Just a model case. Provided the SQL Server 2008 R2 Enterprise database is encrypted with the TDE. Someone starts the machine from Linux live CD, resets the local user/admin password and boot into Windows 8.1. Will this allow them to access the database data, to encrypt them?
If it is possible to get the access like that for a local account could it somehow help to start using Microsoft Account? Or the local administrator account will be still the risk for Linux access, even if disabled? And the only option how to protect the database data on "workstation/laptop" is to encrypt the whole drive?
TDE only protects the databases from being attached to another server (i.e., the hard drive gets stolen, the files get detached and mounted on another server). In the scenario you describe, TDE will NOT prevent access to the data.
Related
I've got on the same computer (Win server 2012 R2 Datacenter) a web app being built on ASP.NET and a SQL Server 2017. Goal is to secure sensitive data on the database in case someone gains access to this computer. I've used Always Encrypted feature to encrypt columns with sensitive data and the according certificate is being stored to the \Certificates(Local Computer)\Personal\Certificates location.
Is there a way to prevent (password protect for example) an active windows user to access this certificate and export it?
To achieve your goal "to secure sensitive data on the database in case someone gains access to this computer" you should not consider keeping your certificate in the same machine (or) server.
You need to maintain the certificate in a Centralized Key Stores like Azure Key Vault
Please see my detailed answer here
I have two databases on the same SQL server. One for an ERP database that I am able to read tables and one I created in MS Access. A store procedure on the MSAccess database is updating some tables from the ERP DB. The MS Access DB from here on is independently running.
When I installed on other computers, the Access Database is giving me a connection error when I am logged in as another user than myself.
- Are permissions from the ERP database affecting me in my Access Database? Should I worry about them?
- Is Windows Authentication enough to make the connection happen?
- Do I need to Map the users over from the ERP database?? if so, how do I do it?
- Can I grant every user on the Server permission to access my tables using Windows Authentication? do I need to go down this road? How do I do it?
I am just not too sure what to do from here on. Here is some more information about the issue.
-In my database I have a ODBC stringconnection that looks like this:
Driver={SQL Server Native Client 11.0};Server=SERVER;Database=DATABASENAME;Trusted_Connection=yes;
-I am packaging an exe file using SSESETUP which is awesome.
-I am installing on the new computer and able to launch when I am logged on as myself however, I am getting a connection error when I am logged in as another user on the same computer. (Note: I am not able to debug from here on and see the vba because I am running under Access runtime 2013 only.)
I would appreciate if someone can assist me in narrowing my search for a solution.
Bottom line, it sounds like you need to set up database permissions on your SQL Server for each Windows account that will be using your Access db.
Here are specific answers to your questions:
Are permissions from the ERP database affecting me in my Access
Database
Yes, of course they are. Regardless of how you connect to the database the permissions will always be in effect.
Should I worry about them?
Yes, of course you should. Otherwise you won't be able to work with the data.
Is Windows Authentication enough to make the connection happen?
To make the connection, yes. SQL Server supports Windows authentication in both security modes (Windows only and mixed mode). But, this is just the connection. You also need to take the database permissions into consideration. Your Windows login needs to be granted the appropriate permissions within the specific database in order to do anything.
Do I need to Map the users over from the ERP database?
Map to what? Access? Based on the connection string in your question you're using Windows authentication to connect Access to SQL Server, so Access will connect to SQL Server under the security context of whoever is running Access. So the SQL Server permissions will need to be configured for each user who will be running your Access db.
Can I grant every user on the Server permission to access my tables
using Windows Authentication?
Access to the SQL Server tables? Sure, you could. But you should limit it to only the necessary permissions. Granting access for everyone is likely overkill and not best practice.
How can I deploy Access applications to multiple companies, with linked tables to SQL Azure servers?
I'm planning to deploy the Access programs with Microsoft Access runtime, and I'm assuming that I'll need to include the odbc drivers as well? Is there a way to automatically have Azure create a new server when a company signs into my website and downloads a program, and have the Access program link to it? And is there a way to get around the IP address settings in Azure as well? Because companies will be using the programs on multiple PCs. Or is it possible to utilise that and charge per PC?
If you distribute the application pre-linked, then the user should not have to do anything to consume the data.
When using Access with SQL server you can in general use the standard windows built in SQL driver. However in the case of Azure you do need to download + install the native 11 drivers (so I recommend you use that driver during development and setup).
You can also have code include to re-link to the sql server, but as noted, if your application is “already” linked, then you really don’t have to do anything on application startup. Such re-linking would not be required every time the application starts, but only a “one time” re-link is required say if you’re going to change the database, or perhaps the user logon. How to re-link (DSN less) is outlined here:
http://www.accessmvp.com/DJSteele/DSNLessLinks.html
As noted, you really don’t need the above.
As for IP restrictions, in the Azure setup you can turn off such restrictions if you need a connection that will occur from any location, but that does open up a security hole. (when you first create the SQL database you will be prompted for firewall rules).
All of the above assumes you been developing that Access application with SQL server as the back end (you can even use the free edition of SQL express for development on your local machine).
Last but not least:
Because your connection is occurring OVER the internet, then you speed will be MANY times slower then using a local server. Read the following article to get a “grasp” of this speed difference:
http://www.kallal.ca//Wan/Wans.html
So MUCH additional work is required in Access to obtain good performance when your connection is OVER the internet as opposed to SQL server running on your local network.
I am trying to link an MS access mdb to my sql server 2005, the problem is that the MDB is located on a shared network drive which will require login/password.
How do I pass the username and password into the "Linked server Access MDB" template? I assume I have to #datsrc parameter?
Rather than embedding credentials it would seem more sensible to use existing NT authentication and run the SQL Server service under an account which has access to the network drive. See question 63749 for some useful hints on service account setup. So, either grant permission for the current SQL Server account to be able to access the network drive, or run the service under a different (possibly new) account which has access.
I have an Sql Server database that includes a linked server to an MS Access mdb database. The Access database has workgroup security and requires a valid user name and password. This is easily set up in the linked server dialog in sql management studio. The problem is that the Sql Server needs to be able to find the MS Access mdw file to be able to login.
The only way I have managed to get this to work is by setting the Registry value SystemDB of the registry key :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Jet\4.0\Engines
to the path of the workgroup file but this causes other problems (like with other MS Access apps or Excel).
Is there a better way of doing this?
I haven't done this for a while, nor in recent versions of SQL server, but I seem to remember that when you add a link to a Jet database it provides the opportunity to define the workgroup, username and password. Certainly if you're using ODBC, that's part of the basic ODBC driver for Jet.