Re: SQL Server Issues ::: ( how to avoid this issues )


From: Tibor Karaszi (tibor_please.no.email_karaszi_at_hotmail.nomail.com)
Date: 09/22/04


Date: Wed, 22 Sep 2004 09:35:11 +0200


> You *cannot* keep your domain admins out of SQL Server.

Hmm, what about removing the BUILTIN\Administrators group and not adding another Windows group (as
sysadmin)? However, the administrators can stop SQL Server, copy the files and attach the files to
another SQL Server...

> If you really want to protect the data from everyone including domain
> admins, then consider encrypting it before it's put into the database,
> then no-one can read it except the people with the key. There should be
> third party products available that can do this.

The built-in encryption in NTFS ("EFS") is supported by SQL Server. I'm not a security person, so I
can't say how easy this is to crack, though...

-- 
Tibor Karaszi, SQL Server MVP
http://www.karaszi.com/sqlserver/default.asp
http://www.solidqualitylearning.com/

"Mark Allison" <marka@no.tinned.meat.mvps.org> wrote in message
news:%23t$oEYHoEHA.3556@TK2MSFTNGP10.phx.gbl...
> Danny,
>
> 1.
> SQL Server 2000 has two modes: Windows Only, and SQL Server and Windows
> (Mixed Mode). SQL only mode was last seen in SQL 6.5.
>
> You *cannot* keep your domain admins out of SQL Server. There's nothing
> you can do to stop it. They are a local admin on every machine in the
> domain. If you create a SQL Server DBA Group and only assign that as
> sysadmin in SQL Server, then they can just add themselves to that group
> if they like.
>
> This sort of thing should be governed by trust, and perhaps corporate IT
> policy, that only the DBAs are allowed access to SQL Server.
>
>
> 2.
> If you do not allow people access to the physical machine that SQL
> Server is running on, then they won't be able to get to the physical
> data files, so this shouldn't be a worry. Only allow domain admins and
> DBAs access to the database server.
>
> If you really want to protect the data from everyone including domain
> admins, then consider encrypting it before it's put into the database,
> then no-one can read it except the people with the key. There should be
> third party products available that can do this.
>
> --
> Mark Allison, SQL Server MVP
> http://www.markallison.co.uk
>
> Looking for a SQL Server replication book?
> http://www.nwsu.com/0974973602m.html
>
>
> Danny John wrote:
> > Hi,
> >   I'm a Sybase ASE DBA. Now we are planning to migrate our
> > applications to MS SQL Server, and we purchased the
> > Standard edition of MS SQL Server 2000.
> >
> > 1. Is it possible to restrict the Windows users (
> > Administrators, and users ) from accessing SQL Server ?
> > i.e. Only SQL Server Authentication is enabled.
> > Normally in most of the companies, except bigger
> > companies, the hardware/network guys will be knowing the
> > Administrator password and all. And they won't be DBAs. If
> > Windows authentication is enabled, any of those guys can
> > play with it.
> > sp_denylogin is not a solution for it, because every time they
> > can create new users.
> >
> > 2. When we are creating a database we have to provide
> > the Data and Log files. We don't want to share the
> > information of the database to others, but in MS SQL
> > Server .
> > Suppose we created a database DB1, with Data File
> > d:\Data\MyData.Dat and Log file D:\Data\MyLog.Dat and
> > making some secret transactions in it.
> >
> > Now we are creating a new database called DB2 with Data
> > File Z:\Data\DataZ.Dat and Log file Z:\Data\LogZ.Dat. Now
> > we are stopping the SQL Server and
> > copying the DB1 files (d:\Data\MyData.Dat and
> > D:\Data\MyLog.Dat ) to Z:\Data and renaming them as
> > Z:\Data\LogZ.Dat and Z:\Data\DataZ.Dat.
> >
> > Start the SQL Server, now you can see all the DB1 data in
> > DB2..
> >
> > That means anyone can see my secret data in this way.
> >
> >
> >
> > Any suggestions,
> > Thanks in advance.
> > Danny
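
The change suggested in the reply above (dropping BUILTIN\Administrators without adding another Windows group as sysadmin), sketched as an added example that is not part of the original posts. It uses SQL Server 2000 system procedures; the account names `CORP\dba_alice` and `CORP\sqlsvc` are hypothetical placeholders.

```sql
-- Added example, not from the thread. Run as an existing sysadmin.
-- CORP\dba_alice (a named DBA) and CORP\sqlsvc (the SQL Server service
-- account) are hypothetical names; substitute your own.

-- 1. Record who holds sysadmin before changing anything.
EXEC sp_helpsrvrolemember 'sysadmin'

-- 2. Give a named individual account its own sysadmin login first,
--    so removing the Administrators group cannot lock every DBA out.
--    An individual account is used rather than a group, because a
--    domain admin can add themselves to any Windows group.
IF NOT EXISTS (SELECT 1 FROM master.dbo.syslogins
               WHERE loginname = 'CORP\dba_alice')
    EXEC sp_grantlogin 'CORP\dba_alice'
EXEC sp_addsrvrolemember 'CORP\dba_alice', 'sysadmin'

-- 3. Assumption: services that previously connected through the
--    Administrators group (for example SQL Server Agent) run as
--    CORP\sqlsvc and need an explicit login of their own.
IF NOT EXISTS (SELECT 1 FROM master.dbo.syslogins
               WHERE loginname = 'CORP\sqlsvc')
    EXEC sp_grantlogin 'CORP\sqlsvc'
EXEC sp_addsrvrolemember 'CORP\sqlsvc', 'sysadmin'

-- 4. Take the local Administrators group out of sysadmin and
--    remove its login entry altogether.
EXEC sp_dropsrvrolemember 'BUILTIN\Administrators', 'sysadmin'
EXEC sp_revokelogin 'BUILTIN\Administrators'

-- 5. Verify: any remaining Windows group with sysadmin (isntgroup = 1)
--    is a path by which Windows administrators can get back in.
SELECT loginname, isntgroup, isntuser
FROM   master.dbo.syslogins
WHERE  sysadmin = 1
ORDER  BY loginname
```

This only closes the login path. As the reply notes, a local administrator can still stop the service and copy the data files, so NTFS permissions on the data directory or encryption of the data remain separate controls.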

