Prevent standard user from replacing database files in SQL Server

Question

I'm trying to design an air-gapped server, which will be hosted and managed by the user. I will have SQL Server 2019 running on that server, which will access an important hosted database.

How do I prevent the user from modifying or replacing the database on the filesystem level? Note that the user will be a standard user and will not have Administrator privileges.

I know that I can control database access using roles and passwords, so I'm more worried about the filesystem access to the database files.

Architecture

• A .NET application running with standard privileges which the user can use to view some data from the database (limited read access).
• A WCF webservice running with administrative privileges that can read / write to the database but the user will have no access to this.

Ideal scenario

• All access to the database must go through SQL Server.
• The user will have no direct access to the database through the filesystem.
• The user should only be able to selectively view some data through the .NET application.

Answer 1

There is nothing you can do to prevent a user who has admin rights on the system from doing whatever they want.

Ideally you would give them a black box system which they have no admin rights on, but then they cannot manage it properly, as sysadmin work always needs admin rights.

So the files and folders containing the database files would be owned and only have access by the SQL Server service account. All other users should have no rights on it. This should prevent a standard user without physical access to the box from gaining access.

If they are a limited user you can lock down the file system like this easily, but a determined user with physical access can still hack through. Ultimately, either you provide this over the cloud (host it yourself) or write a good contract. There is simply no other way.