hi Bobby,
[quoted text, click to view] Bobby wrote:
> We have been using VB.NET and MSDE 2000 for desktop application.
> The db is password protected
the db is not password protectd... the SQL Server login(s) password are not
exposed to the public (users, admins and so on..).... it is not possible to
wassword-protect a database...
[quoted text, click to view] >but if a client installed the actual SQL
> Server and got the db attached, they can find out everything about
> db. Attaching or connecting to db using Windows locally wont ask for
> password.
>
>
> Is there a better way to protect the db completely ?, please let me
> know
no, and you have to understand the "phylosophy" of authentication of SQL
Server...
SQL Server/MSDE is secure as long as you provide an accurate login logic...
SQL Server uses a so called "2 phase" authentication policy:
first an SQL Server Login or a Windows login must be created of granted
access to the SQL Server instance... at the server level a login can be made
member of none, 1 or all of the fixed server roles, which include "sysadmin"
role and so on...
you can choose between 2 authentication modes:
WinNT (trusted) connections or SQL Server authenticated connections... the
latter always requires full user's credential such as "User
Id=sa;Password=pwd", the password can be NULL so it must not be specified,
but I strongly advise you always to ensure strong passwords are present....
WindowsNT authentication, on the contrary, does not requires user's
credential becouse it's directly provided by Windows via the logins'ID
(sid), which authenticate user's login at the windows login step... SQL
Server only needs to verify that the corresponding login and/or group is
granted to log on the instance...
the second authentication phase is at database level, where each login will
be granted database access mapping to a database user... here access
permissions are set, as granting user/role SELECT/DELETE/EXECUTE (and so on)
privileges at an object level (or column level for tables and views)..
the mapping is performed in the JOIN database..sysusers.sid =
master..syslogins.sid , so the only link is the provided Login's sid, it's
Security IDentification number
so, the second phase regards a database security implementation... in order
to access a specified database the simple login existance does not provide
database access, but a (database) user must be mapped to the corresponding
login.. and is about verifying that at each object level (including
database, tables, views, columns, procedures and so on) the Login/User
association is permitted access to... please go on reading at
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/admi... ,
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/arch...
and following chapters..
you can start reading about authentication modes at
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adminsql/ad_security_47u6.asp
other articles worth reading can be found at
http://www.sql-server-performance.com/vk_sql_security.asp
http://www.microsoft.com/technet/prodtechnol/sql/2000/maintain/sp3sec03.mspx http://www.microsoft.com/technet/prodtechnol/sql/2000/maintain/sp3sec00.mspx but you can not password protect a database....
--
Andrea Montanari (Microsoft MVP - SQL Server)
http://www.asql.biz/DbaMgr.shtm http://italy.mvps.org DbaMgr2k ver 0.15.0 - DbaMgr ver 0.60.0
(my vb6+sql-dmo little try to provide MS MSDE 1.0 and MSDE 2000 a visual
interface)
--------- remove DMO to reply
