosting the db so they have full access to the server I cannot restrict that. I want to keep them from being able to detach them.. I think its pretty sad that you can do this. For example you all prob know that Act!, a db program that does not allow you to access the actuall db files. Well... you can stop sql service that is connected to the db files then you can detach the databases and reatach them to any server you want and then you can do anything you want with them. They have encryped the sps in the db which I will do also. Is there a way to encrypt the actuall sql db tables in the same manner?
Thanks for all help
Thanks for all help
You can encrypt data on data entry through your user interface before you send to SQL Server, however, this will have to be decrypted each time the data is displayed and will significantly slow down the performance. I would consider if maybe there are only a few columns of data that you would want encrypted not all of them.
The best bet is to host your own servers in this case rather than allowing them to be hosted by someone you clearly do not trust. Other than that I would suggest they sign an agreement holding them liable if they allow your data to be stolen.
"NOTHING is more important in a database than integrity." ESquared
The best bet is to host your own servers in this case rather than allowing them to be hosted by someone you clearly do not trust. Other than that I would suggest they sign an agreement holding them liable if they allow your data to be stolen.
"NOTHING is more important in a database than integrity." ESquared
mrdenny
Programmer
- May 27, 2002
- 11,595
There isn't a way to encrypt the tables. You can encrypt the data within the tables either through a function within the GUI or with third party DLLs (if SQL 2000) or the native encryption (if SQL 2005).
However if you are talking about a system at a clients site, it's thier data. They own it, why do you not want them to be able to see it.
BTW, SQL encryption on stored procedures was broken years ago. It only takes a few seconds to decrypt all the stored procedures in a database.
The reason that ACT! doesn't let you access the data files is because they are in a priority format.
Even if you encrypt the data within the tables, given enough time the encryption can be broken. All it takes is time.
As a customer of a database platform I would be very angry if the data in the database was encrypted so that I could not see it out side of the application. Once I saw this I would probably end up recommending to managment that we dump the app and go with it's competator. If the software is installed on my machine, and it's holding my business's information I have every right to view the information. My vendor has no place telling me what I can and can not do with information which my company owns.
Denny
MCSA (2003) / MCDBA (SQL 2000)
MCTS (SQL 2005 / Microsoft Windows SharePoint Services 3.0: Configuration / Microsoft Office SharePoint Server 2007: Configuration)
MCITP Database Administrator (SQL 2005) / Database Developer (SQL 2005)
--Anything is possible. All it takes is a little research. (Me)
![[noevil]](/data/assets/smilies/noevil.gif "[noevil] [noevil]")
However if you are talking about a system at a clients site, it's thier data. They own it, why do you not want them to be able to see it.
BTW, SQL encryption on stored procedures was broken years ago. It only takes a few seconds to decrypt all the stored procedures in a database.
The reason that ACT! doesn't let you access the data files is because they are in a priority format.
Even if you encrypt the data within the tables, given enough time the encryption can be broken. All it takes is time.
As a customer of a database platform I would be very angry if the data in the database was encrypted so that I could not see it out side of the application. Once I saw this I would probably end up recommending to managment that we dump the app and go with it's competator. If the software is installed on my machine, and it's holding my business's information I have every right to view the information. My vendor has no place telling me what I can and can not do with information which my company owns.
Denny
MCSA (2003) / MCDBA (SQL 2000)
MCTS (SQL 2005 / Microsoft Windows SharePoint Services 3.0: Configuration / Microsoft Office SharePoint Server 2007: Configuration)
MCITP Database Administrator (SQL 2005) / Database Developer (SQL 2005)
--Anything is possible. All it takes is a little research. (Me)
- Thread starter
- #8
mrdenny
Programmer
- May 27, 2002
- 11,595
That's what contracts and lawyers are for.
If they are hosting the SQL Server them selves they can do anything with the data within the SQL Server that they want.
If you don't trust them enough to give them direct access to the data and the schema...
1. Host the database your self.
2. Don't do business with them.
3. Contracts with wording that addresses your companies concerns.
Denny
MCSA (2003) / MCDBA (SQL 2000)
MCTS (SQL 2005 / Microsoft Windows SharePoint Services 3.0: Configuration / Microsoft Office SharePoint Server 2007: Configuration)
MCITP Database Administrator (SQL 2005) / Database Developer (SQL 2005)
--Anything is possible. All it takes is a little research. (Me)
If they are hosting the SQL Server them selves they can do anything with the data within the SQL Server that they want.
If you don't trust them enough to give them direct access to the data and the schema...
1. Host the database your self.
2. Don't do business with them.
3. Contracts with wording that addresses your companies concerns.
Denny
MCSA (2003) / MCDBA (SQL 2000)
MCTS (SQL 2005 / Microsoft Windows SharePoint Services 3.0: Configuration / Microsoft Office SharePoint Server 2007: Configuration)
MCITP Database Administrator (SQL 2005) / Database Developer (SQL 2005)
--Anything is possible. All it takes is a little research. (Me)
- Thread starter
- #10
This has happened and did get lawyers involved basically if you allow them access to the db and they did not break any kind of encryption they can do whatever they want with it.
1.) not my company not my call I wish...
