Do you worry that someone with devious plans could break into your SQL Server database? If not, you should, because this is a very real and dangerous possibility. First, I’ll cite an example from a previous job to demonstrate how easy it is to get at the contents of a database.
Why a DBA might break into your database
I used to be part of a team that was responsible for an
enterprise application designed to run a pulp and paper mill. The software sold
for $1.2 million as the base price. As the customer selected various options,
the price went up in rather large increments. A sale of the application with
all features working could amount to $3 million. We didn’t create separate
executables for each possible configuration because that would have been a
nightmare. Instead, we created an encrypted procedure that read a table and
made the functionality available that the client had licensed.
A local DBA with even a little savvy and an Internet connection could crack our code wide open in five minutes, gaining the full functionality of the application and thereby saving her firm at least a million dollars. This is against the law, but some DBAs will take the chance to save their companies such large sums of money.
How a DBA could decrypt your database
If you don’t buy into my scenario, then I encourage you to try it. Create one or more stored procedures, views, and triggers with encryption using the standard “with encryption” phrase. Then follow the steps in this recipe, and see how easy it is to shatter your alleged defense:
- Grab the free SQL decryption tool from http://www.derkeiler.com/Mailing-Lists/Securiteam/2001-12/0101.html.
- Install it.
- Run it and choose the server and database of interest. (You must be able to log in.)
- Select the procedures, views, and triggers you wish to decrypt.
- Choose a directory in which to save the decrypted files and click Save.
Protect your database with these resources
You must assume that a DBA will try to break into your
database. If the DBA succeeds, the vendor of the application may be out a
significant amount of money.
Simply adding “with encryption” to your database objects will only protect you from entry-level or inexperienced DBAs, because it obfuscates the object text rather than encrypting it with a key the DBA does not hold. If encrypted procedures, views, and triggers are important to you and your firm (and they should be), then you have no choice but to spend some money and license real encryption, or to download one of the following alternatives (both commercial and free) and beef up your encryption efforts.
- ActiveCrypt
- SQL Encryption Toolkit: This free toolkit from Michael Coles is in the form of stored procedures.
- NetLibEncryptionizer for SQL Server: You might want to consider this product if you want to encrypt your data as well as your database objects.
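To see for yourself exactly what “with encryption” does and does not hide, here is an added T-SQL example (not part of the column or any of the products above). It creates a hypothetical license-check procedure like the one described earlier, shows that the catalog view no longer exposes its text, and then inventories every object in the database that relies on this obfuscation so you know what a DBA could target. The object names dbo.LicensedFeatures and dbo.usp_CheckLicense are assumptions; the script needs SQL Server 2005 or later for sys.sql_modules.

```sql
-- Added example: what WITH ENCRYPTION hides, and how to audit reliance on it.
-- dbo.LicensedFeatures and dbo.usp_CheckLicense are hypothetical names.
CREATE TABLE dbo.LicensedFeatures
(
    FeatureName sysname NOT NULL PRIMARY KEY,
    IsLicensed  bit     NOT NULL
);
GO

-- The gating logic is hidden, but the entitlement data it reads is a plain table
-- that any DBA can read or UPDATE; the procedure text is the only thing obscured.
CREATE PROCEDURE dbo.usp_CheckLicense
    @FeatureName sysname,
    @Enabled     bit OUTPUT
WITH ENCRYPTION
AS
BEGIN
    SET NOCOUNT ON;
    SELECT @Enabled = IsLicensed
    FROM dbo.LicensedFeatures
    WHERE FeatureName = @FeatureName;
    SET @Enabled = ISNULL(@Enabled, 0);
END;
GO

-- Ordinary metadata access returns NULL for the body: obfuscation, not encryption.
SELECT OBJECT_NAME(object_id) AS module_name, definition
FROM sys.sql_modules
WHERE object_id = OBJECT_ID('dbo.usp_CheckLicense');

-- Audit: every procedure, view, function and trigger whose source is hidden this
-- way. Each row is an object whose protection rests only on "with encryption".
SELECT o.type_desc,
       SCHEMA_NAME(o.schema_id) + '.' + o.name AS module_name,
       o.modify_date
FROM sys.sql_modules AS m
JOIN sys.objects     AS o ON o.object_id = m.object_id
WHERE m.definition IS NULL
ORDER BY o.type_desc, module_name;
```

Run the audit query periodically and treat every row as a candidate for a real encryption product, or for moving the licensing decision out of the database entirely.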
Check out the SQL Server archive, and catch up on the most recent editions of Arthur Fuller’s column.