 |
 | Home | Contact Us | FAQ | Search & Site Map | Link to Us |
 | Sign In | Join | Other 45 Sites in Network |
SQL Server Forum / General / Security / March 2006How to protect a db from an sa user fetching its schema
On a customer-owned SQL Server 2000, we've got our db placed, together with other software vendors databases. How can we protect from that the customer and\or the other companies from fetching the db schema of our db? All parties are allowd to login with the sa account. Can we by any means configure our db such that only we can access the schema, and the sa can not? Must all parties (companies) be given individual logins? Then, what about the sa account? Using this, one is still entitled to the schema of all databses, right? Any web page were I can read about this? Magnus Hi http://vyaskn.tripod.com/sql_server_security_best_practices.htm --------security best practices > On a customer-owned SQL Server 2000, we've got our db placed, together > with other software vendors databases. How can we protect from that the [quoted text clipped - 11 lines] > > Magnus > On a customer-owned SQL Server 2000, we've got our db placed, together > with other software vendors databases. How can we protect from that the [quoted text clipped - 7 lines] > the sa account? Using this, one is still entitled to the schema of all > databses, right? Members of the sysadmin fixed server role (which includes the built-in user sa) cannot be denied access to anything in SQL Server. But you don't have to be sa to read the schema of a db, because the public role has select permissions for sysobjects, syscomments and the rest of the system tables. All aspects of schema can be extracted from there. You can stop non-sa users from browsing your tables, using stored procedures or views and delegation/inheritance, but that may take a fair amount of work, depending on your app, and can't be used with stored procedures that dynamically generate the SQL they execute. You can also encrypt your stored procedures, views, udf's, triggers, user types and rules, which will keep everyone -- even sa -- from reading or altering their definitions. There must surely be a way to crack it, for users with enough skill and time, but this will keep the honest people honest at the very least. As for your table structures, as I implied above, they are, afaik, conventionally unprotectable... otoh, how proprietary could they possibly be? -Mark > Any web page were I can read about this? > > Magnus >> On a customer-owned SQL Server 2000, we've got our db placed, together >> with other software vendors databases. How can we protect from that the [quoted text clipped - 18 lines] > You can stop non-sa users from browsing your tables, using stored > procedures or views and delegation/inheritance, Oops, I meant impersonation, of course, not inheritance. -Mark > but that may take a fair amount of work, depending on your app, and can't > be used with stored procedures that dynamically generate the SQL they [quoted text clipped - 15 lines] >> >> Magnus |
Reply to this Message |
 Sign In
 Join
 My Latest Posts My Monitored Threads My Blog My Photo Gallery My Profile My Homepage Start New Thread Enable EMail Alerts Rate this Thread
|
©2009 Advenet LLC Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.