I have a c# winform application that uses SQL 2005 Express. The application creates math and reading quizzes and is marketed to parents of school-aged children. The parents purchase and download SQL files containing quizzes from my website a开发者_高级运维nd install them in the application (which is installed on their child's computer).
I have two SQL security concerns:
(1) Some children may not want the quizzes to appear on their computer, so they may try to (a) delete the SQL database or (b) disable the application by changing values in the database.
It seems to me that anyone with SQL Server Management Studio Express can easily change the contents of the database.
Therefore, what can be done to prevent this (other than recommending to the parent that they do not let their children use an administrator account)?
(2) My only revenue will be the sale of the quizzes, so I want to protect this data from being copied and shared. How can I do this given (a) that the files need to be downloaded from my server to the child's computer and then installed and (b) and then once installed, they are just residing on the child's computer.
It seems to me that anyone with SQL Database Publishing Wizard can easily copy the contents of the database.
Is it possible to only allow my application to access the SQL database? Is it possible to restrict everyone else from accessing it (even people using Windows administrator accounts)?
Currently the install script for my application creates a new instance of the SQL 2005 Express server just for my application and it uses Windows Authentication.
I have read several SQL security posts here on Stackoverflow and elsewhere but I am not yet able to figure this out.
From a wonky hacker point of view, the parents are screwed. This is because their children have physical access to the computer. Theoretically they can attack it every which way.
Now, let's go with what is more likely.
You identified that not giving the kids administrator access makes a big difference. But if you're saying that is out of reach of most families, so is SQL Management Studio. You can make a bet that kids aren't going to go get this and install it.
However, in the end, you would probably be better off with some good old fashioned obfuscation. Instead of using something like SQL Management Studio, where there are freely available tools out there to modify and prevent these quizzes from showing up or whatever other attacks are available, you create your own file formats and hope most kids would give up when they see binary gobbledy-gook.
If they are going to give up on that, many might give up on SQL Express. That said, kids are pretty resourceful and some might be willing to follow step by step instructions they searched for on Google to defeat your software.
It sounds like you are deploying these quizzes onto SQL Express instances that are on machines not under your control. They aren't your machines anymore.
I don't want to say "you can't do what you are asking" but you are asking how to prevent someone from using administrator tools to defeat your software. I think my answer is "you can't". You have to reexamine your design or just go with the idea that most kids won't go so far.
You could use encryption on your quiz data.
Encrypt and decrypt a string
The flaw in this is your application would have to have the encryption/decryption key in its code, so someone could still gain access to it through a recompilation tool or something like reflector.
The real answer is that protecting your application for everything is nearly impossible. Just think about the huge companies and their protection techniques, Microsoft, Adobe, etc... they all have a problem with piracy.
Also, if your application is good enough for lots of people to pirate, you will most likely have a good number of legitimate sales.
Until then, I wouldn't worry about it too much, and just take a few small precautions that don't interfere with your workflow too much.
精彩评论