Securing data against theft of the server or hackers

 
 
Nick Gilbert
 
      05-27-2004
Hi,

As part of a website (ASP.NET) we're creating, we need the ability to
store documents with pretty much 'mission critical' security. ie, if the
server is completely compromised (eg a trojan/virus is installed or
someone physically steals the server) they will still not be able to
gain access to the content of the files. I can securely transfer the
files to and from the server, but I am unsure of how best to store them
securely.

What options do I have? I have thought of using public key encryption
like PGP, but the users would then have to be trusted with a private key
which they could leak or lose, and all users would have to have the same
private key so that they could see each other's files. So I'm not sure
that idea could be made to work.

I'm wondering if there are any methods that would fit my needs (even if
it involves buying 3rd party hardware or software to achieve it).

If it matters, it will probably be a Win 2003 web server with a separate
box running SQL Server 2000 which could also be used for file storage.

Any advice would be appreciated!

Thanks,

Nick Gilbert
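
For the public-key option discussed above, hybrid (envelope) encryption lets every reader keep their own key pair: each file gets a random symmetric key, and that key is wrapped separately to each reader's public key, which is how PGP handles multiple recipients. The C# sketch below is an added example, not part of the original post; the `Vault` and `StoredFile` names and the sample users are assumptions, and it needs .NET 8 or later.

```csharp
// Added example; names and sample data are constructed. Requires .NET 8 or later.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Demo: two readers, each with their OWN key pair (private keys never reach the server).
using RSA alice = RSA.Create(2048);
using RSA bob = RSA.Create(2048);
var readers = new Dictionary<string, RSA> { ["alice"] = PublicOnly(alice), ["bob"] = PublicOnly(bob) };
StoredFile stored = Vault.Encrypt(Encoding.UTF8.GetBytes("constructed sample document"), readers);
Console.WriteLine(Encoding.UTF8.GetString(Vault.Decrypt(stored, "bob", bob)));

static RSA PublicOnly(RSA keyPair) => RSA.Create(keyPair.ExportParameters(false));

// What the server keeps on disk: ciphertext plus one wrapped copy of the file key per reader.
record StoredFile(byte[] Nonce, byte[] Ciphertext, byte[] Tag, Dictionary<string, byte[]> WrappedKeys);

static class Vault
{
    // Runs where the plaintext originates (the uploader's machine), using only PUBLIC keys.
    public static StoredFile Encrypt(byte[] plaintext, IDictionary<string, RSA> readerPublicKeys)
    {
        byte[] fileKey = RandomNumberGenerator.GetBytes(32);   // fresh AES-256 key per file
        byte[] nonce = RandomNumberGenerator.GetBytes(12);     // 96-bit GCM nonce
        byte[] ciphertext = new byte[plaintext.Length];
        byte[] tag = new byte[16];
        using (var aes = new AesGcm(fileKey, 16))
            aes.Encrypt(nonce, plaintext, ciphertext, tag);
        var wrapped = new Dictionary<string, byte[]>();
        foreach (var (user, pub) in readerPublicKeys)          // one wrapped key per reader
            wrapped[user] = pub.Encrypt(fileKey, RSAEncryptionPadding.OaepSHA256);
        CryptographicOperations.ZeroMemory(fileKey);           // do not leave the key in memory
        return new StoredFile(nonce, ciphertext, tag, wrapped);
    }

    // Runs on the reader's machine with that reader's own private key.
    public static byte[] Decrypt(StoredFile f, string user, RSA privateKey)
    {
        byte[] fileKey = privateKey.Decrypt(f.WrappedKeys[user], RSAEncryptionPadding.OaepSHA256);
        byte[] plaintext = new byte[f.Ciphertext.Length];
        using (var aes = new AesGcm(fileKey, 16))
            aes.Decrypt(f.Nonce, f.Ciphertext, f.Tag, plaintext);  // throws if data was tampered with
        return plaintext;
    }
}
```

The server stores only the `StoredFile` contents, so a stolen disk or database copy yields ciphertext and wrapped keys but no key that can decrypt them. Removing a reader means re-encrypting the file under a new file key, since that reader may already hold the old one.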
 
 
 
 
 
Steve C. Orr [MVP, MCSD]
 
      05-27-2004
If I was in your situation I'd seriously consider storing the files in SQL
Server. It's got built-in, high-quality security and can store files as
easily as any other kind of data.

--
I hope this helps,
Steve C. Orr, MCSD, MVP
http://Steve.Orr.net


"Nick Gilbert" <(E-Mail Removed)> wrote in message
news:%(E-Mail Removed)...
> Hi,
>
> As part of a website (ASP.NET) we're creating, we need the ability to
> store documents with pretty much 'mission critical' security. ie, if the
> server is completely compromised (eg a trojan/virus is installed or
> someone physically steals the server) they will still not be able to
> gain access to the content of the files. I can securely transfer the
> files to and from the server, but I am unsure of how best to store them
> securely.
>
> What options do I have? I have thought of using public key encryption
> like PGP, but the users would then have to be trusted with a private key
> which they could leak or lose, and all users would have to have the same
> private key so that they could see each other's files. So I'm not sure
> that idea could be made to work.
>
> I'm wondering if there are any methods that would fit my needs (even if
> it involves buying 3rd party hardware or software to achieve it).
>
> If it matters, it will probably be a Win 2003 web server with a separate
> box running SQL Server 2000 which could also be used for file storage.
>
> Any advice would be appreciated!
>
> Thanks,
>
> Nick Gilbert



 
 
 
 
 
Nick Gilbert
 
      05-27-2004
Thanks for your reply, but I don't think you've understood my problem.

SQL Server is only secure if you're limited to accessing it via queries.
But if someone has access to the box, they have access to the database
and all the files within it. They could just steal the database files
and restore them to their own server. SQL Server has no encryption on
its database files, so if you have the database, you also have access to
all the information in the files. I need a much more secure solution
than that... What you're suggesting isn't really any more secure than
storing something in a non-passworded ZIP/TAR file (or any other file
format which stores multiple files). If you have the database, you don't
even need to know any passwords to get the files back out again...

Also SQL Server isn't very good for storing lots of large files (eg
gigabytes of them) - I think the files themselves are best kept
separately from the data.

I was more thinking of some kind of encryption system...

Nick....

Steve C. Orr [MVP, MCSD] wrote:

> If I was in your situation I'd seriously consider storing the files in SQL
> Server. It's got built-in, high-quality security and can store files as
> easily as any other kind of data.
>

 
 
Scott Allen
 
      05-27-2004
I've never tried this in an ASP.NET setting, but with server 2003
there is the Encrypting File System:

Encrypting File System in Windows XP and Windows Server 2003
http://www.microsoft.com/technet/pro...y/cryptfs.mspx

Also, you might want to check out the DPAPI. There are .NET wrappers
for this API.

Windows Data Protection
http://msdn.microsoft.com/security/s...tion-dpapi.asp


Of course, there is also the "C - 4" chip .... I just don't trust any
company with "cyber" in the name:
http://www.computeruser.com/news/00/..._ref=233393570

HTH,

--
Scott
http://www.OdeToCode.com

On Thu, 27 May 2004 09:47:31 +0100, Nick Gilbert
<(E-Mail Removed)> wrote:

>Hi,
>
>As part of a website (ASP.NET) we're creating, we need the ability to
>store documents with pretty much 'mission critical' security. ie, if the
>server is completely compromised (eg a trojan/virus is installed or
>someone physically steals the server) they will still not be able to
>gain access to the content of the files. I can securely transfer the
>files to and from the server, but I am unsure of how best to store them
>securely.
>
>What options do I have? I have thought of using public key encryption
>like PGP, but the users would then have to be trusted with a private key
>which they could leak or lose, and all users would have to have the same
>private key so that they could see each other's files. So I'm not sure
>that idea could be made to work.
>
>I'm wondering if there are any methods that would fit my needs (even if
>it involves buying 3rd party hardware or software to achieve it).
>
>If it matters, it will probably be a Win 2003 web server with a separate
>box running SQL Server 2000 which could also be used for file storage.
>
>Any advice would be appreciated!
>
>Thanks,
>
>Nick Gilbert


 
 
Paul Drust
 
      05-27-2004
Nick,

I was just looking into a similar issue yesterday.

Check out "NetLib Encryptionizer". I've never used it, but it allows
columns or an entire database to be encrypted.

The feature you might like is that you can set up the security so the
DB server is "linked" (my word) to another computer on the network so
that, even if the DB server is physically stolen the encrypted
database cannot be read because it is no longer connected to the
"linked" system.

Might be what you want.


-- Paul


Nick Gilbert <(E-Mail Removed)> wrote in message news:<ecQSz$(E-Mail Removed)>...
> Thanks for your reply, but I don't think you've understood my problem.
>
> SQL Server is only secure if you're limited to accessing it via queries.
> But if someone has access to the box, they have access to the database
> and all the files within it. They could just steal the database files
> and restore them to their own server. SQL Server has no encryption on
> its database files, so if you have the database, you also have access to
> all the information in the files. I need a much more secure solution
> than that... What you're suggesting isn't really any more secure than
> storing something in a non-passworded ZIP/TAR file (or any other file
> format which stores multiple files). If you have the database, you don't
> even need to know any passwords to get the files back out again...
>
> Also SQL Server isn't very good for storing lots of large files (eg
> gigabytes of them) - I think the files themselves are best kept
> separately from the data.
>
> I was more thinking of some kind of encryption system...
>
> Nick....
>
> Steve C. Orr [MVP, MCSD] wrote:
>
> > If I was in your situation I'd seriously consider storing the files in SQL
> > Server. It's got built-in, high-quality security and can store files as
> > easily as any other kind of data.
> >

 
 
Steve C. Orr [MVP, MCSD]
 
      05-27-2004
I'd be quite nervous about having a database that is so wide open to the
public as yours seems to be.

In that case, it sounds like you'll be needing some encryption whether you
store your files in SQL Server or elsewhere.
Here are some articles on encrypting files:
http://www.fawcette.com/vsm/2002_08/...us/default.asp
http://www.devx.com/security/article/7019

--
I hope this helps,
Steve C. Orr, MCSD, MVP
http://Steve.Orr.net


"Nick Gilbert" <(E-Mail Removed)> wrote in message
news:ecQSz$(E-Mail Removed)...
> Thanks for your reply, but I don't think you've understood my problem.
>
> SQL Server is only secure if you're limited to accessing it via queries.
> But if someone has access to the box, they have access to the database
> and all the files within it. They could just steal the database files
> and restore them to their own server. SQL Server has no encryption on
> its database files, so if you have the database, you also have access to
> all the information in the files. I need a much more secure solution
> than that... What you're suggesting isn't really any more secure than
> storing something in a non-passworded ZIP/TAR file (or any other file
> format which stores multiple files). If you have the database, you don't
> even need to know any passwords to get the files back out again...
>
> Also SQL Server isn't very good for storing lots of large files (eg
> gigabytes of them) - I think the files themselves are best kept
> separately from the data.
>
> I was more thinking of some kind of encryption system...
>
> Nick....
>
> Steve C. Orr [MVP, MCSD] wrote:
>
> > If I was in your situation I'd seriously consider storing the files in SQL
> > Server. It's got built-in, high-quality security and can store files as
> > easily as any other kind of data.
> >



 
 
Nick Gilbert
 
      05-28-2004
> I'd be quite nervous about having a database that is so wide open to the
> public as yours seems to be.


It won't be wide open - there are tight logon restrictions and the site
is SSL only. Additionally the SQL Server resides on a separate box
behind a second firewall. However the database only contains meta-data
about the files.. it's the files I'm concerned about.

Nick...
 
 
Steven Cheng[MSFT]
 
      05-31-2004
Hi Nick,

I also think Steve Orr's suggestion to use an encryption component is
reasonable, and that'll make your resources maintained in not only the database
but also any other persistence. And it seems there isn't any other means of
protecting your resources if the machine is controlled by the hacker.


Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

Get Preview at ASP.NET whidbey
http://msdn.microsoft.com/asp.net/whidbey/default.aspx

 