0

Background: [No copyright implementation]

[No copyright implementation] My company develops inventory control application for clients in the area where we don't have copyright protection by the government. The only option is to hide and protect things by ourselves. It is common for competitors here to copy other company's database and build front end on it and then start selling their own app.

The Problem

We use MS SQL server express edition and some times standard edition. We have found that any of customer can stop sql engine, copy the files from the pc where application was installed and then attach that database files into another system where they have full windows admin rights and that's it they can fully explore our database.

I am looking for

Is there any reliable solution to protect our database design being viewed by other people. Only our application may connect through the users we have created inside the db?

In past i had heard that sybase adaptive server has such functionality, windows users had no access in it and users were stored inside each db itself. there was no way to login if someone don't have password of the users stored in db itself.

Thanks

Your help will be highly appreciated.

Salik
  • 458
  • 7
  • 14
  • Sure you can easily prevent that sort of thing. You do it by hosting the database on YOUR server. The data belongs to your client not you. If you are really concerned about it then you should have some verbiage in your contracts about that sort of thing. Bottom line is you can't prevent a sysadmin from being a sysadmin on a server you can't control. There really shouldn't be anything in your database that is sensitive (outside of the actual data) anyway. If your business rules are in the database that is a fault of the design. – Sean Lange Mar 26 '15 at 15:19

1 Answers1

0

As suggested by Sean, hosting it yourself or in a cloud service like Azure SQL DB is your best bet. Still no guarantee but makes it significantly harder to get everything but a lot easier to lockdown than alternatives. It's also a lot easier to manage and handle user requests for restricted data compared to something deployed onsite.

Outside of that, there's really no practical way to do it if deployed at the customer's site. Even if you lock down all logins and users (regardless of Windows or SQL Server logins) so no customer login has admin level privileges, you still can't prevent them from copying the database file, mounting it on a different instance where they have admin privileges or even just running it as an app to reset SA password. If they have physical access, all bets are off. It's only a matter of knowledge and time.

You can make it harder by encrypting the entire database and only your app holds the key. Users then have to either break the encryption algorithm (hard if done right) or your application that holds the key (easier but still not trivial). Both are expensive to do correctly and they really just delay, not prevent access. You will also introduce other problems like key management and rotation which, if not done right can result in customers losing access to their data.

You could leave a cookie trail (e.g. functions and tables that are active,look like they're part of the app and are tightly coupled to useful parts of the app but actually aren't related to the application's core functionality). That makes it easier to prosecute later but if the country has no laws protecting intellectual property, this will only be useful if the software is re-used or resold in a country that has such laws.

SQLmojoe
  • 1,924
  • 1
  • 11
  • 15