Question

Let's assume that I have a C# multi-user client-server application and SQL Server 2008 Express as the database. It's an application that is supposed to be installed on customers' PCs, where everyone who works for the company can have access, i.e. physical access to the .mdf file is unrestricted, so that one can easily copy the .mdf file to his/her machine, attach it and view all the DB structure and stored procedures' code I have developed.

I've read lots of info regarding this issue, all directing me to use the free EFS (Encrypting File System) of Windows. Consequently, I managed to encrypt my .mdf file with a specific Windows user account which I created specially for this, and set up a password for the user, so that no one can log on as my user and decrypt the file. Everything was fine, but I came across a dilemma: the user by which a customer logs on will almost always be in the Local Admin group, so they can easily reset the password for my user and log on as my user to decrypt the file. I cannot exclude their user from the admin group.

Could anyone help me solve this problem, please? Or maybe there is a possibility to decrypt the file without having created an additional user, so that they could not decrypt the .mdf file?

I would really appreciate any help!


Solution

EFS encrypts files with a random file encryption key (FEK) and encrypts that key with an RSA key belonging to the user ... this RSA key is protected by DPAPI ... if the system is set up with a key recovery agent, the FEK is also encrypted for the RSA key of the key recovery agent (this might be the local admin, but can be changed, even to no key recovery agent).

If the local admin changes the password of a user, their DPAPI master key is left untouched, still protected by the old user password ... changing the password won't give you access to the DPAPI master key, and therefore won't give you access to the user's private RSA key ...

If the station is a member of a domain, the domain controller will have a decryption key that will allow decryption of a DPAPI master key ...

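To see the DPAPI behaviour the answer above relies on, here is an added C# experiment (not code from the question or from either answer): run it once as the account that owns the secret to write two DPAPI blobs, then run it again from another local account, an admin included, to see which blob still decrypts. It assumes .NET Framework with a reference to System.Security.dll; the output folder and the sample secret are placeholders.

```csharp
// Added example: DPAPI CurrentUser scope ties a secret to the logged-on user's
// master key, which stays locked behind that user's own password even after an
// admin resets it; LocalMachine scope ties it to the machine key, which any
// local account can use. Assumes .NET Framework (System.Security.dll).
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

static class DpapiScopeDemo
{
    // Constructed sample secret; stands in for a key or connection string.
    const string SecretText = "sample-secret-value";
    static readonly byte[] Secret = Encoding.UTF8.GetBytes(SecretText);
    // Placeholder output folder; both accounts in the experiment must be able to read it.
    const string Dir = @"C:\Temp\dpapi-demo";

    static bool TryUnprotect(string path, DataProtectionScope scope)
    {
        try
        {
            byte[] plain = ProtectedData.Unprotect(File.ReadAllBytes(path), null, scope);
            return Encoding.UTF8.GetString(plain) == SecretText;
        }
        catch (CryptographicException) { return false; } // no usable master key: decryption refused
    }

    // Usage: DpapiScopeDemo protect   (run as the account that owns the secret)
    //        DpapiScopeDemo check     (run again as any other local account)
    static void Main(string[] args)
    {
        string userPath = Path.Combine(Dir, "user.bin");
        string machinePath = Path.Combine(Dir, "machine.bin");
        if (args.Length > 0 && args[0] == "protect")
        {
            Directory.CreateDirectory(Dir);
            File.WriteAllBytes(userPath, ProtectedData.Protect(Secret, null, DataProtectionScope.CurrentUser));
            File.WriteAllBytes(machinePath, ProtectedData.Protect(Secret, null, DataProtectionScope.LocalMachine));
            Console.WriteLine("Wrote blobs as " + Environment.UserName);
            return;
        }
        // Expected when run as a different account: user blob fails, machine blob succeeds.
        Console.WriteLine("Running as " + Environment.UserName);
        Console.WriteLine("CurrentUser blob decrypts:  " + TryUnprotect(userPath, DataProtectionScope.CurrentUser));
        Console.WriteLine("LocalMachine blob decrypts: " + TryUnprotect(machinePath, DataProtectionScope.LocalMachine));
    }
}
```

The CurrentUser result is the DPAPI layer that protects the EFS user's RSA key; a domain-joined machine is the exception the answer notes, because the domain controller holds a backup key for the master key.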
OTHER TIPS

Short of moving the data store to the cloud and having your application use web services, I don't think there's much you can do. I'm making the assumption that you're trying to protect some IP you have in the database. If you can get the logic into the client or server part of your application, you can obfuscate your application and then not have to worry so much about this problem. The data, I presume, is owned by your users anyway; I'd be pretty annoyed at a company trying to lock my own data away from me by encrypting the database.

The only real solution, I think, is to address this via a sales contract that limits what they can do with your software even if they decompiled it.

Licensed under: CC-BY-SA with attribution