Tuesday, March 20, 2012

Patching SQLServer/MSDE

We are developing a desktop application that will use an MSDE database. The data in the DB we deploy cannot be read by users, or administrators of the box or other SQL Server admins. To accomplish this, we have learned we would have to install a separate instance of SQLServer/MSDE on the user's PC (or, alternately, encrypt the database).

The downside to a separate instance is we would be responsible to apply any SQL Server patches to our instance. Our software is given to our customers, and we have no control over their machines, so we will have to issue service patches for our software that contain the SQL Server patches as they come out.

My question is this: Obviously, it will be difficult for us to get patches of our software out there immediately after each SQL Server patch is released by Microsoft. Are there threats that SQL Server remedy that can possibly have an adverse effect on software/hardware outside of our database that is using the SQL Server instance? I'm wondering about our liability if say, we release our version of a patch 1-2 months after Microsoft releases their patch. I know our database may be threatened, but is there the possibility the user's machines/network would also be threatened if certain patches are not installed in a timely manner? I understand how this would be a major issue if we were talking about patches to IIS, but not so sure about SQL Server.

Any thoughts on this are greatly appreciated.
Thanks!

MSDE can be configured to listen only on Shared Memory. This will limit your exposure from external machines. So, other machines won't be able to connect to your instance of MSDE, since it's not listening on TCP or Named Pipes. Only local connections would succeed.

MBSA 1.2 can be used to scan the local machine to see if it needs any SQL related security fixes. This could be documented in your application notes.
http://www.microsoft.com/technet/se...s/mbsahome.mspx

You can also find out Best Practices on the web:
http://www.microsoft.com/technet/pr...n/sp3sec00.mspx

Thanks,
Kevin McDonnell
Microsoft Corporation
This posting is provided AS IS with no warranties, and confers no rights.
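
One way to check the Shared Memory-only setup described in the reply above, as an added example that is not part of the original post: it parses `netstat -ano` output and lists the TCP/UDP sockets owned by the instance's process. The sample output, the PIDs and the function names are constructed for illustration; netstat does not show Named Pipes, so this covers only the TCP/UDP side.

```python
"""Check `netstat -ano` output for network sockets owned by an MSDE instance."""

# Constructed sample: PID 1720 stands in for sqlservr.exe (the PID is an
# assumption; on a real machine read it from `tasklist`).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING       1720
  TCP    127.0.0.1:5152         0.0.0.0:0              LISTENING       2044
  TCP    10.0.0.5:1433          10.0.0.9:49211         ESTABLISHED     1720
  UDP    0.0.0.0:1434           *:*                                    1720
"""

LOOPBACK = ("127.", "[::1]")


def instance_sockets(netstat_text, pids):
    """Return (proto, local_address, remotely_reachable) for every listening
    TCP socket or bound UDP socket owned by one of `pids`."""
    found = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue  # banner, header or blank line
        proto, local, pid = fields[0], fields[1], fields[-1]
        if not pid.isdigit() or int(pid) not in pids:
            continue
        # TCP rows carry a State column; UDP rows do not.
        if proto == "TCP" and (len(fields) != 5 or fields[3] != "LISTENING"):
            continue
        found.append((proto, local, not local.startswith(LOOPBACK)))
    return found


def no_network_sockets(netstat_text, pids):
    """True when the instance owns no TCP or UDP socket at all
    (Named Pipes are not visible in netstat and are not covered here)."""
    return not instance_sockets(netstat_text, pids)


if __name__ == "__main__":
    for proto, local, reachable in instance_sockets(SAMPLE_NETSTAT, {1720}):
        scope = "reachable from other machines" if reachable else "loopback only"
        print(f"{proto} {local}: {scope}")
```
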
