Re: SQL Server Issues ::: ( how to avoid this issues )
From: Tibor Karaszi (tibor_please.no.email_karaszi_at_hotmail.nomail.com)
Date: 09/22/04
- In reply to: Danny John: "Re: SQL Server Issues ::: ( how to avoid this issues )"
Date: Wed, 22 Sep 2004 18:09:46 +0200
> Even if you are using exec sp_revokelogin [BUILTIN\Administrators] the domain
> admin can log to the SQL Server.
I fail to see how. I just tested that, and I can sure *not* log in to my SQL Server!
> in Sybase ASE and all, if u r replacing the DAT files with other database's
> DAT files, it won't work unless u supply the exact parameters... so we can say
> the DAT files are secured in all aspects.
Security by obfuscation is generally not considered a very good security method. Assuming Sybase uses
DISK INIT and DISK REFIT, then anyone who works at the dba level with Sybase or MS pre-7.0 will
understand how to use these commands.
--
Tibor Karaszi, SQL Server MVP
http://www.karaszi.com/sqlserver/default.asp
http://www.solidqualitylearning.com/

"Danny John" <DannyJohn@discussions.microsoft.com> wrote in message
news:A7174704-13D6-4CBF-9A5F-A368501CAB16@microsoft.com...
> Even if you are using exec sp_revokelogin [BUILTIN\Administrators] the domain
> admin can log to the SQL Server.
>
> 2. For a big company setup we can put IT policies... even in small..
> most of the SQL Server mid-ranged clients are Trading companies... and most
> of them have some SECRET data... and sometimes the Govt. agencies will take
> the system and check the database and all.. in this case if there is no strong
> database security, the traders will be really in deep trouble...
> in Sybase ASE and all, if u r replacing the DAT files with other database's
> DAT files, it won't work unless u supply the exact parameters... so we can say
> the DAT files are secured in all aspects.
>
> Danny
> "Tibor Karaszi" wrote:
>
>> > You *cannot* keep your domain admins out of SQL Server.
>>
>> Hmm, what about removing the BUILTIN\Administrators group and not adding another windows group (as
>> sysadmin)? However, the administrators can stop SQL Server, copy the files and attach the files
>> to another SQL Server...
>>
>>
>> > If you really want to protect the data from everyone including domain
>> > admins, then consider encrypting it before it's put into the database,
>> > then no-one can read it except the people with the key. There should be
>> > third party products available that can do this.
>>
>> The built-in encryption in NTFS ("EFS") is supported by SQL Server. I'm not a security person, so
>> I can't say how easy this is to crack, though...
>> --
>> Tibor Karaszi, SQL Server MVP
>> http://www.karaszi.com/sqlserver/default.asp
>> http://www.solidqualitylearning.com/
>>
>>
>> "Mark Allison" <marka@no.tinned.meat.mvps.org> wrote in message
>> news:%23t$oEYHoEHA.3556@TK2MSFTNGP10.phx.gbl...
>> > Danny,
>> >
>> > 1.
>> > SQL Server 2000 has two modes Windows Only and, SQL Server and Windows
>> > (Mixed Mode). SQL only mode was last seen in SQL 6.5.
>> >
>> > You *cannot* keep your domain admins out of SQL Server. There's nothing
>> > you can do to stop it. They are a local admin on every machine in the
>> > domain. If you create a SQL Server DBA Group and only assign that as
>> > sysadmin in SQL Server, then they can just add themselves to that group
>> > if they like.
>> >
>> > This sort of thing should be governed by trust, and perhaps corporate IT
>> > policy, that only the DBAs are allowed access to SQL Server.
>> >
>> >
>> > 2.
>> > If you do not allow people access to the physical machine that SQL
>> > Server is running on, then they won't be able to get to the physical
>> > data files, so this shouldn't be a worry. Only allow domain admins and
>> > DBAs access to the database server.
>> >
>> > If you really want to protect the data from everyone including domain
>> > admins, then consider encrypting it before it's put into the database,
>> > then no-one can read it except the people with the key. There should be
>> > third party products available that can do this.
>> >
>> > --
>> > Mark Allison, SQL Server MVP
>> > http://www.markallison.co.uk
>> >
>> > Looking for a SQL Server replication book?
>> > http://www.nwsu.com/0974973602m.html
>> >
>> >
>> > Danny John wrote:
>> > > Hi,
>> > > I'm a Sybase ASE DBA. now we are planning to migrate our
>> > > applications to MS SQL Server. and we purchased the
>> > > Standard edition of MS SQL Server 2000.
>> > >
>> > > 1. Is it possible to restrict the Windows users (
>> > > Administrators, and users ) from accessing SQL Server ?
>> > > ie. Only SQL Server Authentication is enabled.
>> > > Normally in most of the companies, except bigger
>> > > companies, the hardware/network guys will be knowing the
>> > > Administrator password and all. and they won't be DBAs if
>> > > the windows authentication is enabled any of that guys can
>> > > play with it.
>> > > sp_denylogin is not a solution for it. coz every time they
>> > > can create new users.
>> > >
>> > > 2. When we are creating a database we have to provide
>> > > the Data and Log files. We don't want to share the
>> > > information of the database to others, but in MS SQL
>> > > Server .
>> > > Suppose we created a database DB1, with Data File
>> > > d:\Data\MyData.Dat and Log file D:\Data\MyLog.Dat and
>> > > making some secret transactions in it.
>> > >
>> > > Now we are creating a new database called DB2 with Data
>> > > File Z:\Data\DataZ.Dat and Log file Z:\Data\LogZ.Dat. Now
>> > > we are stopping the SQL Server and
>> > > copying the DB1 files (d:\Data\MyData.Dat and
>> > > D:\Data\MyLog.Dat ) to Z:\Data and renaming them as
>> > > Z:\Data\LogZ.Dat and Z:\Data\DataZ.Dat.
>> > >
>> > > Start the SQL Server, now you can see all the DB1 data in
>> > > DB2..
>> > >
>> > > That means anyone can see my secret data in this way.
>> > >
>> > >
>> > >
>> > > Any suggestions,
>> > > Thanks in advance.
>> > > Danny
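
Added example, not part of the original thread or written by any of its posters: a T-SQL sketch for SQL Server 2000 that audits which logins hold sysadmin, revokes BUILTIN\Administrators only if another usable sysadmin login remains, and then confirms the result. It assumes you run it as a sysadmin whose own access does not come through BUILTIN\Administrators.

```sql
-- Added example for SQL Server 2000 (uses master.dbo.syslogins).

-- 1. Audit: every login that currently holds the sysadmin role.
SELECT name, isntname, isntgroup, denylogin, hasaccess
FROM master.dbo.syslogins
WHERE sysadmin = 1
ORDER BY name

-- 2. Count sysadmin logins that stay usable after the revoke.
--    In Windows-only mode SQL logins such as sa cannot connect,
--    so only Windows logins (isntname = 1) count in that mode.
DECLARE @remaining int
SELECT @remaining = COUNT(*)
FROM master.dbo.syslogins
WHERE sysadmin = 1
  AND denylogin = 0
  AND hasaccess = 1
  AND name <> N'BUILTIN\Administrators'
  AND (isntname = 1
       OR CONVERT(int, SERVERPROPERTY('IsIntegratedSecurityOnly')) = 0)

IF @remaining = 0
    -- Refuse to revoke: nobody could administer the server afterwards.
    RAISERROR('No other usable sysadmin login; revoke skipped to avoid lockout.', 16, 1)
ELSE IF EXISTS (SELECT * FROM master.dbo.syslogins
                WHERE name = N'BUILTIN\Administrators')
BEGIN
    EXEC sp_revokelogin N'BUILTIN\Administrators'
END

-- 3. Verify: this should return no rows once the login entry is gone.
SELECT name, sysadmin, hasaccess
FROM master.dbo.syslogins
WHERE name = N'BUILTIN\Administrators'
```

This only controls who can log in through SQL Server; as noted in the thread, an administrator of the machine can still stop the service and copy or attach the data files, and can join any Windows group that step 1 lists as sysadmin.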