1

I need a way to lock a SQL Server Express database that is deployed to a PC, which may or may not be on a domain.

I would like to ensure that the end user cannot access the database aside from a highly restricted access via stored procedures, even if they put the system on their domain, and are a domain administrator, because tampering with the data would present data integrity concerns.

I could secure an administrative credentials for the sa user. However I would like to establish credentials for only 1 user that only has visibility and ability to execute stored procedures which are already created. Additionally the user has no read/query access to the actual tables or actual data in the tables.

Is there any way to do what I need using SQL Server Express? Or, is there a different FREE database that could accomplish this (that has the same 'power' as SQL Server Express)?

marc_s
  • 732,580
  • 175
  • 1,330
  • 1,459
JasonJ
  • 51
  • 3
  • You should really be asking this question on [Server Fault](https://serverfault.com/) – Zak Jan 27 '21 at 22:35
  • You can lock down access to tables for any SQL login. But if a user is local admin on that PC, then they can do anything, including impersonating `SYSTEM` account, and therefore they can read whatever data they want direct from the files etc. Domain admins can trivially elevate themselves to local admin. – Charlieface Jan 27 '21 at 22:38
  • @Zak thank you, I have posed the question on Server Fault. – JasonJ Jan 30 '21 at 20:12
  • @Charlieface - That is pretty much what I figured, unfortunately I need a way to prevent someone from being able to alter data once it has been registered. Even if I had to switch to a different database would be acceptable. – JasonJ Jan 30 '21 at 20:16
  • As I said, it is pretty much absolutely impossible to prevent someone with local admin rights from doing anything, it is irrelevant which DBMS you use. They can shut down the DBMS service and read the files directly. If they need to decrypt, they can read the encryption key anyway. They could also read data direct out of the service's RAM. Obviously this can be difficult for someone not technically minded. But If you want to be sure then you **must** place such data on a different PC where they cannot get admin rights. – Charlieface Jan 30 '21 at 20:24

0 Answers0