ZDNet UK



Protect your SQL Server database

Arthur Fuller

Published: 27 Oct 2005 10:55 BST


Do you worry that someone with devious plans could break into your SQL Server database? If not, you should, because this may be a very real and dangerous possibility. First, I'll cite an example from a previous job to demonstrate how easy it is to access a database.

Why a DBA might break into your database
I used to be part of a team that was responsible for an enterprise application designed to run a pulp and paper mill. The software sold for a base price of $1.2 million. As the customer selected various options, the price went up in rather large increments. A sale of the application with all features working could amount to $3 million. We didn't create separate executables for each possible configuration because that would have been a nightmare. Instead, we created an encrypted procedure that read a table and made available the functionality that the client had licensed.

The local DBA with even a little savvy and an Internet connection could crack our code wide open in five minutes, gaining full functionality of the application and thereby saving her firm at least a million dollars. This is against the law, but some DBAs will take the chance to save their companies such large sums of money.

How a DBA could decrypt your database
If you don't buy into my scenario, then I encourage you to try it. Create one or more stored procedures, views, and triggers with encryption using the standard "with encryption" phrase. Then follow the steps in this recipe, and see how easy it is to shatter your alleged defence:

  1. Grab a free SQL decryption tool.
  2. Install it.
  3. Run it and choose the server and database of interest. (You must be able to log in.)
  4. Select the procedures, views, and triggers you wish to decrypt.
  5. Choose a directory in which to save the decrypted files and click Save.

Protect your database with these resources
You must assume that a DBA will try to break into your database. If the DBA succeeds, the vendor of the application may be out a significant amount of money.
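To find out how much of a database depends on this protection, inventory the objects created with the "with encryption" option. The following T-SQL is an added example, not code from the original article; it assumes SQL Server 2005 or later (catalog views), and the table and procedure names are hypothetical.

```sql
-- Constructed demo objects (hypothetical names) modelled on the article's
-- scenario: a licensing check hidden behind WITH ENCRYPTION.
CREATE TABLE dbo.LicensedFeature (
    FeatureName sysname NOT NULL PRIMARY KEY,
    IsLicensed  bit     NOT NULL
);
GO

CREATE PROCEDURE dbo.usp_IsFeatureLicensed
    @FeatureName sysname
WITH ENCRYPTION
AS
BEGIN
    SET NOCOUNT ON;
    SELECT IsLicensed
    FROM dbo.LicensedFeature
    WHERE FeatureName = @FeatureName;
END;
GO

-- The catalog no longer returns the source text: this yields NULL.
SELECT OBJECT_DEFINITION(OBJECT_ID(N'dbo.usp_IsFeatureLicensed')) AS definition_text;

-- Inventory every procedure, view, trigger and function in the current
-- database that was created WITH ENCRYPTION. Each row is an object whose
-- logic should be treated as recoverable by a DBA, per the article.
SELECT
    SCHEMA_NAME(o.schema_id) AS schema_name,
    o.name                   AS object_name,
    o.type_desc,
    o.create_date,
    o.modify_date
FROM sys.objects AS o
WHERE OBJECTPROPERTY(o.object_id, 'IsEncrypted') = 1
ORDER BY o.type_desc, schema_name, object_name;

-- Clean up the demo objects.
DROP PROCEDURE dbo.usp_IsFeatureLicensed;
DROP TABLE dbo.LicensedFeature;
GO
```

Run the inventory query in each database you ship or administer; any licensing or pricing logic that appears in the result relies on nothing stronger than the option the article describes.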

Simply adding encryption to your database will only protect you from entry-level or inexperienced DBAs. If encrypted procedures, views, and triggers are important to you and your firm (and they should be), then you have no choice but to spend some money and license real encryption, or to download one of the following alternatives (both commercial and free) and beef up your encryption efforts.



Full Talkback thread

1 comment

  1. Just a follow-up. I posted an update to the Free... Michael Coles
