Sql-server – SQL Server 2005 and Standalone VB application

Securitysql server

I'm new to this forum and just want to ask some questions/suggestions on how to manage my database..

I'm having an application with sql server 2005 database as a backend.
I want make the application standalone, the application is installed along with an sql server 2005 installer, so I don't have any control on my app when it is deployed/installed in other computers.
I have my app working fine, but the database is not secure if ever the app is installed on other computer.

Now here's the scenario. (if the user is a techie guy and wants to dig things up)
The user installs sql server 2005.
The user installs the app.
The user can see the database via windows explorer (database is .mdf file)
Opens up SQL Server, uses windows authentication.
Attaches the database, and tada! Instant access to the database.
Now he can freely modify the contents of the database without the use of the app.

So how can I solve this? Is there any possible ways to avoid this? Any suggestions?
Take note that I can't control the application because it is installed on a different place
P.S., I'm quite new to this, actually this is my first project on a company 🙂

Best Answer

So there a couple thoughts here from my end. And I think they probably follow an order:

The first principle is - you will never secure your MDF file from being looked into by someone with SQL savvy. There are ways around most of what you can do. If you are deploying this application to a customer, and that customer has enough SQL knowledge and you've given them a data file - they can do what they like with it ultimately.. This principle rules all of the others.
Support contracts and license agreements protect you legally here - that is outside the scope of this format. But you have to trust the folks buying your app to honor their support agreements and EULAs. Every vendor out there has to do that same thing.
You can, however, do things like encrypt data in tables and encrypt/decrypt it in and out from your application. This can help protect data, but it isn't foolproof. Someone can try and attach a debugger, dig into the traffic and try and get a sense for what is going on.
You can encrypt your stored procedures to protect the stored procedure code - again this isn't full proof (remember Principle #1 rules them all here)

So there are things you can do, but the biggest question that I would ask if I were you is:

Why?

What I mean is - what is your goal? Customers see databases all the time. In fact as a DBA and Consultant with 15 years of experience, I can honestly say that 90% or more of the databases I work with are wide open to the folks who purchased the application. If they want to, they can certainly play with the data in their database directly. Most of them don't because they like support contracts to remain valid. Some of them do because their vendors are pains to work with and don't give common sense support and updates.

So you should check your motives. If you've made software that someones wants to buy, and they've paid for it and deploy it locally following your instructions and have entered into an agreement with you - why would they want to build their own app? And if they do? What is the harm? Charge enough money and make your agreement strong enough that if they do it is a non-issue.

Also - Is this a new application? SQL Server 2005 is 3 versions back from the currently released version (SQL Server 2012) and a new release (SQL Server 2014) is right around the corner.

You also said "the application is installed along with an sql server 2005 installer, so I don't have any control on my app when it is deployed/installed in other computers"

With the right installers and install procedures you should have control over how the application is installed. There is actually a lot in your question sort of behind the question that is hard to answer in this forum without a lot of back and forth. Some of the questions that come to mind are around areas like "How does your app install? Is there an installer app?", "What are the instructions for the installation and use of SQL Server?" "Are there configuration files in place to help determine where things get placed and how to connect to the database?", "Do you provide guidance to the customer on best practices for deployment?"

Don't answer those questions here - they are out of scope, but those are some of the questions you should be asking yourself as you go on this quest. I would recommend reading up on SQL Server application development and spending more time learning about deploying applications in general. I can't think of a good reference right now - but perhaps someone can add an answer with some. There must be something on msdn.com that can help here.

Related Solutions

Sql-server – How to restore a SQL Server database along with a standalone application

Good deal with getting the connection string out. Based on that and the error it looks like you'll need to change some things around with your SQL config.

First, SQL 2012 does not support the database compatibility level for SQL Server 7. You'll need to go back down to at least SQL Server 2005.

Based on that connection string info the app is for a SQL server named SCFRANGOS. You can try to create a host entry for SCFRANGOS on the machine you're running the app from and give it the IP of your SQL server, or create it in DNS.

The database name you need to use FVBraganca. Since you have both the mdf (data) and ldf (log) you can try to reattach the database to your SQL Server.

You also need to create a local user on the server and name it usuario. Then you need to create a Windows login on the SQL server for usario and that login needs to be added to the FVBraganca dabase as a user.

Alternatively, if you're comfortable with editing the binary you could edit your own connection information into the exe.

Steps:

Install SQL Server 2005 or earlier on your server. You can download SQL Server 2005 Express from here. Again, SQL 2005 is the newest version you can use that will support the SQL 7 database format.
Make sure the server where SQL Server is installed can be resolved as SCFRANGOS on your network from wherever you are running the application. You can add a host entry or an alias in DNS. Or you can add an entry in the hosts file where you will run the application (c:\windows\system32\drives\etc\hosts typically). When this step is complete you should be able to receive replies when doing a ping SCFRANGOS from the machine where you want to run the application.
Attach the database and name it FVBraganca. Connect to SQL Server and run this (assuming your mdf and ldf files are in c:\myapp and are called myapp.mdf and myapp_log.ldf):

CREATE DATABASE FVBraganca
ON (FILENAME='c:\myapp\myapp.mdf'),
(FILENAME='c:\myapp\myapp_log.ldf'),
FOR ATTACH; GO
Create a user called usario on the server where SQL Server is installed. Instructions are found here.
Create a login in SQL Server for the user created above

CREATE LOGIN [myserver\usario] FROM WINDOWS
GO
Add the new login as a user of the database. If the user already exists you'll need to remove it first so you don't have a mismatch of the security identifiers. The existing user will have the security identifier tied to it from the original SQL Server where the database was last used.

USE FVBraganca
GO
DROP USER usario
GO
CREATE USER usario FOR LOGIN usario
GO
Since you don't know what the user needs access to yet you might just want to grant it dbo access to the database. This is typically not a good idea but in this case it'll be easier until you know for sure what objects in the database the application uses.

sp_addrolemember @rolename='db_owner', @membername='usario'

That should be it. As long as the database attaches cleanly I think this should get you going.

Sql-server – Backup failure in SQL Server 2005

Well, suppose you have a command to execute your backup like this

BACKUP DATABASE [naass] 
TO  DISK = N'C:\program files (x86)\Microsoft SQL Server\MSSQL.3\MSSQL\Backup\Naass.bak'' 
WITH NOFORMAT, INIT,  
NAME = N'naas-Complete Database Backup', 
SKIP, NOREWIND, NOUNLOAD,  STATS = 10

this will fail if the process that executes this command doesn't have the permissions to write in the mentioned folder. And Windows 7 (for very good security reasons) keeps the C:\program files folders and its subfolders write locked also to an administrator account.

You could mess with the default permissions and give to your folder above write permissions for your account but of course this is not the recommended way.
Much better, simply change the script to work on a different directory on your disks.

BACKUP DATABASE [naass] 
TO  DISK = N'D:\BackupSQL\naass.bak' 
WITH NOFORMAT, INIT,  
NAME = N'naas-Complete Database Backup'
SKIP, NOREWIND, NOUNLOAD,  STATS = 10

Of course this new directory should have the correct permissions.

Best Answer

Related Solutions

Sql-server – How to restore a SQL Server database along with a standalone application

Sql-server – Backup failure in SQL Server 2005

Related Question