Results 1 to 7 of 7

Thread: sql 2005 express security

  1. #1

    Thread Starter
    Hyperactive Member
    Join Date
    Mar 2001
    Posts
    416

    sql 2005 express security

    Hi All,

    I'm going to implement a standalone solution to my company's partners, which is a VB.NET application with some $$ calculations.
    Some rate data are sensitive and we choose to use sql server express 2005 as local database engine.

    My concern is that, how can I protect my id & password to access sql express?
    At least I need to code it inside VB.NET SQLConnection in order to access the rate, and the code in VB.NET is reversable, I afraid if someone can hack into the code and discover the login credential.

    Is there a way to prevent it?

    Thanks.

  2. #2
    Frenzied Member MaximilianMayrhofer's Avatar
    Join Date
    Aug 2007
    Location
    IM IN YR LOOP
    Posts
    2,001

    Re: sql 2005 express security

    You can encrypt the source code for your application when you've finished writing it.

  3. #3

    Thread Starter
    Hyperactive Member
    Join Date
    Mar 2001
    Posts
    416

    Re: sql 2005 express security

    My concern is not on the source code, but rather the distributed code.
    As I remember, VB.NET object code is somehow reversable.....do you mean the object code is also encryptable? If yes, will it affect performance?

    Thanks.

  4. #4
    MS SQL Powerposter szlamany's Avatar
    Join Date
    Mar 2004
    Location
    Connecticut
    Posts
    18,263

    Re: sql 2005 express security

    Well - that is kind of complicated.

    SQL DB's can always be copied off a machine and loaded into a SQL environment where they can be ATTACHED and looked at.

    There is no native encryption in MS SQL db's (except for MS SQL CE - compact edition).

    The only safe method for authentication is WINDOWS AUTHENTICATION - but usually with SQL EXPRESS you use SQL authentication. Are you using SQL authentication right now??

    *** Read the sticky in the DB forum about how to get your question answered quickly!! ***

    Please remember to rate posts! Rate any post you find helpful - even in old threads! Use the link to the left - "Rate this Post".

    Some Informative Links:
    [ SQL Rules to Live By ] [ Reserved SQL keywords ] [ When to use INDEX HINTS! ] [ Passing Multi-item Parameters to STORED PROCEDURES ]
    [ Solution to non-domain Windows Authentication ] [ Crazy things we do to shrink log files ] [ SQL 2005 Features ] [ Loading Pictures from DB ]

    MS MVP 2006, 2007, 2008

  5. #5

    Thread Starter
    Hyperactive Member
    Join Date
    Mar 2001
    Posts
    416

    Re: sql 2005 express security

    I plan to use sql authentication because I can't create Windows a/c at client machine.

    So, I must code the id & password inside my code, that's what I (actually the security officer) don't want to.......

    Also, you alert me that the db is attachable to other SQL Server system. But I do remember that it is possible to do some encryption to the database, it is not support in sql express 2005?

    Thanks.

  6. #6
    Frenzied Member
    Join Date
    May 2002
    Posts
    1,602

    Re: sql 2005 express security

    Hi!

    I have written apps that work disconnected, or in a company environment, and I take two approaches when the data is concerned

    1) If the app is to be distributed as a standalone product (like ms office) I use encrypted xml data as the "database". In VS 2005 its very easy to work with XML data, and its reasonably fast.

    2) If I can, I use webservices that expose a facade layer against the application. This I mostly use for intranet apps where the data is shared between the clients. The 1) approach is best used when the database should be unique for each client and is sensitive. I would never use access or sql server express for sensitive data since there is no way to encrypt it. We encrypt the xml data using an algorithm thats is reasonably hacker proof.


    good luck
    Henrik

  7. #7
    Addicted Member
    Join Date
    Mar 2006
    Posts
    235

    Re: sql 2005 express security

    Check out Laurentiu Cristofors security blog for sql Server 2005.

    http://blogs.msdn.com/lcris/archive/...09/427523.aspx

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  



Click Here to Expand Forum to Full Width