2.) no money no job no concern...
3.) didn't stop anyone the first time and you know what lawyers cost?..
1.) not my company not my call I wish...
2.) no money no job no concern...
3.) didn't stop anyone the first time and you know what lawyers cost?..
- Thread starter
- #11
mrdenny
Programmer
- May 27, 2002
- 11,595
Yep. Their server, their data. You can't stop them from doing anything.
The only way to stop them would be to put it in the Terms of Service and the contacts when they buy the software.
Even if the database is under 2 Gigs and is on MSDE or Express a DBA can get the Express instance opened up and accessable like a normal SQL Server in about 30 seconds.
Denny
MCSA (2003) / MCDBA (SQL 2000)
MCTS (SQL 2005 / Microsoft Windows SharePoint Services 3.0: Configuration / Microsoft Office SharePoint Server 2007: Configuration)
MCITP Database Administrator (SQL 2005) / Database Developer (SQL 2005)
--Anything is possible. All it takes is a little research. (Me)
The only way to stop them would be to put it in the Terms of Service and the contacts when they buy the software.
Even if the database is under 2 Gigs and is on MSDE or Express a DBA can get the Express instance opened up and accessable like a normal SQL Server in about 30 seconds.
Denny
MCSA (2003) / MCDBA (SQL 2000)
MCTS (SQL 2005 / Microsoft Windows SharePoint Services 3.0: Configuration / Microsoft Office SharePoint Server 2007: Configuration)
MCITP Database Administrator (SQL 2005) / Database Developer (SQL 2005)
--Anything is possible. All it takes is a little research. (Me)
GLComputing
IS-IT--Management
If they have admin access to the server, you can't prevent it... if they don't have admin access, you could prevent the service being stopped (well, Windows being what it is, at least make it difficult) - especially if on a Domain.
One possible option might be to include a server with the project... depending on the scale of the contract, this may or may not be feasable. You'd own the server and rent it to them. Then you could control it and access to it
Otherwise... host it and they access it via the web
However, as Denny said... it's their data. So any contract would need to say that you own the data as well as the code. Not sure how legit that would be.
BTW: For those quoting 2GB, I think SQL 2005 Express is 4GB
BTW Denny, the ACT! database isn't proprietary (ACT! 10 uses SQL 2005 Express or Standard depending on the version)and Sage will make available or Reado Only pass and even the SA password to corporate clients who want to use SQL backup tools or Crystal Reports. The reason they don't give the SA to everyone is that much of the code would fail if the data structure changes and ACT! users typically don't have the expertise to understand the consquences of a change.
Regards,
Mike Lazarus
ACT! Evangelist
GL Computing, Aust
One possible option might be to include a server with the project... depending on the scale of the contract, this may or may not be feasable. You'd own the server and rent it to them. Then you could control it and access to it
Otherwise... host it and they access it via the web
However, as Denny said... it's their data. So any contract would need to say that you own the data as well as the code. Not sure how legit that would be.
BTW: For those quoting 2GB, I think SQL 2005 Express is 4GB
BTW Denny, the ACT! database isn't proprietary (ACT! 10 uses SQL 2005 Express or Standard depending on the version)and Sage will make available or Reado Only pass and even the SA password to corporate clients who want to use SQL backup tools or Crystal Reports. The reason they don't give the SA to everyone is that much of the code would fail if the data structure changes and ACT! users typically don't have the expertise to understand the consquences of a change.
Regards,
Mike Lazarus
ACT! Evangelist
GL Computing, Aust
ptheriault
IS-IT--Management
Personaly, I wouldn't purchase any product from a company that won't let me view my own data. The only exception is ADP but they host the server we login to their sight and download payroll information. Every company has the right to report on their data in anyway they want to.
- Paul
- If at first you don't succeed, find out if the loser gets anything.
- Paul
- If at first you don't succeed, find out if the loser gets anything.
mrdenny
Programmer
- May 27, 2002
- 11,595
My bad. I haven't even looked at ACT! in years. Wasn't the old version proprity?
Denny
MCSA (2003) / MCDBA (SQL 2000)
MCTS (SQL 2005 / Microsoft Windows SharePoint Services 3.0: Configuration / Microsoft Office SharePoint Server 2007: Configuration)
MCITP Database Administrator (SQL 2005) / Database Developer (SQL 2005)
--Anything is possible. All it takes is a little research. (Me)
GLComputing
IS-IT--Management
ACT! versions 1-2 for Windows used CodeBase III (dBase)
ACT! versions 3-6 used CodeBase IV (FoxPro with some proprietary extensions to support BLB - notes)
ACT! versions 7-8 used MSDE SQL Server 2000
ACT! versions 9-10 use SQL Server 2005 Express or Standard
Regards,
Mike Lazarus
ACT! Evangelist
GL Computing, Aust
ACT! versions 3-6 used CodeBase IV (FoxPro with some proprietary extensions to support BLB - notes)
ACT! versions 7-8 used MSDE SQL Server 2000
ACT! versions 9-10 use SQL Server 2005 Express or Standard
Regards,
Mike Lazarus
ACT! Evangelist
GL Computing, Aust
- Status
Similar threads
- Locked
- Question