What recommendations should I follow to prevent anyone from hacking or getting the SQL Server database file (MDF file)?
Note: I use SQL Server 2005.
Some simple recommendations:
- Do not expose access to your database server to the internet. It should be behind a firewall that only allows the web server to access it over a particular port (not the default).
- Do not allow remote desktop or any other type of similar access from external connections. For internal connections, ensure that the passwords follow some type of policy. For example, require numbers, extended characters, etc.
- Keep the database files in the normal data directory for SQL Server (file security is already set up for you).
- Use transparent database encryption: http://msdn.microsoft.com/en-au/magazine/cc163771.aspx#S5 and How to protect the sql server 2005 MDF file
- Make sure file sharing is turned off.
- Make sure the only people who can access that server are the ones responsible for it.
- Read up on SQL injection to prevent other access mechanisms.
- Use Active Directory security for database user accounts.
- Use SSPI for the db connections so that you don't have a username/password stored in your web.config.
- Make sure that the network connection between your web and database server is encrypted via Kerberos.
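An added example, not part of the original answer: a small Python audit of a `web.config` for the connection-string points in the list above (SSPI instead of a stored password, an encrypted connection, a non-default port). The sample config, host name, database name and function names are constructed for illustration, and it assumes encryption is requested with the SqlClient `Encrypt` keyword.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config (not from the original post); server and
# database names are placeholders.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <add name="WeakDb"
         connectionString="Data Source=db01.example.internal,1433;Initial Catalog=Shop;User ID=webapp;Password=Example123" />
    <add name="SspiDb"
         connectionString="Data Source=db01.example.internal,14330;Initial Catalog=Shop;Integrated Security=SSPI;Encrypt=True" />
  </connectionStrings>
</configuration>
"""

def parse_connection_string(cs):
    """Split 'key=value;key=value' into a dict with lower-cased keys."""
    pairs = {}
    for part in cs.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            pairs[key.strip().lower()] = value.strip()
    return pairs

def audit_web_config(xml_text):
    """Return {connection name: [findings]} for each <add> under <connectionStrings>."""
    findings = {}
    root = ET.fromstring(xml_text)
    for add in root.findall("./connectionStrings/add"):
        kv = parse_connection_string(add.get("connectionString", ""))
        issues = []
        if "password" in kv or "pwd" in kv:
            issues.append("stored password")
        integrated = kv.get("integrated security", kv.get("trusted_connection", "")).lower()
        if integrated not in ("sspi", "true", "yes"):
            issues.append("not using integrated security (SSPI)")
        if kv.get("encrypt", "").lower() not in ("true", "yes"):
            issues.append("connection encryption not requested")
        server = kv.get("data source", kv.get("server", ""))
        if server.endswith(",1433"):  # 1433 is the SQL Server default TCP port
            issues.append("default port 1433 set explicitly")
        findings[add.get("name")] = issues
    return findings

if __name__ == "__main__":
    for name, issues in audit_web_config(SAMPLE_WEB_CONFIG).items():
        print(name, "->", issues or "ok")
```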
The same way you would protect any other file on your server.
I'd use a firewall and block every port that isn't needed.