如何向网络服务器的域管理员隐藏数据库中存储的数据?
我想使用 ASP.NET 制作一个安全的网站,但是当我发布它时,域管理员可以看到我的数据库 (SQL Server) 中存储的所有数据。我也想对域管理员隐藏我的数据和代码。有什么程序可以做到这一点吗?请给我一个我可以使用的好域名的地址,这将赋予我网站的所有管理权限(域名所有者也无法访问我的数据库和文件。)感谢您的建议。
I want to make a secure website using ASP.NET, but when I publish it, the domain administrator can see all the data stored in my database (SQL Server). I want to hide my data and code from the domain administrator too. Are there any procedures to do that? Please give me the address of a good domain I can use, which will give me all administrative power of my website (Domain owner also cannot access my databases and files.) Thanks for your suggestion.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(6)
您是否看过:SQL Server 2008 透明数据加密?
另外:
SQL Server 2008 透明数据加密
了解透明数据加密 (TDE)
Have you looked at: SQL Server 2008 Transparent Data Encryption?
Also:
SQL Server 2008 Transparent Data Encryption
Understanding Transparent Data Encryption (TDE)
您是否考虑过使用虚拟专用服务器?我相信使用 VPS,您应该能够完全控制谁有权访问操作系统级别的内容。
Have you considered using a Virtual Private Server? I believe with a VPS you should be able to have complete control over who has access to what at the operating system level.
您可以加密数据,但无法保护代码(尤其是面向网络的代码),但坦率地说,这个问题没有意义 - 如果您与某个与您有隐式信任关系的人存在信任问题,那么您需要找到不同的提供商。
如果您不信任任何人(无论个人心理如何),您都需要自己主持。
附录:从另一个角度来看,为什么您要为某人托管某些东西而无法检查其安全甚至法律问题?
You can encrypt data, but there's no way to protect code (especially not web-facing code), but frankly the question doesn't make sense - if you have trust issues with someone you have an implicit trust relationship with then you need to find a different provider.
If you don't trust anyone (personal psychology not withstanding) you need to host it yourself.
Addendum: look at it from the other way round, why would you host something for someone without being able to inspect it for security and even legal concerns?
如果您想要全面的安全性,那么您需要实现很多事情:
正如其他人所说,您需要对数据库进行物理加密。仅仅阻止他们访问数据库是不够的,因为他们可以访问物理数据库文件,并且可以使用它们上的工具直接访问数据。
您将需要使用 web.config 加密
演练:使用受保护的配置加密配置信息< /a>
如何:使用 DPAPI 加密 ASP.NET 2.0 中的配置节
这是一个相当值得怀疑的安全性,但是由于它需要在服务器上安装密钥容器,因此邪恶的管理人员可以复制您的密钥,然后使用它来手动解密您的 web.config。为了进一步保护自己,您需要创建一个安全的 Web 服务(对于消息传输、SSL 以及内容本身在 SSL 传输隧道内加密的安全消息都进行保护,请参阅 WCF 服务安全),您的应用程序会不断地与该服务进行对话对于受保护的数据,例如 SQL Server 数据库的登录用户,然后应用轮换密码,以确保如果他们拦截了一个密码,那么如果密码被轮换,该密码可能不再有效。
此后,您将需要使用源代码保护,包括反编译保护和代码混淆。这将增加一层保护,禁止直接查看应用程序的源代码,以获取有关如何保护应用程序的信息(但这只能阻止复杂的破解者)。
总而言之,此时您已经在托管环境中实现了几乎最高级别的代码/数据安全性,但这又回到了核心问题。如果您担心系统操作员是邪恶的,那么如果管理员足够熟练并且有足够的动力来做到这一点,那么所有这些保护措施甚至仍然可以被击败。
如果您需要在此之上和背后的保护,您确实需要考虑主机托管或至少专用服务器托管,它允许您在操作系统级别应用加密,因为这可以保护您免受最有效的暴力攻击,这些攻击涉及只需从机器上拆下硬盘驱动器并用空气除尘器倒置喷洒内存以将其冻结,然后尝试从与服务器断开连接的内存本身窃取加密密钥。
拥有使您免疫(或几乎免疫)此类攻击的安全性基本上需要使用 TrueCrypt 对文件系统进行本机加密,而您无需将密钥/密钥文件缓存在内存中。此时,剩下的唯一最后一部分安全措施是托管在信誉良好的数据中心,如 ThePlanet 或 Rackspace,该数据中心具有 24/7 电子监控,在没有视频记录的情况下,邪恶的员工几乎不可能破坏您的服务器。它发生。
If you want total security there's quite a few things you need to implement:
As others have said you need physical encryption of your database. Merely blocking them from accessing the database is not enough because they have access to the physical database files and can use tools on them to access the data directly.
