Please start any new threads on our new
site at https://forums.sqlteam.com. We've got lots of great SQL Server
experts to answer whatever question you can come up with.
| Author |
Topic |
|
rypi
Yak Posting Veteran
55 Posts |
 Posted - 2011-05-18 : 18:17:23
|
| I have a sql 2008 database that is accessed via an asp.net application. There is some sensitive info in the DB and want to ensure that data won't be compromised.I was going to use SSL and encrypt the DB with TDE.I haven't had to implement this level of security before and wanted to get some feedback. Do you think SSL and TDE will provide adequate security?Any other suggestions?Thanks. |
|
|
Michael Valentine Jones
Yak DBA Kernel (pronounced Colonel)
7020 Posts |
Posted - 2011-05-18 : 22:27:44
|
| It really depends on what you are trying to protect against.TDE is mainly protection against file level attacks on the database files and backup files. Anyone with enough access to the SQL server will be able to see the data via SQL queries, just like a database that is not encrypted.CODO ERGO SUM |
 |
|
|
rypi
Yak Posting Veteran
55 Posts |
Posted - 2011-05-19 : 02:06:40
|
| Well, I guess I am trying to protect against pretty much everything,it's confidential data. I know no system is 100% secure, but I would like to get as close as possible.I know it's an extremely broad topic, but what would you recommend? |
|
|
|
Michael Valentine Jones
Yak DBA Kernel (pronounced Colonel)
7020 Posts |
Posted - 2011-05-19 : 10:35:36
|
| I recommend starting with the basic SQL Server security practices to make sure the data is not available to exploits, especially from the application.Assuming an n-tier application:Make sure the application uses windows authentication to connect to the database. Do not allow application logins to have any elevated access to the server or database, like sysadmin, db_owner, db_datareader, db_datawriterDo no allow application logins or user defined database roles to have any direct access to tables or views.Use database roles to control access to database objects, and add application logins only to the necessary roles.Use stored procedures for all access to data from the application and make sure that roles have access only to the procedures that they require.Do not allow any use of user input to form SQL statements (the primary source of SQL injection)Do not allow developers to have any access to the server or database.Do not allow end users of the application to have any direct access to the database and make sure all access comes through the application.On last thing: Don't put any login in the sysadmin or other server role that doesn't absolutely need to be there.CODO ERGO SUM |
|
|
|
rypi
Yak Posting Veteran
55 Posts |
Posted - 2011-05-19 : 16:09:04
|
| I am using forms authentication and am connecting to the database with via an encrypted connectionString in my web.config.The user and pass are in the connection string but are encrypted. All of the db transactions are handled using that user. Is this okay?The login requires the ability to do inserts, updates, selects, and deletes. What server role and User Mappings (role memberships) should I have enabled?Thanks for all your help so far, it's been a great help! |
|
|
|
|
|
|
|
|
Encryption and security