Sunday, March 11, 2012

Encrypt SQL Command to any SQL Server

Hi,
I'm a developer and in my applications I send commands to the SQL Server
databases to create, or recreate, Stored Procedures, Functions and Triggers.
Recently I realized that my clients, using SQL Profiler, could see the code
of those functions, SPs and Triggers, and even change it after they know it.
This means that my intellectual property is not safe, and the clients have
access to my source code.
I want to know if there is some way to encrypt the commands that I send to
any SQL Server database so that they are not seen in Profiler, at least for
that kind of command.
I notice that Profiler automatically does not show commands like sp_addlogin
stored procedures...
Thanks for your help,
Pedro Gonalves

You can encrypt the communications between your application and the server
with the use of SSL.
Several sources of information exist on using SSL with SQL Server:
Configuring SSL on Servers
http://www.microsoft.com/resources/..._certsetssl.asp
7 Steps to SSL Encryption
http://www.winnetmag.com/SQLServer/...6908/26908.html
HOW TO: Enable SSL Encryption for SQL Server 2000 with Certificate Server
http://support.microsoft.com/defaul...kb;en-us;276553
How To: Use SSL to Secure Communication with SQL Server 2000
http://msdn.microsoft.com/library/d.../>
NetHT19.asp
These are just a few to get you going on the subject.
Randy Dyess
www.Database-Security.Info

Hi Randy,
Yes, it's a way. But the problem is that I can't control my clients' SQL
servers. This is a way to encrypt communications with YOUR database server.
As I sell applications that my clients install on their servers, I simply
can't do it. And even with SSL, I think that Profiler can access the
T-SQL commands.
I just want to guarantee that several commands, the source code commands like
stored procedures and triggers, that my application sends to the database to
create functionality, aren't seen by the client.
Do you have an idea for this?

To add to the other responses, SQL Profiler will hide text that contains
sensitive commands like 'sp_password'. Consequently, you can include a
comment with this text in the batches you want to hide like the example
below.

Note that object text encryption is basically just obfuscation. A
determined user could reverse engineer the object to view the source. To
protect your intellectual property, you should explicitly state in your
license agreement that reverse engineering of your application code,
including SQL objects, is prohibited.

CREATE PROC usp_EncryptedProcedure1
WITH ENCRYPTION
AS
--sp_password
SELECT 'this create will not appear in profiler'
GO

CREATE PROC usp_EncryptedProcedure2
WITH ENCRYPTION
AS
SELECT 'this create will appear in profiler'
GO

Hope this helps.
Dan Guzman
SQL Server MVP
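
Added example (not part of Dan Guzman's post or the original thread): a small Python check for a deployment script that reports, per batch, whether the module is created WITH ENCRYPTION and whether the batch text contains sp_password, the condition the post above says makes Profiler hide it. The function names, the trigger and the GRANT batch are constructed for illustration, and the regular expressions are a heuristic, not a T-SQL parser.

```python
import re

GO_LINE = re.compile(r"^[ \t]*GO[ \t]*$", re.I | re.M)   # batch separator line
COMMENT = re.compile(r"--[^\n]*|/\*.*?\*/", re.S)         # naive: ignores string literals
MODULE = re.compile(
    r"\b(?:CREATE|ALTER)\s+(PROC(?:EDURE)?|FUNCTION|TRIGGER)\s+([\w.\[\]]+)", re.I)
ENCRYPTED = re.compile(r"\bWITH\s+(?:[^,;()]+,\s*)*ENCRYPTION\b", re.I)

# Constructed input: the thread's two procedures plus a made-up trigger and GRANT.
SAMPLE = """\
CREATE PROC usp_EncryptedProcedure1
WITH ENCRYPTION
AS
--sp_password
SELECT 'this create will not appear in profiler'
GO
CREATE PROC usp_EncryptedProcedure2
WITH ENCRYPTION
AS
SELECT 'this create will appear in profiler'
GO
CREATE TRIGGER trg_Constructed ON dbo.Orders
-- WITH ENCRYPTION
AFTER INSERT AS SELECT 'plain text trigger'
GO
GRANT EXECUTE ON usp_EncryptedProcedure1 TO public
GO
"""

def audit_script(script):
    """One finding per batch that creates or alters a procedure, function or trigger."""
    findings = []
    for number, batch in enumerate(GO_LINE.split(script), start=1):
        code = COMMENT.sub(" ", batch)      # a commented-out option does not count
        module = MODULE.search(code)
        if module is None:
            continue                        # e.g. the GRANT batch
        findings.append({
            "batch": number,
            "name": module.group(2),
            "with_encryption": bool(ENCRYPTED.search(code)),
            # Substring test on the raw batch, comments included (assumption
            # taken from the post: any text containing sp_password is hidden).
            "has_marker": "sp_password" in batch.lower(),
        })
    return findings

def unprotected(findings):
    """Names of modules missing WITH ENCRYPTION or the marker text."""
    return [f["name"] for f in findings
            if not (f["with_encryption"] and f["has_marker"])]

if __name__ == "__main__":
    for finding in audit_script(SAMPLE):
        print(finding)
```

Because the marker test is a plain substring match, an object whose own name contains sp_password is also reported as carrying the marker.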

Just a small addition - if you really need good encryption of your objects,
consider using a 3rd party tool like
http://www.ecatenate.com/dblockdown_product_info.html.
Dejan Sarka, SQL Server MVP
Associate Mentor
Solid Quality Learning
More than just Training
www.SolidQualityLearning.com

Thanks Dan, this is what I needed.

Pedro,
There is no good solution I'm afraid. Anything you encrypt there are ways of
decrypting. If you want to protect your work/ideas/code then do that with a
legally binding agreement that customers have to sign.
Neil Pike MVP/MCSE. Protech Computing Ltd
Reply here - no email
SQL FAQ (484 entries) see
http://forumsb.compuserve.com/gvfor...p?SRV=MSDevApps
(faqxxx.zip in lib 7)
or www.ntfaq.com/Articles/Index.cfm?DepartmentID=800
or www.sqlserverfaq.com
or www.mssqlserver.com/faq

The next version of SQL Shield (www.sql-shield.com) will include protection
from the profiler. Currently this program protects stored procedures from
decryption by cracking tools.