You will want to use web.config encryption
Walkthrough: Encrypting Configuration Information Using Protected Configuration
How To: Encrypt Configuration Sections in ASP.NET 2.0 Using DPAPI
This is rather questionable security however since it requires a key container to be installed upon the server it would be arguably achievable for a nefarious administration to copy your key and then use it to manually decrypt your web.config. To protect yourself further than that you would need to create a secured web service (secured both for message transport, SSL, and secured message that the content itself is encrypted inside the SSL transport tunnel, see WCF services security) that your application constantly talks to for protected data like the login users for the sql server database and then apply rotating passwords to make it if they intercepted one password that it might not be valid anymore if it's been rotated.
After this point you will need to use source code protection that includes decompilation protection and code obfuscation. This will add a layer of protection from prohibiting viewing the source of your application directly for information about how else you protect your application (this will only go so far to stop a sophisticated cracker though).
All in all at this point you've achieved nearly the highest level of code/data security you can inside a hosted environment but this goes back to the core problem. If you have concerns that the system operator is nefarious then all of these protections even can still be beaten if the admin is skilled enough and has enough motivation to do it.
If you need protection above and behind this you would really want to look at colocation hosting or at the very least dedicated server hosting that would allow you to apply encryption at the operating system level as this protects you from the most effective brute strength attacks which involve just ripping out hard drives from a machine and spraying ram with air duster upside down to freeze it and then attempt to steal encryption keys from the ram itself disconnected from the server.
Having security that makes you immune (or nearly immune) to this kind of attack basically requires using TrueCrypt for native encryption of your file system where you do not have it cache the keys/key files in memory. At this point the only last part of security left is to host at a reputable data center like ThePlanet or Rackspace that has 24/7 electronic surveillance that it would be nearly impossible for a nefarious employee to be able to compromise your server without video recordings of it occuring.
从 sysadmin 角色中删除
BUILTIN\Administrators组 - 显然这只能由服务器管理员完成,但在适当的环境中,域管理员可能只能维护服务器而不能见数据。2008 年,默认情况下不包括此内容。
至于代码,您可以混淆 DLL,但没有完整的方法可以对可以访问文件系统的人隐藏代码。
Remove the
BUILTIN\Administratorsgroup from the sysadmin role - obviously this can only be done by a server admin, but in a proper environment, it is possible for domain admins to only be able to maintain servers nad not see data.In 2008, the default is to not include this.
As for code, you can obfuscate your DLLs, but there is no complete way to hide code from someone who can access the filesystem.
您将无法隐藏源代码,但您确实有一些选项可以降低它对管理员的吸引力:
混淆 - 阻止人们了解语法上发生的情况。虽然他们可以遵循代码并最终弄清楚(如果他们愿意的话),但这需要更多的努力。毕竟,只要有足够的努力和技巧,任何事情都可以破解。
加密 - 因为网页需要服务器解密,所以服务器需要有密钥才能解密。该密钥需要存储在服务器(以及管理员)有权访问的文件中。使用一些混淆,您可以尝试(再次)隐藏它,但是任何有对称加密的地方,超级用户都有能力获取它。
注意:
任何时候加密的东西,很可能需要解密才能使用/查看。该过程会对性能产生负面影响。
当事物被加密时,尤其是从管理员的角度来看,它本质上是一个警告警报的邀请;它会产生好奇心。如果是数据,那是一回事,但在存在信任的情况下,代码不需要加密。这就像说你有一些想要隐藏的东西,通常意味着你不想被发现的“坏”东西。
You won't be able to hide the source code, but you do have some options to make it less inviting to admins:
obfuscate - deter people from knowing what is happening syntactically. While they can follow the code and eventually figure it out (if they want), it requires more effort. After all, with enough effort and know-how, anything can be cracked.
encrypt - because the web page needs to be decrypted by the server, the server needs to have a key to decrypt it. This key needs to be stored in a file that the server (and thus admin) has access to. Using some obfuscation, you can try and hide this (again), but any places there is a symmetric encryption, a superuser has the ability to get at it.
Note:
Any time something is encrypted, it will most likely require a decrypt to use/view. The process will be a negative performance impact.
When things are encrypted, especially from an admin perspective, it is essentially an invitation calling for alarm; it creates curiosity. If it's data, that's one thing, but code should not need to be encrypted where there is trust. It's like saying that you have something you want to hide, generally meaning something "bad" that you don't want found out.