如何保护 winform 的 SQL 2005 Express 数据库中的数据?

发布于 2024-09-28 11:59:44 字数 724 浏览 7 评论 0原文

我有使用 SQL 2005 Express 的 ac# winform 应用程序。该应用程序创建数学和阅读测验,并向学龄儿童的家长推销。家长从我的网站购买并下载包含测验的 SQL 文件,并将它们安装在应用程序中(安装在他们孩子的计算机上)。

我有两个 SQL 安全问题:

(1) 一些孩子可能不希望测验出现在他们的计算机上,因此他们可能会尝试 (a) 删除 SQL 数据库或 (b) 通过更改数据库中的值来禁用应用程序。

在我看来,任何使用 SQL Server Management Studio Express 的人都可以轻松更改数据库的内容。

因此,可以采取什么措施来防止这种情况发生(除了建议家长不要让孩子使用管理员帐户之外)?

(2) 我唯一的收入将是出售测验,因此我想保护这些数据不被复制和共享。考虑到 (a) 文件需要从我的服务器下载到孩子的计算机上然后安装,(b) 一旦安装,它们就驻留在孩子的计算机上,我该如何执行此操作。

在我看来,任何使用 SQL 数据库发布向导的人都可以轻松复制数据库的内容。

是否可以只允许我的应用程序访问 SQL 数据库?是否可以限制其他人访问它(甚至使用 Windows 管理员帐户的人)?

目前,我的应用程序的安装脚本仅为我的应用程序创建了一个新的 SQL 2005 Express 服务器实例,并且它使用 Windows 身份验证。

我已经在 Stackoverflow 和其他地方阅读了几篇 SQL 安全帖子,但我还无法弄清楚这一点。

I have a c# winform application that uses SQL 2005 Express. The application creates math and reading quizzes and is marketed to parents of school-aged children. The parents purchase and download SQL files containing quizzes from my website and install them in the application (which is installed on their child's computer).

I have two SQL security concerns:

(1) Some children may not want the quizzes to appear on their computer, so they may try to (a) delete the SQL database or (b) disable the application by changing values in the database.

It seems to me that anyone with SQL Server Management Studio Express can easily change the contents of the database.

Therefore, what can be done to prevent this (other than recommending to the parent that they do not let their children use an administrator account)?

(2) My only revenue will be the sale of the quizzes, so I want to protect this data from being copied and shared. How can I do this given (a) that the files need to be downloaded from my server to the child's computer and then installed and (b) and then once installed, they are just residing on the child's computer.

It seems to me that anyone with SQL Database Publishing Wizard can easily copy the contents of the database.

Is it possible to only allow my application to access the SQL database? Is it possible to restrict everyone else from accessing it (even people using Windows administrator accounts)?

Currently the install script for my application creates a new instance of the SQL 2005 Express server just for my application and it uses Windows Authentication.

I have read several SQL security posts here on Stackoverflow and elsewhere but I am not yet able to figure this out.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(2

风为裳 2024-10-05 11:59:44

从一个古怪的黑客的角度来看,父母完蛋了。这是因为他们的孩子可以实际接触计算机。从理论上讲,他们可以通过各种方式对其进行攻击。

现在,让我们看看更有可能发生的情况。

您发现不授予孩子管理员访问权限会产生很大的影响。但如果您说这对大多数家庭来说是遥不可及的,那么 SQL Management Studio 也是如此。你可以打赌孩子们不会去得到这个并安装它。

然而,最终,使用一些老式的混淆方法可能会更好。您可以创建自己的文件格式,并希望大多数孩子在看到二进制文件时会放弃,而不是使用 SQL Management Studio 之类的东西,那里有免费可用的工具来修改和防止这些测验出现或任何其他可用的攻击。官样文章。

如果他们打算放弃这一点,许多人可能会放弃 SQL Express。也就是说,孩子们非常足智多谋,有些人可能愿意按照他们在谷歌上搜索的逐步说明来击败你的软件。

听起来您正在将这些测验部署到不受您控制的计算机上的 SQL Express 实例上。 它们不再是你的机器了。

我不想说“你不能做你所要求的事情”,但你是在问如何防止某人使用管理员工具来破坏你的软件。我想我的答案是“你不能”。你必须重新审视你的设计,或者只是接受大多数孩子不会走那么远的想法。

From a wonky hacker point of view, the parents are screwed. This is because their children have physical access to the computer. Theoretically they can attack it every which way.

Now, let's go with what is more likely.

You identified that not giving the kids administrator access makes a big difference. But if you're saying that is out of reach of most families, so is SQL Management Studio. You can make a bet that kids aren't going to go get this and install it.

However, in the end, you would probably be better off with some good old fashioned obfuscation. Instead of using something like SQL Management Studio, where there are freely available tools out there to modify and prevent these quizzes from showing up or whatever other attacks are available, you create your own file formats and hope most kids would give up when they see binary gobbledy-gook.

If they are going to give up on that, many might give up on SQL Express. That said, kids are pretty resourceful and some might be willing to follow step by step instructions they searched for on Google to defeat your software.

It sounds like you are deploying these quizzes onto SQL Express instances that are on machines not under your control. They aren't your machines anymore.

I don't want to say "you can't do what you are asking" but you are asking how to prevent someone from using administrator tools to defeat your software. I think my answer is "you can't". You have to reexamine your design or just go with the idea that most kids won't go so far.

恋竹姑娘 2024-10-05 11:59:44

您可以对测验数据进行加密。

加密和解密字符串

这里的缺陷是您的应用程序必须进行加密/解密密钥在其代码中,因此有人仍然可以通过重新编译工具或反射器之类的工具来访问它。

真正的答案是,保护您的应用程序的一切几乎是不可能的。想想那些大公司和他们的保护技术,微软、Adobe 等等……他们都有盗版问题。

此外,如果您的应用程序足够好,足以让很多人盗版,那么您很可能会获得大量的合法销售。

在那之前,我不会太担心,只需采取一些小的预防措施,不会过多干扰您的工作流程。

You could use encryption on your quiz data.

Encrypt and decrypt a string

The flaw in this is your application would have to have the encryption/decryption key in its code, so someone could still gain access to it through a recompilation tool or something like reflector.

The real answer is that protecting your application for everything is nearly impossible. Just think about the huge companies and their protection techniques, Microsoft, Adobe, etc... they all have a problem with piracy.

Also, if your application is good enough for lots of people to pirate, you will most likely have a good number of legitimate sales.

Until then, I wouldn't worry about it too much, and just take a few small precautions that don't interfere with your workflow too much.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文