SQL Server programming security
I’m trying to create with a developer a program that uses an SQL Server 2005 database on a local network.
When the program is first installed it asks for a clientID that it then sends back to our server over the internet to authenticate that it is allowed to run by matching a clientID in our database.
Does SQL Server have a unique identifier like a serial number or something that is totally unique to that SQL Server that we can send back to our database as a stamp during the initial install in order to prevent our program from running on other networks with the same ClientID?
[1108 byte] By [Rick-123] at [2008-1-10]
It seems like you are trying to do some DRM (Digital Rights Management), correct? Unfortunately, as far as I know, SQL Server doesn’t have a unique identifier that is suitable for this purpose (i.e. a unique id per instance that cannot be spoofed). Remember that a crafty sysadmin/box admin may control the SQL Server service process entirely.
I would recommend reading the discussion below from another forum; while the situation is not the same, at least it should give you a better idea of some of the difficulties you may face:
http://blogs.msdn.com/raulga/archive/2007/07/13/link-to-msdn-forum-discussion-yet-another-question-on-application-security.aspx
I hope this information helps,
-Raul Garcia
SDE/T
SQL Server Engine
Raul, thank you for your response. You're absolutely right. I am trying to find a programming solution for "application security", not necessarily SQL Server security. We need a way to prevent our application from running in an unauthorized environment. I have always used hardware security blocks to achieve this goal: "no block", "program no run". We are really trying to achieve the same security by using a web service that authenticates when the program is run. But I think the key is to stamp our database during the initial installation with a unique identifier for their environment so that the user can give his install disk and clientID to a friend and let him run the program for free using his credentials. Thanks
Sorry, correction: so the user *can't* give his install disk and clientID to his friends and allow them to use the program without paying a subscription. Thanks, Rick
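The scheme discussed in this thread (clientID plus an install-time stamp checked by a web service), as an added example that is not part of any post above. `ActivationServer`, `new_install_stamp` and the `CLIENT-0001` id are hypothetical names; the stamp is assumed to be a random value generated at install, since the thread identifies no built-in SQL Server identifier for this.

```python
import hashlib
import hmac
import uuid


class ActivationServer:
    """Vendor-side record of which install stamp each clientID is bound to (hypothetical)."""

    def __init__(self, licensed_client_ids):
        # clientID -> SHA-256 of the bound stamp; None until the first activation.
        self._bound = {cid: None for cid in licensed_client_ids}

    def check(self, client_id, stamp):
        if client_id not in self._bound:
            return "unknown_client"
        digest = hashlib.sha256(stamp.encode()).hexdigest()
        bound = self._bound[client_id]
        if bound is None:
            # First activation: bind this clientID to the reporting install.
            self._bound[client_id] = digest
            return "activated"
        if hmac.compare_digest(bound, digest):
            return "ok"
        return "stamp_mismatch"


def new_install_stamp():
    # Assumption: the installer generates a random stamp and stores it in the
    # application's database.
    return uuid.uuid4().hex


def demo():
    server = ActivationServer(["CLIENT-0001"])  # constructed sample clientID
    site_a = new_install_stamp()
    site_b = new_install_stamp()
    return [
        server.check("CLIENT-0001", site_a),  # first install at the paying site
        server.check("CLIENT-0001", site_a),  # later run at the same site
        server.check("CLIENT-0001", site_b),  # install disk + clientID reused elsewhere
        # The stamp is only data the client reports: a database copied together
        # with its stamp is indistinguishable from the original to the server.
        server.check("CLIENT-0001", site_a),
        server.check("CLIENT-9999", site_b),  # clientID not in the vendor database
    ]


if __name__ == "__main__":
    print(demo())
```

The fourth result is the limitation raised in the reply: the server binds to whatever value it is sent, so the check stops casual reuse of the disk and clientID but not an administrator who controls the machine holding the stamp.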