FILESTREAM - Protect Files from direct NTFS Access

  • Question

  • I am configuring FILESTREAM stream. I want no one to see the files, including Windows admin. How do I achieve this?

    OR

    Can I encrypt the file using .NET? My application will be based on ASP.NET.

    • Moved by Kalman Toth Tuesday, March 5, 2013 5:28 PM Not db design
    • Moved by Sethu Srinivasan Friday, March 8, 2013 8:48 PM filestream security
    Tuesday, March 5, 2013 9:15 AM

Answers

  • Allen,

    We are storing very confidential documents in FILESTREAM. My client wants no one to access these files except for the owner of the file. These files would be uploaded from an ASP.NET web page. I am thinking of encrypting these files before they come to FILESTREAM (because SQL Server doesn't support FILESTREAM encryption).

    I am not sure if I can directly encrypt the binary file. So I am planning to encode to Base64 and encrypt the Base64 value of the file.

    Please advise.

    Wednesday, March 6, 2013 8:15 AM
  • Yes, encrypting the data before it hits SQL Server is probably a good idea. As for how you best do that, that is a question for a different forum.


    Erland Sommarskog, SQL Server MVP, esquel@sommarskog.se
    Friday, March 8, 2013 10:56 PM
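
An added example, not part of the original thread or any poster's code: one way to encrypt an uploaded file's raw bytes in the application before they are written to the FILESTREAM column, so the container holds only ciphertext when read through NTFS. It assumes .NET 8 or later (`AesGcm`), a 32-byte key that the caller loads from a store outside the SQL Server host, and a hypothetical `associatedData` value such as the document's ID; the class and method names are illustrative.

```csharp
using System;
using System.Security.Cryptography;

// Illustrative helper (hypothetical names). AES works on byte arrays directly,
// so the file does not need to be Base64-encoded before encryption.
public static class DocumentCrypto
{
    private const int NonceSize = 12; // AES-GCM nonce length in bytes
    private const int TagSize = 16;   // authentication tag length in bytes

    // Returns nonce || tag || ciphertext: the value to store in the
    // varbinary(max) FILESTREAM column instead of the plaintext file.
    public static byte[] Encrypt(byte[] plaintext, byte[] key, byte[] associatedData)
    {
        byte[] nonce = RandomNumberGenerator.GetBytes(NonceSize); // fresh per file
        byte[] tag = new byte[TagSize];
        byte[] ciphertext = new byte[plaintext.Length];
        using var aes = new AesGcm(key, TagSize);
        aes.Encrypt(nonce, plaintext, ciphertext, tag, associatedData);

        byte[] blob = new byte[NonceSize + TagSize + ciphertext.Length];
        nonce.CopyTo(blob, 0);
        tag.CopyTo(blob, NonceSize);
        ciphertext.CopyTo(blob, NonceSize + TagSize);
        return blob;
    }

    // Throws CryptographicException if the stored blob was modified on disk,
    // or if the key or associated data does not match what was used to encrypt.
    public static byte[] Decrypt(byte[] blob, byte[] key, byte[] associatedData)
    {
        if (blob.Length < NonceSize + TagSize)
            throw new CryptographicException("Stored blob is too short.");
        ReadOnlySpan<byte> nonce = blob.AsSpan(0, NonceSize);
        ReadOnlySpan<byte> tag = blob.AsSpan(NonceSize, TagSize);
        ReadOnlySpan<byte> ciphertext = blob.AsSpan(NonceSize + TagSize);
        byte[] plaintext = new byte[ciphertext.Length];
        using var aes = new AesGcm(key, TagSize);
        aes.Decrypt(nonce, ciphertext, tag, plaintext, associatedData);
        return plaintext;
    }
}
```

The protection against a Windows administrator on the database server depends on where the key lives: a key stored on that same host, or in the database itself, is readable by the same administrator.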

All replies

  • Hi gnans19,

    Only the account under which the SQL Server service account runs is granted NTFS permissions to the FILESTREAM container. We recommend that no other account be granted permissions on the data container. Usually, a Windows administrator has permission to access local files and change some settings; of course, he/she can access SQL Server related folders, change SQL Server configuration, and even uninstall the SQL Server instance. So I don’t think it is a good option to restrict the system user on the application side (SQL Server); it is better that this kind of account only be given to a very small number of people.


    Allen Li
    TechNet Community Support

    Wednesday, March 6, 2013 7:48 AM