0

I am working in a product based company and will provide SQL Server 2014 Express edition with our software. I want your expert comment on security.

Problem: As we are installing a database on client PC then they might be able to see our database schema by attaching MDF files to another server. (In my view, through database objects name and data, other companies can easily identify our workflow and can develop software easily) So I want some type of encryption or file system solution to prevent user to take database files. And yes as we are using express edition, we can’t use available SQL server encryption options.

jarlh
  • 42,561
  • 8
  • 45
  • 63
Vaibhav Shringi
  • 1
  • 1
  • Interesting, that is what my company does currently but the user has to have a special server role in order to open up the actual schema. That role is then linked with their login. When we create a user login we use a cryptic login like ght02%username% so windows auth do not have access. The only way of taking the MDF that i'm aware of is that if they have either detached the database or the service is running. Again this could be manageable. There are most likely better options though. Just my two cents. – SCramphorn Jul 13 '17 at 10:44
  • Possible duplicate of [Prevent database file from copying](https://stackoverflow.com/questions/21751646/prevent-database-file-from-copying) – SCramphorn Jul 13 '17 at 10:50

4 Answers4

1

Interesting, that is what my company does currently but the user has to have a special server role in order to open up the actual schema.

That role is then linked with their login. When we create a user login we use a cryptic login like ght02%username% and not just their windows credentials. This means that if they login via windows auth, do not have access to that schema.

The only way of taking the MDF that i'm aware of is that if they have either detached the database or the service is stopped. Again this could be manageable by disabling them stopping the server and they won't be able to detach if they don't have the permission.

There are most likely better options though.

Just my two cents.

Also a duplicate of this

SCramphorn
  • 447
  • 4
  • 23
  • 3
    Provided it's a client PC as OP stated it, a client can easily gain a total control and admin privileges over it. No problem to stop any service. – Serg Jul 13 '17 at 10:56
1

you can prevent client from copying files, only if client had minimal permissions on the box where you are copying the files

I would recommend SQLAZURE Database,it starts with 5$ Per month and i believe standard pricing tier is most suitable(approx:30$ per month)..with this way , you also can be sure, your schema is secure

TheGameiswar
  • 27,855
  • 8
  • 56
  • 94
0

You could try this third party software: https://www.database-encryption.com/ Database can only be restored/attached where this software is installed. Requires an encryption key to see any info from the database, it's free up to 200MB of database size (I currently use this software)

BytesOfMetal
  • 664
  • 10
  • 24
  • If the data is accessed on a machine where the user has administrative privileges, there is ALWAYS a way for the user to get the data. You can obfuscate it and attempt to make it more difficult, but in the end, if your program accesses the data, they can access the data, and they can always find any key you use by debugging your program. – James Jul 13 '17 at 13:02
  • Starting from the point that nothing is 100% secure. There are many software they can use (and probably they are currently running) to obfuscate their software code, encode strings, etc. which will do this kind of "hacks" much more difficult. If their final goal is to protect their software I assume they already took care of these points. What he's asking for is a way to prevent such actions through their database, and I think this software provides a significant layer of protection on that purpose. – BytesOfMetal Jul 13 '17 at 13:09
  • One man's "significant layer of protection" is another man's "futile attempts to hide." Good luck with that. – James Jul 13 '17 at 13:12
  • Let's stop using passwords then. – BytesOfMetal Jul 13 '17 at 13:19
  • Passwords have their place and are can provide great security when the data they protect is on a separate system you don't have physical or administrative access to. If you want to use security effectively, you have to understand how it works. – James Jul 13 '17 at 13:23
0

If you are willing to consider a third party product, there are at least two that can do what you want, viz protecting your SQL databases from your customers. One is ours: Encryptionizer for SQL Server. The other is DBEncrypt. They work very differently though. Encryptionizer sits between the SQL Server process and the OS, while DBEncrypt injects itself into the SQL process in memory using the old Detours SDK.

Neil Weicher
  • 2,370
  • 6
  • 34
  • 56