tags:

views:

90

answers:

1
Q: 

How safe are SQL Server 2005 MDF files? (re: security)

We've started using SQL Server 2005 Express for a project and I noticed that every database has it's own MDF/LDF files. Whenever we need to duplicate our database (to another SQL Server) we simply copy these files and then attach them to the database.

However, this has me wondering about the security of these files. If somebody from the outside gets a copy of them are they encrypted or can they simply attach to them like I'm doing? I'm not prompted for any passwords when I copy/attach them myself so I'm a bit nervous.

Thanks, John

+1  A: 

They are not encrypted and can be loaded/attached by any person with read access to the MDF/LDF files.

There are a couple of approaches you can take if the actual MDF files need to be protected. (This assumes that merely using file permissions to lock down access isn't feasible, for example if you need to protect against users with Administrative rights to the machine or direct HDD access.)

  1. Use EFS or BitLocker or similar to encrypt the files themselves. This won't protect against other applications in the same session/context accessing the files, but it will protect against other accounts accessing the files (EFS) or someone stealing a laptop/hard drive (EFS/BitLocker).
  2. Encrypt the sensitive data within the database itself. You will obviously want to store the encryption key separately (possibly using DPAPI to protect it, for example). SQL Server 2008 Enterprise Edition introduces a feature called Transparent Database Encryption (TDE) to make this process easier, which obviously doesn't help much for 2005 or Express Edition, unfortunately. Your best option in this case might be to do custom encryption of sensitive data in your app. (Unfortunately in 2005 this will require either using varbinary fields or Base64-encoding encrypted values etc.)
  3. Don't store the data locally in the first place (i.e. use a remote SQL Server rather than a local Express instance). That doesn't truly solve the problem, but it reduces it (you only need to protect the remote instance rather than N local/express copies).
technophile  2010-02-02 18:39:43
Thanks! Does the full feature SQL Server 2005/2008 work the same way? (ie. if somebody had access to the file system then they can access your entire database?)I'm not too familar with EFS/BitLocker but I'll take a look at them but we'll probably end up limiting access to the hard drive and using a simple encryption algorithm inside our data-access DLL.
SofaKng  2010-02-02 18:46:42
Just wanted to add that you need to encrypt the backups as well. Many of the times that large amounts of data have been stolen it was from an unencrypted backup tape which is easier to steal than to detach and make a copy of a database file (users being likely to notice that you detached the database).
HLGEM  2010-02-02 18:47:02
No one except the dba should have the rights to copy move or delete files on your production server. Plus you need to detach the database to copy the file.
HLGEM  2010-02-02 18:48:17
@SofaKng: Yes, the full feature works the same way (except for 2008 Enterprise Edition with TDE).@HLGEM: That's tough to do when using SQL Server *Express*, which generally runs on end user PCs.
technophile  2010-02-02 18:53:07

related questions

Sql to query a dbs scheme
Transform Columns into Rows
SQL Client for Mac OS X that works with MS SQL Server
How do you get leading wildcard full-text searches to work in SQL Server?
SQL Server 2000: Is there a way to tell when a record was last modified?
What's the BEST way to remove the time portion of a datetime value (SQL Server)
I need to know how much disk space a table is using in SQL Server
What's the best way to determine if a temporary table exists in SQL Server?
Appropriate pagefile size for SQL Server
Have you ever encountered a query that SQL Server could not execute because it referenced too many tables?
ASP.NET MVC "CRUD" Database Sample
How do I unit test persistence?
Best Book for a new Database Developer
Can I logically reorder columns in a table?
Best way to copy a database in SQL Server 2005/8?
Is Windows Server 2008 "Server Core" appropriate for a SQL Server instance?
Why doesn't SQL Full Text Indexing return results for words containing #?
Client collation and SQL Server 2005
Editing database records by multiple users
Deploying SQL Server Databases from Test to Live
SQL Server 2005 implementation of MySQL REPLACE INTO?
Upgrading SQL Server 6.5
How do I version my MS SQL database in SVN?
How to export data from SQL Server 2005 to MySQL
Check for changes to a SQL table?