I am building a database driven web application. The web application is basically an E-Voting website, where users can register and vote on things that concern their community … etc.
The database engine in use is SQL Server Express 2008. I know that my Domain Model and Application Code does not allow any silly security breaches, e.g. a User viewing the vote of other users … etc.
But that aside, are there things (free) I can do to make my database secure? So even if a hacker gets access to my Db, he can't do anything with it? or make it very hard for him.
I realise this question can be a little bit open ended, but some simple tips would be greatly appreciated.
Best Answer
Security is such a vast topic that it totally depends on your company's policies and the threat level you are trying to avoid.
You can use native asymmetric encryption in sql 2005 express as described in SQL Server 2005 Express Edition - Part 6 - Post Installation Configuration Tasks (Encryption) and SQL Server 2005 Security - Part 3 Encryption.
You can use master key encryption / cretificate / symmetric key. Read up : SQL SERVER – Introduction to SQL Server Encryption and Symmetric Key Encryption Tutorial with Script
Also, you can secure sql server backups at file level or the entire disk as well if you are trying to stop a hacker that already has access to the database server by some third party softwares like BitLocker or open source T r u e C r y p t.
Brian Kelley has an interesting article on Implementing Encrypting File System (EFS) with SQL Server.
There is a white paper on SQL Server security best practices as well.