tags:

views:

20

answers:

2
Q: 

How do I secure the data in my winform's SQL 2005 Express database?

I have a c# winform application that uses SQL 2005 Express. The application creates math and reading quizzes and is marketed to parents of school-aged children. The parents purchase and download SQL files containing quizzes from my website and install them in the application (which is installed on their child's computer).

I have two SQL security concerns:

(1) Some children may not want the quizzes to appear on their computer, so they may try to (a) delete the SQL database or (b) disable the application by changing values in the database.

It seems to me that anyone with SQL Server Management Studio Express can easily change the contents of the database.

Therefore, what can be done to prevent this (other than recommending to the parent that they do not let their children use an administrator account)?

(2) My only revenue will be the sale of the quizzes, so I want to protect this data from being copied and shared. How can I do this given (a) that the files need to be downloaded from my server to the child's computer and then installed and (b) and then once installed, they are just residing on the child's computer.

It seems to me that anyone with SQL Database Publishing Wizard can easily copy the contents of the database.

Is it possible to only allow my application to access the SQL database? Is it possible to restrict everyone else from accessing it (even people using Windows administrator accounts)?

Currently the install script for my application creates a new instance of the SQL 2005 Express server just for my application and it uses Windows Authentication.

I have read several SQL security posts here on Stackoverflow and elsewhere but I am not yet able to figure this out.

A: 

From a wonky hacker point of view, the parents are screwed. This is because their children have physical access to the computer. Theoretically they can attack it every which way.

Now, let's go with what is more likely.

You identified that not giving the kids administrator access makes a big difference. But if you're saying that is out of reach of most families, so is SQL Management Studio. You can make a bet that kids aren't going to go get this and install it.

However, in the end, you would probably be better off with some good old fashioned obfuscation. Instead of using something like SQL Management Studio, where there are freely available tools out there to modify and prevent these quizzes from showing up or whatever other attacks are available, you create your own file formats and hope most kids would give up when they see binary gobbledy-gook.

If they are going to give up on that, many might give up on SQL Express. That said, kids are pretty resourceful and some might be willing to follow step by step instructions they searched for on Google to defeat your software.

It sounds like you are deploying these quizzes onto SQL Express instances that are on machines not under your control. They aren't your machines anymore.

I don't want to say "you can't do what you are asking" but you are asking how to prevent someone from using administrator tools to defeat your software. I think my answer is "you can't". You have to reexamine your design or just go with the idea that most kids won't go so far.

Chris Gomez  2010-10-20 17:32:57
Thanks Chris, you and JohnFly are making the same point, which is that I can't really protect my database once it is deployed.
Frederick  2010-10-21 20:30:24
A: 

You could use encryption on your quiz data.

http://stackoverflow.com/questions/202011/encrypt-decrypt-string-in-net

The flaw in this is your application would have to have the encryption/decryption key in its code, so someone could still gain access to it through a recompilation tool or something like reflector.

The real answer is that protecting your application for everything is nearly impossible. Just think about the huge companies and their protection techniques, Microsoft, Adobe, etc... they all have a problem with piracy.

Also, if your application is good enough for lots of people to pirate, you will most likely have a good number of legitimate sales.

Until then, I wouldn't worry about it too much, and just take a few small precautions that don't interfere with your workflow too much.

JohnFly  2010-10-20 17:39:33
Yes, I suspect you are correct in that it is impossible to protect your application from everything. I will use encryption on some of my data columns and leave it at that for now. Thanks for the advice.
Frederick  2010-10-21 20:25:26

related questions

ADO SQLServer dbGo generates a EAccessViolation
How to list SQL 2005 Express instances
HOW TO: Umbraco 4.0 with Microsoft SQL Server 2000
How to change identity column values programmatically?
Adding a database to my Visual Studio 2008 project says I need sql server express?
Trouble setting up witness in SQL Server mirroring scheme w/ error
'System.Web.Security.SqlMembershipProvider' requires a databse schema compatible with schema version '1'.
Is there a simple tool for adding users to a SQL Server database?
How to set the default author name in MS SQL 2005 stored procedure template in management studio?
TCP Ports when Web Server communicates with SQL Server Express
SQL Express remote access
Continuous database backups?
Bind DropDownList into DataGrid Header
How can I view the contents of sql binary data fields?
Error Opening CrystalReport viewer
What do you use to Profile SQL Server 2005 Express?
InvalidOperationException when executing SqlCommand with transaction
Upgrading SQL Server 2005 Express to SP3
Accessing SQL Server Express 2005 database via 2008 64bit SSMS
Changing ASPNETDB name
SQL Server Express Idle Mode Partial Data Returns?
SQL Server 2005 Express in VMware causing very high CPU load
How do I manage version control when developing with SQL Server Express?
SQL 2005 Express Edition - Install new instance
SQL2005 Express slow from remote VB6 application