Re: ms sql server 2000 security too weak ?

From: RW (goldbase_at_centrin.net.id)
Date: 04/13/04


Date: Wed, 14 Apr 2004 00:13:18 +0700

Sometimes trusting people too fully is risky to the company; there should be
a double-checking procedure and control by two authorized persons.

As for monitoring the data traffic, it is not very easy to do that if the
application is using a native database driver, except ODBC.

My suggestion is that attaching the MDF files should require the original
serial number of the MS SQL Server 2000 where they were created. I think at
least this is another way to protect the MDF files; even if somebody or the
kicked-out administrator copies them, they are useless, since they would have
to know the serial number to access the MDF.

What do you think ?

brgs,

Ridwan

Ken Schaefer wrote:
>
> If the user is an administrator of the SQL Server, then they can steal your
> MDF files. But then, they can do anything anyway.
>
> If the user is an administrator of the Windows machine that SQL Server is
> on, then they can steal everything on the server anyway.
>
> Normal users can not do this.
>
> So, you need to trust your administrators.
>
> Anyway, even if there was a "separate" password, how would your applications
> access the database? They would need the password, which means it has to be
> stored somewhere, which means the administrator could steal it from there
> (eg from the client application, or by monitoring the traffic that goes into
> SQL Server).
>
> Cheers
> Ken
>
> --
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> "RW" <goldbase@centrin.net.id> wrote in message
> news:407B4E73.682C@centrin.net.id...
> : You didn't get my question. What I mean is, if your database, which you
> : have protected with the algorithm, is re-installed by somebody on their
> : server, then all your data will be seen and accessed using their 'sa'
> : login, so where's the protection?
> :
> :
> :
> : Egbert Nierop (MVP for IIS) wrote:
> : >
> : > "RW" <goldbase@centrin.net.id> wrote in message
> : > news:407AB799.4F6F@centrin.net.id...
> : > > 1. using NTFS security still allows them to get in and duplicate the
> : > > database; this is not what I mean, but they can copy and open it in
> : > > another server without any protection.
> : > >
> : > > 2. using data encryption of course will slow down the performance while
> : > > we process large amounts of data
> : >
> : > see below...
> : >
> : > > I am not blaming MS; actually SQL Server is quite a good and easy to
> : > > maintain database, only we are so curious why other user data like
> : > > Excel spreadsheets, Word, Access can have their own password, and
> : > > especially the most important data container (SQL Server) is open like a
> : > > mall and welcome in, u just log in as 'sa' and u get everything.
> : > >
> : > > Why doesn't MS add an additional login password as an option? Maybe that's
> : > > much better than leaving it open.
> : >
> : > Applying a single password is really a nope-operation. For instance, SQL
> : > stored procs can be encrypted, but they can be decrypted using 'tools' that
> : > are available on the net.
> : > So that's why the 'slow' operation, that is a 3 key-algorithm
> : > (public/private/session) is the ONLY viable solution to safeguard a file. A
> : > single password with 'xor' encryption on a file is, as explained, useless.
> : >
> : > Cheers,
> :

