I'm just thinking loud. I'm investigating if there are any suspicious
operations that have taken place on our databases by using Log Explorer from
Lumigent. All of a sudden, I thought that now that the databases are stored
on the server as physical files, hackers probably can just copy the files
(*.MDF, *.LDF) to their machines without connecting to and doing anything on
the SQL server itself, right? Would it be a common practice to get those
databases encrypted?
Bing
bing wrote:
> I'm just thinking loud. I'm investigating if there are any suspicious
> operations that have taken place on our databases by using Log
> Explorer from Lumigent. All of a sudden, I thought that now that the
> databases are stored on the server as physical files, hackers
> probably can just copy the files (*.MDF, *.LDF) to their machines
> without connecting to and doing anything on the SQL server itself,
> right? Would it be a common practice to get those databases
> encrypted?
> Bing
The files are kept locked by SQL Server while they are in use. How would
a hacker access the files anyway? Presumably, they are not made
accessible through Windows security to user accounts. If a hacker was
able to connect to the server as an admin, they could just stop the SQL
service and copy the database files.
David Gugick
Quest Software
www.imceda.com
www.quest.com
|||Hi,
You can use the Encrypted File System support on Windows 2000.
Windows 2000 supports the encrypted file system property.
Below are the steps to encrypt the data files:
1) Log on with the SQL Server startup account
2) Stop the SQL Server and SQL Agent services
3) Right click the data files, select Properties, click the Advanced button,
check the "Encrypt contents to secure data"
4) Start the SQL Server service
See the KB below for more information:
HOW TO: Encrypt Data Using EFS in Windows 2000
http://support.microsoft.com/dXefaul...;en-us;2305X20
Note:
If you change the SQL Server startup account you have to redo the same,
otherwise the SQL Server service will not start.
"With EFS, database files are encrypted under the identity of the account
running SQL Server. Only this account can decrypt the files. If you need to
change the account that runs SQL Server, you should first decrypt the files
under the old account, then re-encrypt them under the new account."
Thanks
Hari
SQL Server MVP
|||Hi
If the hacker can get that far into your box, he owns every other server
already, has created himself a domain account, and has access to your SQL
Server via any tool of his choice. He has also let his 5 friends in, and
they are reading your mail before you do.
Secure your perimeter, apply proper permissioning at OS level so that only SQL
Server and domain admins can touch the files on the OS. Make sure your
applications are not susceptible to SQL Injection and apply the least
permissions to users in the DB.
Regards
Mike Epprecht, Microsoft SQL Server MVP
Zurich, Switzerland
IM: mike@.epprecht.net
MVP Program: http://www.microsoft.com/mvp
Blog: http://www.msmvps.com/epprecht/
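Added example, not part of any post in the thread: a PowerShell audit of the two controls the replies discuss, listing any account outside an allow-list that holds read or ACL-changing rights on the *.MDF/*.LDF files, and whether each file carries the EFS attribute. The data directory and the account names are placeholders chosen for illustration.

```powershell
# Added example: audit ACLs and EFS state of SQL Server database files.
# $DataDir and the account names in $Allowed are placeholders (assumptions).
$DataDir = 'D:\SQLData'
$Allowed = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'EXAMPLE\Domain Admins',
    'EXAMPLE\svc-sql'          # hypothetical SQL Server startup account
)

function Get-DbFileExposure {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [string[]] $AllowedIdentities
    )
    # Rights that allow copying the file contents or rewriting its ACL.
    $risky = [int][System.Security.AccessControl.FileSystemRights]'ReadData, ChangePermissions, TakeOwnership'
    $efs   = [int][System.IO.FileAttributes]::Encrypted

    Get-ChildItem -Path $Path -Recurse -File |
        Where-Object { $_.Extension -in '.mdf', '.ldf' } |
        ForEach-Object {
            $file = $_
            $acl  = Get-Acl -LiteralPath $file.FullName
            # Allow entries (inherited ones included) for identities not on the list.
            $unexpected = $acl.Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                (([int]$_.FileSystemRights -band $risky) -ne 0) -and
                ($AllowedIdentities -notcontains $_.IdentityReference.Value)
            }
            [pscustomobject]@{
                File         = $file.FullName
                Owner        = $acl.Owner
                # EFS marks an encrypted file with the Encrypted attribute.
                EfsEncrypted = (([int]$file.Attributes -band $efs) -ne 0)
                Unexpected   = @($unexpected | ForEach-Object {
                                   '{0} [{1}]' -f $_.IdentityReference.Value, $_.FileSystemRights
                               }) -join '; '
            }
        }
}

# Files with unexpected entries sort first.
Get-DbFileExposure -Path $DataDir -AllowedIdentities $Allowed |
    Sort-Object { $_.Unexpected -eq '' } |
    Format-List
```

An empty `Unexpected` field means only the allow-listed identities hold those rights on the file; `EfsEncrypted` reports only whether EFS is applied, not which account the file was encrypted under.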