Do you worry that someone with devious plans could break
into your SQL Server database? If
not, you should because this may be a very real and dangerous possibility.
First, I’ll cite an example from a previous job to demonstrate how easy it is
to access a database.

Why a DBA might break into your database

I used to be part of a team that was responsible for an
enterprise application designed to run a pulp and paper mill. The software sold
for $1.2 million as the base price. As the customer selected various options,
the price went up in rather large increments. A sale of the application with
all features working could amount to $3 million. We didn’t create separate
executables for each possible configuration because that would have been a
nightmare. Instead, we created an encrypted procedure that read a table and
made the functionality available that the client had licensed.

The local DBA with even a little savvy and an Internet
connection could crack our code wide open in five minutes, gaining full
functionality of the application and thereby saving her firm at least a million
dollars. This is against the law, but some DBAs will
take the chance to save their companies such large sums of money.

How a DBA could decrypt your database

If you don’t buy into my scenario, then I encourage you to
try it. Create one or more stored procedures, views, and triggers with
encryption using the standard “with encryption” phrase. Then follow
the steps in this recipe, and see how easy it is to shatter your alleged

  1. Grab the
    free SQL decryption tool from
  2. Install
  3. Run it
    and choose the server and database of interest. (You must be able to log
  4. Select
    the procedures, views, and triggers you wish to decrypt.
  5. Choose
    a directory in which to save the decrypted files and click Save.

Protect your database with these resources

You must assume that a DBA will try to break into your
database. If the DBA succeeds, the vendor of the application may be out a
significant amount of money.

Simply adding encryption to your database will only protect
you from entry-level or inexperienced DBAs. If
encrypted procedures, views, and triggers are important to you and your firm
(and they should be), then you have no choice but to spend some money and
license real encryption, or to download one of the following alternatives (both
commercial and free) and beef up your encryption efforts.

Miss a column?

Check out the SQL Server archive, and catch up on the most recent editions of Arthur Fuller’s column.

TechRepublic’s free SQL Server newsletter, delivered each Tuesday, contains hands-on tips that will help you become more adept with this powerful relational database management system. Automatically subscribe today!