what is the recommendations should i do to prevent anyone from hacking or getting the sql server data base file (MDF File) ?
Note : i use sql server 2005
Some simple recommendations:
Do not expose access to your database server to the internet. It should be behind a firewall that only allows the web server to access it over a particular port (not the default).
Do not allow remote desktop or any other type of similar access from external connections. For internal connections, ensure that the passwords follow some type of policy. For example, require numbers, extended characters, etc.
Keep the database files in the normal data directory for sql server (file security is already set up for you).
Use transparent database encryption: http://msdn.microsoft.com/en-au/magazine/cc163771.aspx#S5 and How to protect the sql server 2005 MDF file
Make sure file sharing is turned off.
Make sure the only people who can access that server are the ones responsible for it.
Read up on sql injection to prevent other access mechanisms.
Use Active Directory security for database user accounts.
Use SSPI for the db connections so that you don't have a username/password stored in your web.config
Make sure that the network connection between your web and database server is encrypted via kerberos.
The same way you would protect any other file on your server.
I'd use a firewall and block every port than isn't needed.
Related
I'd like to connect to a local instance of SQL Server on another machine within the same network, and am wondering if it's even possible.
For example, say we have Machine01 and Machine02, both on the same internal network. I have several IIS websites setup on Machine01. If I log onto Machine02 and query the URL of one of the websites on Machine01 in in internet browser (say http://Machine01:9000), the website will load just fine. This has me thinking that it might be possible to construct a connection string to access the local database on Machine01 from Machine02. Is this possible?
I have Allow remote connections to this server checked in SSMS.
I've tried this connection string:
Server=Machine01;trusted_connection=true;Database=MyDB;Persist Security Info=True
Your connection string is correct in that the Server is the target computer name, and the premise of what you're trying to do is certainly correct and quite possible.
However make sure that the firewall on Machine01 is set to allow inbound traffic on the LAN from the SQL Server port (by default, 1433).
Also, the trusted_connection bit may not work, depending on how you have your users set up. If the user account on Machine02 a trusted user account on Machine01? If in any doubt, set up a SQL Server user account on your Machine01 SQL server, make sure you have SQL connections enabled (Server properties -> Security -> SQL Server and Windows Authentication mode), and pass across the SQL user name and password in the connection string instead...
You might try setting up a linked server, I find it to make the queries much easier. Here is some information on how to set it up.
I'm connecting to a SQL Server instance in a shared environment using SQL Server Management Studio. I don't want to take the hosting service's word so I'd like to find a way to discover whether all communications are encrypted. Especially the password, since it seems from this answer that sometimes it's sent in plaintext and sometimes not (I've been trying to use Microsoft Network Monitor to find out if it's encrypted but haven't been successful yet.)
Even if the password is encrypted, what if someone uses the connection (as a man-in-the-middle) to enter his own data into the database? (I'm more worried about that, though reading from the database is also a problem, of course.)
So, to sum up, how can I force a secure connection or at least discover whether one is present, when I don't have administrator's privileges on the database?
SQL Server client drivers offer the ability to require encryption and also verify that the certificate on the SQL Server comes from a trusted provider. Most drivers for SQL Server (JDBC, ODBC, .NET client, etc) have these settings.
More information can be found here: https://technet.microsoft.com/en-us/library/ms189067(v=sql.105).aspx
I know that this sentence tells me that 'MyDatabase' database is online:
select databasepropertyex('MyDatabase', 'Status')
What if I need to check a database from another server? Suppose that I already have a link server, the call should be like this:
select databasepropertyex('[192.168.111.33].MyOtherDatabase', 'Status')
but it doesn't work, anyone knows how to check this?
Thank you.
Might have to run as a pass through query, e.g.
OPENQUERY ( [192.168.111.33] ,'select databasepropertyex(MuOtherDatabase, ''Status'')' )
(assuming your already set up linked server is called [192.168.111.33], as implied above - seems like a dubious naming convention to use IPs?)
