SQLExpress security

    Question

  • hello,

    I have a question. I've bundled my DB with normal Windows authentication mode in a setup file and would be installing it at my client's place. Is it safe, or is there anything that I need to do so that the client does not tamper with the DB?

    Secondly, do I need to install MSSQL at the client system for my project to work?

    rgds


    HV

    Friday, March 02, 2012 5:07 PM

Answers

  • 2. Public connetionString As String = "Data Source=.\SQLEXPRESS;Initial Catalog=t_sang_d;Integrated Security=True" (but i would like to change this connection string to make it secure so that the user does not tamper with this)


    This is really probably as secure as you can make a connection string to log onto a local instance of SQL Server, especially if the instance is configured for Windows auth only (mixed mode off).  While it will probably prevent users who do not have administrative privs on the server or box from messing something up, I think anyone with an admin account to the instance or to the box would be able to access the database files by setting a new password for the admin account and logging in as the admin.
    • Marked as answer by Hari Vaag Wednesday, March 14, 2012 3:16 AM
    Tuesday, March 13, 2012 8:08 PM

All replies

  • Hello,

    Interesting but huge question. But to help you, we need more information.

    1) Please, could you tell us what is the version of SQL Server Express that you are using (2005, 2008, 2008 R2, 2012)?

    2) Please, could you provide the connection string used to connect to the database (just in case of user instance)?

    3) Please, could you tell us what is the type of application (WinForms, ASP.Net, ...) you are installing? (also the language used to develop your application)

    4) Please, are your application and your database used alone or collaborating with other databases installed with your application?

    Your 2nd question seems easy to answer: I would say yes if the database is used in user instance. If the database can be accessed remotely: no (in the case of a database which is not private to a given computer and which can be accessed remotely).

    We are waiting for your feedback to try to help you more efficiently.

    Have a nice day


    Mark Post as helpful if it provides any help.Otherwise,leave it as it is.

    Friday, March 02, 2012 7:15 PM
  • Thanks Mark

    below are the answers to your ?s

    1. SQLEXPRESS version is 2005

    2. Public connetionString As String = "Data Source=.\SQLEXPRESS;Initial Catalog=t_sang_d;Integrated Security=True" (but i would like to change this connection string to make it secure so that the user does not tamper with this)

    3. type of application is winforms developed in VB.net

    4. standalone

    Also, about your answer to my second question, I'm still not clear: if I have to install SQL in the client system, then how do I do that, as I would be giving a setup file to my client?

    rgds


    HV

    Saturday, March 03, 2012 5:13 AM
  • Hello,

    I will try to answer both your questions in an understandable way.

    1) SQL Server Express is an old version of which the life is finishing. I would suggest you test your application version against SQL Server 2008 R2 or (better) SQL Server Denali (2012) as soon as this last one is released (it is only a question of weeks). A little remark about SQL Server 2005 Express: the SQL Server Management Studio Express Edition (SSMSEE for 2005) is a plea: it forbids any upgrade towards a more recent version of SQL Server (there is a thread about it from Mike Wachal explaining the origin of the problem). It is an excellent reason to jump quickly to a newer version.

    2) Your connection string is good, but I don't know how it has been built and where it has been created. It depends whether you have used the Visual Studio features to create it or not (have you used the Data source menu of Visual Studio? If yes, your connection string should be stored in the app.config file, so visible to everyone and modifiable by everybody. It can be encrypted, but it is a problem which should be treated in another forum). For myself, I prefer to use the SqlConnectionStringBuilder class from the namespace System.Data.SqlClient to build the connection string (more code to write, but you hide your connection string). As you are using Windows authentication to connect to the SQL Server Express, there is (in theory) no security problem. If I asked you this question, it is only because I was fearing the use of user instances.

    3) To embed the install of SQL Server Express in your application, I would suggest this old link: http://msdn.microsoft.com/en-us/library/bb264562(SQL.90).aspx . I think that I have seen other articles about this common subject, but I need some more time to do some research.

    Don't hesitate to post again for more help or explanations.

    Have a nice day

    PS : A little remark , you wrote Hello Mark , but i am known on the forums as Papy Normand and my 1st name is Patrick. You have the choice, no problem for me ( i am not doing any reproach, it is only a little information )


    Mark Post as helpful if it provides any help.Otherwise,leave it as it is.

    Saturday, March 03, 2012 9:47 AM
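
The two options named in the reply above (building the string with SqlConnectionStringBuilder, and encrypting the connection string section of app.config), shown as an added VB.NET example that is not part of the original thread. The server and database names come from the posted connection string; the module and function names are hypothetical, and the project is assumed to reference System.Configuration.dll.

```vbnet
Imports System.Configuration
Imports System.Data.SqlClient

Module ConnectionSetup   ' hypothetical module name

    ' Build the string from typed properties instead of a literal.
    ' With Integrated Security there is no password in it: access is
    ' decided by the permissions of the Windows account that runs the app.
    Function BuildConnectionString() As String
        Dim builder As New SqlConnectionStringBuilder()
        builder.DataSource = ".\SQLEXPRESS"      ' from the thread
        builder.InitialCatalog = "t_sang_d"      ' from the thread
        builder.IntegratedSecurity = True
        Return builder.ConnectionString
    End Function

    ' Encrypt the <connectionStrings> section of the exe's .config file.
    ' DataProtectionConfigurationProvider uses Windows DPAPI, so the section
    ' can only be decrypted on the machine where it was protected.
    ' Run once (for example from the installer) with write access to the file.
    Sub ProtectConnectionStrings()
        Dim config As Configuration =
            ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None)
        Dim section As ConfigurationSection = config.GetSection("connectionStrings")
        If section IsNot Nothing AndAlso Not section.SectionInformation.IsProtected Then
            section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider")
            section.SectionInformation.ForceSave = True
            config.Save(ConfigurationSaveMode.Modified)
        End If
    End Sub

    Sub Main()
        ProtectConnectionStrings()
        Using conn As New SqlConnection(BuildConnectionString())
            conn.Open()
            ' Show which Windows login SQL Server sees for this connection.
            Using cmd As New SqlCommand("SELECT SUSER_SNAME()", conn)
                Console.WriteLine("Connected as: " & CStr(cmd.ExecuteScalar()))
            End Using
        End Using
    End Sub

End Module
```

The login printed by `Main` is the one whose server and database permissions determine what the user can read or change.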
  • sorry patrick,

    I read "mark post as helpful......" and I was thinking about a solution to all this :-) really very sorry about it.

    Coming back to my doubt, where can I find SQL Server 2008 R2 and is it free? Also, how do I replace my SQL 2005 (SQLEXPRESS) with SQL Server 2008 R2? Kindly help me with this please.

    rgds

    hari vaag


    HV

    Saturday, March 03, 2012 1:50 PM
  • hi patrick,

    how do i deploy SQL in my setup file so that i do not have to explicitly install SQL....

    rgds


    HV

    Saturday, March 03, 2012 1:57 PM
  • Hi hari,

    You can only install SQL Server express shared features and other features, there is no need to install instances. And then detach the database from the old server and attach it on your client.

    Please see: Detaching and attaching database http://msdn.microsoft.com/en-us/library/ms190794(v=sql.90).aspx


    Best Regards,
    Iric
    Please remember to mark the replies as answers if they help and unmark them if they provide no help.

    Tuesday, March 13, 2012 7:25 AM