Home » Remote Desktop Manager - Help » Security?

Support forum for Remote Desktop Manager
7/26/2011 5:55:40 AM

alphanimal
Posts: 62
Hi!

We are using RDM with a SQL Server and have Offline Mode enabled.
Is there a way to protect the database (the credentials specifically) from being accessed without entering a password or authenticating with some other method (Kerberos ...)?

Is the data that is stored in offline mode encrypted somehow?

What can we do to secure the database, if a computer gets stolen or is accessed by the bad guys (hacked?) in some way?

thanks!
7/28/2011 10:01:45 PM

james_burd
Posts: 5
I believe that even most of the data stored in the database is encrypted. I think what would work here (and I have suggested) is an offline expiration policy. That way if the computer is lost/stolen the offline mode would expire and become unusable unless they could connect to the SQL server again. He has agreed to add the expiration policy but I am not sure when.
7/29/2011 2:12:14 AM

alphanimal
Posts: 62
> I believe that even most of the data stored in the database is encrypted.

To protect the data in the database, it helps to not save the SQL Server password in the data source, so the user has to enter it every time.
The problem is Offline mode. If I can open the database without even entering a password, it's not safe really.

IMO all locally stored data (including data source configuration, which includes a password, too) should be encrypted using a key entered by the user, which he must enter every time the program is launched.
By encrypting the data source configuration, the SQL server password is safe, too, and each user can have their own key.

> I think what would work here (and I have suggested) is an offline expiration policy.

That would be nice to have for other reasons, but it doesn't add much regarding security.

Ultimately, we should force users to encrypt their whole hard drives.
8/4/2011 4:47:07 AM

David Hervieux
Administrator
Posts: 4241
Hi,
I'm not sure if I will have the time to add this for this release, but I take every security problem seriously and I will add the option to ask for a password for the offline mode. The encrypted data will use a mix of the machine info, our private key and the password.

--
David Hervieux
Devolutions inc.
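
One way a password-protected offline cache like the one discussed above could work, as an added example that is not part of the thread and is not Remote Desktop Manager's code. The names `APP_SECRET`, `deriveKey`, `sealCache` and `openCache`, the blob layout and the scrypt parameters are assumptions made for the illustration.

```javascript
// Added example: password-protected offline cache (not the product's own code).
const crypto = require('node:crypto');

// Hypothetical stand-in for a constant shipped inside the application binary.
const APP_SECRET = Buffer.from('constructed-app-constant');

// Derive a 256-bit key with scrypt. Only the password is secret; the machine
// info and the app constant just bind the cache to one installation.
function deriveKey(password, machineInfo, salt) {
  const binding = crypto.createHmac('sha256', APP_SECRET).update(machineInfo).digest();
  return crypto.scryptSync(password, Buffer.concat([salt, binding]), 32,
    { N: 1 << 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 });
}

// Assumed blob layout: salt(16) | iv(12) | GCM tag(16) | ciphertext
function sealCache(plaintext, password, machineInfo) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const key = deriveKey(password, machineInfo, salt);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([salt, iv, cipher.getAuthTag(), body]);
}

// Returns the plaintext, or null when the password or machine info does not
// match or the blob was modified (the GCM tag check fails in final()).
function openCache(blob, password, machineInfo) {
  if (blob.length < 44) return null; // too short to hold salt, iv and tag
  const salt = blob.subarray(0, 16), iv = blob.subarray(16, 28);
  const tag = blob.subarray(28, 44), body = blob.subarray(44);
  const key = deriveKey(password, machineInfo, salt);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);
  decipher.setAuthTag(tag);
  try {
    return Buffer.concat([decipher.update(body), decipher.final()]).toString('utf8');
  } catch (err) {
    return null;
  }
}

// Constructed sample entry standing in for cached connection data.
const sample = JSON.stringify({ host: 'srv01.example.test', user: 'svc', password: 'constructed' });
const blob = sealCache(sample, 'correct horse', 'MACHINE-A');
console.log('right password:', openCache(blob, 'correct horse', 'MACHINE-A') === sample);
console.log('wrong password:', openCache(blob, 'wrong', 'MACHINE-A'));
console.log('other machine: ', openCache(blob, 'correct horse', 'MACHINE-B'));
```

Anyone holding the laptop can read the machine info and extract a constant embedded in the application, so in a design like this the protection of a stolen cache rests on the strength of the password.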


1/25/2012 2:40:43 PM

allesrob
Posts: 8
As I'm testing I see this as a huge issue preventing use of the program in the way I would most likely deploy it. In addition to the complete lack of security for offline mode, locking the datasource doesn't stop you from hitting duplicate or viewing the settings, which renders that useless. So I would have to disable offline mode for everyone.
1/25/2012 4:39:54 PM

David Hervieux
Administrator
Posts: 4241
Hi,
I understand your concern and this is why we plan to add more security features.

--
David Hervieux
Devolutions inc.

