The situation is a Windows XP laptop with a password required for logon, and a database running in Microsoft SQL Server Developer Edition with Windows authentication.
I’ve been asked to investigate how secure the information would be in the event the laptop was lost or stolen. I’m not quite sure how to characterize it. It seems pretty secure against someone who is only a computer application user as long as he doesn’t have the password.
What level of IT/hacker skills is required to recover the data without the password? Any good IT guy? Any good DBA? J Random hacker? We are interested in identity theft-type info: name, address, SSN, etc.
It is no problem to mount the data files (*.mdf) in a new SQL Server and access the data in these files, if the data are not encrypted.
Here is an introduction to SQL Server encryption: http://msdn.microsoft.com/en-us/library/cc278098%28v=sql.100%29.aspx
A possible and very(!) safe solution would be to encrypt the whole disk using a tool like TrueCrypt (http://www.truecrypt.org/) – this is standard procedure in industry.
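As an added example (not part of the answer above), this is the Transact-SQL a DBA would run to turn on Transparent Data Encryption, which is what stops a copied .mdf from simply being attached to another instance. The database name CustomerDB, the certificate name, the file paths and the passwords are placeholders; TDE is assumed to be available, which requires SQL Server 2008 or later (Developer Edition includes it).

```sql
-- Added example: enable Transparent Data Encryption (TDE) so that the
-- .mdf/.ldf files and backups are unreadable on any instance that does not
-- hold the server certificate. Names, paths and passwords are placeholders.
-- Assumes SQL Server 2008 or later (Developer Edition includes TDE).
USE master;
GO
-- 1. The database master key in master protects the certificate's private key.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong master key password>';
GO
-- 2. Server certificate that will protect the database encryption key.
CREATE CERTIFICATE TDECert WITH SUBJECT = 'TDE certificate for CustomerDB';
GO
-- 3. Back up the certificate and private key now and keep the copy off the
--    laptop: without it the database can never be restored or re-attached.
BACKUP CERTIFICATE TDECert
    TO FILE = 'D:\keybackup\TDECert.cer'
    WITH PRIVATE KEY (FILE = 'D:\keybackup\TDECert.pvk',
                      ENCRYPTION BY PASSWORD = '<strong private key password>');
GO
-- 4. Create the database encryption key and switch encryption on.
USE CustomerDB;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TDECert;
GO
ALTER DATABASE CustomerDB SET ENCRYPTION ON;
GO
-- 5. Check the result: encryption_state 3 means encrypted, 2 means the
--    background encryption scan is still running (see percent_complete).
--    tempdb is listed as well because TDE encrypts it automatically.
SELECT DB_NAME(database_id) AS database_name,
       encryption_state,
       percent_complete,
       key_algorithm,
       key_length
FROM sys.dm_database_encryption_keys;
```

TDE protects the files at rest only; anyone who can open a session on the running instance still reads plaintext, so it complements rather than replaces the full-disk encryption the answer recommends.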