Captools/net Documentation

Database Security

Database Security

Previous topic Next topic  

Database Security

Previous topic Next topic  

Database Acccess Password


The Captools/net database is initially installed using "Mixed Mode Authentication" and "sa" as the user and "sbux$1234" as the database password.  These are used to secure the database from being accessed by a remote computer which does not have the correct log-in details.  Since the default values are publically documented here, you are strongly urged to change at least the password soon after installation before you enter "real" client data.  Changing these is a two step process:


1) Use Microsoft's Microsoft SQL Server Management Studio Express (to download go to and search for "Microsoft SQL Server Management Studio Express") to change the database user id and password.


When you log into the MS SQL Management Studio, select "CAPTOOLSDBINST" and use "Windows Authentication":




Next, expand the "Security" node and then the "Logins" node.  Double click on the "sa" login to obtain the following dialog on which you should change the database password for the "sa" login. The reason for this is that the default password that we use for this login when we do the install is published in this documentation.  For extra security, you can also change the log in user from "sa" to something else by right clicking on the "sa" and selecting "New Login" which will present a dialog similar to below except that you can create a new Login name as well as password.





Disabling "SA" Login - If you do create a new Login name, it is recommended that you disable the "sa" login account, by double clicking on it to open its "Login Properties" and clicking on "Status" to expose the settings which allow you to "Deny" connection to the database and "Disable" Login:




2) Second, you will need to change Captools/net's record of the CAPTOOLSDBINST database instance login name and password to match the change you made above. This is done via the Captools/net Server Control Panel by using the "Admin/Configure Captools/net Database" command:





Change the database user name and password on the resulting dialog.




Database Encryption


Placing password-based access protection on the database per the above subtopic does not to secure database information from an unauthorized person should they get hold of your database files either by physically taking the hard drive or by downloading the database files via a hack attack.  To protect against this your database needs to be encrypted, or better yet you need to encrypt your entire hard drive.  SQL Server offers a feature called "Transparent Data Encryption" (TDE) which implements encryption of the entire database in a manner which will allow any software such as Captools/net which provides the user name and password to access the data in a "transparent" manner, yet denies access without that password.  TDE implementation is discussed in the following Microsoft article:


BitLocker - A more encompassing way to ensure data security, is to encrypt your hard drive.  This has the advantage of also protecting information residing in documents outside of the database such as custodian download files, emails, etc.  Microsoft Windows 7 and later versions offer the capability to do this using "BitLocker", which we recommend as the way to implement such encryption, with the caveat that you must ensure that you retain copies of your BitLocker passwords in a safe location separate from your computer to ensure that you can gain access to your data.  Also, while Bit Locker protects your data from someone who gains physical control of your hard drive, it does not protect against a hacker who gains entry to your system via malware which operates after you have unlocked a bitlocker secured drive to do your work.  The only defense against this risk is to maintain good security practices (e.g. do not open suspicious emails, have your firewall turned on, etc.) and also to consider excluding sensitive personally identifiable information (i.e. tax id's) from your database.  If your imports from your custodian include tax id's used as "Client Id's in your Captools database, we recommend that you change these by replacing 3 or 4 lead or middle digits with client initials thereby maintaining a unique identifier but not revealing a full tax id.