Normally, you would just try to connect to the database, and trap the error if the connection fails. But depending on your network setup and security, it might not be possible to connect directly to the database server. Exactly how you do that depends on what language and provider you use.
Some online examples of connection strings>
To see whether a SQL Server 2008 database can accept connections, look at the Collation property instead. I know how strange that sounds, but that's the documented way.
The ONLINE status may be returned while the database is being opened
and is not yet recovered. To identify when a database can accept
connections, query the Collation property of DATABASEPROPERTYEX.
For example, many database servers are set up to deny connections from all IP addresses except one. This is especially common in web-based setups; it's a fundamental security measure. In that case connecting like this (immediately below) would work. Code on the application server or web server tries to connect to the database server, and returns an error if it fails.
Your server --> Application server --> Database server
or workstation or web server
But connecting like this won't, because the database server is configured to accept connections only from the application server or web server.
Your server ----------------------------> Database server
or workstation
Application server
or web server
I am developing a application for a small user group and decided to use sql express.
So the design as normal is sql express will be hosted in one machine(as server machine) and users client app will connect to sql-express host machine for accessing db.
Now the problem is remote clients are not able to connect the db, but host machine can access the db. Can someone please help if you have tried this before ??
Connection string used is as below, do we need to change the connection string ?
Data Source=Hostname\SQLExpress;Integrated Security=true; AttachDbFilename=|DataDirectory|\mydb.mdf;User Instance=true;
Note: Users are not domain connected they are LAN connected.
The database service is probably not setup to listen on TCP port 1433 by default for security reasons. You need to use the configuration utility to enable remote access. You also need to make sure that port is not being blocked by a firewall. These instructions for SQL Server 2005 are useful.
If the users are not running under a domain account I believe you will have issues with authentication. You may want to add them to a domain, or enable SQL Server (password) authentication. After enabling this you can specify a username and password via the connection string. You need to make sure that the user exists and has access to the appropriate tables, views, or stored procedures.
By default, SQL Server does not permit remote connections. You need to change this via the Server Configuration Manager in the Start Menu.
I have built an application that uses SQL Express 2005 and I want to deploy it, but the problem is that anyone who has SQL Management Studio(or something like that) installed on his computer, can connect to my database and change it.
Is there anyway to prevent end-users from seeing or editing the content of my database, even those with the Administrator privileges?
I guess you're referring to the fact that by default SQL Server installs allow Windows and SQL Server Authentication. If you remove the Windows Authentication mode then users will have to connect via SQL Server authentication.
This from http://support.microsoft.com/kb/247931
SQL Server authentication SQL Server
authentication relies on the internal
user list maintained by the SQL Server
computer. This list does not include
Windows NT users, and is specific to
the SQL Server computer. Users are
created and configured using the SQL
Server Enterprise Manager. To use this
authentication method, perform with
the following steps:
• If you connect
through Open Database Connectivity
(ODBC), in the ODBC Administrator,
choose SQL Server authentication when
you configure the data source.
•In
the ActiveX Data Objects (ADO)
connection string, include the
parameters "UID" and "PWD" when you
use ODBC, and "User ID" and "Password"
when you use the SQLOLEDB provider.
I suppose this is not the answer you hoped for but it is unavoidable that anyone with administrative rights will be able to browse and edit information in the database.
You cannot change this.
Perhaps you could consider WHY you want to prevent this kind of access?
I expect you want to prevent tampering or accidental corruption of the data?
If that is the reason then you can go a long way to prevent corruption by adding constraints to your database. Add foreign key constraints, uniqueness constraints, everything that will help prevent data corruption.
Then an administrator would need to deliberately undo these constraints before they tamper, which would prevent most accidental corruption but of course not prevent malicious vandalism.
If you are concerned about protection of your intellectual property, you could encrypt the programmatic components (stored procedures and views and functions). This kind of encryption is not very strong but prevents casual inspection.
Encryption is added by using the
WITH ENCRYPTION
clause in your CREATE or ALTER statements.