Solved

Sniffing database connection string for SQL 2005

Posted on 2007-07-31
Last Modified: 2010-08-05
I created a login form for a desktop application. The user uses the form to authenticate against a SQL database. My question is: can the user use a sniffer to retrieve the database connection string when the application makes a connection to the database? Is there a standard way to protect the connection string?
0
Question by:mattphung
15 Comments
 
LVL 143

Expert Comment

by:Guy Hengel [angelIII / a3]
ID: 19606220
he does not even need to use a sniffer if the connection string is not encrypted in the application / config file...

as from then, the connection string is not sent via network, but only used locally with the odbc/oledb objects to establish the connection parameters, so you would need a memory "sniffer" ....
0
 

Author Comment

by:mattphung
ID: 19606234
I encrypted the connection string in the config file. After the application decrypts the cn string and puts it into memory to be used, can someone capture the information in memory using a sniffer? What is the best way to prevent this? What is a good memory sniffer software?
0
 

Author Comment

by:mattphung
ID: 19606240
What if I hard code the connection string in a module?
0

 
LVL 143

Expert Comment

by:Guy Hengel [angelIII / a3]
ID: 19606271
the only "secure" thing with sql server is to use integrated security, so no password will appear at all.
0
 

Author Comment

by:mattphung
ID: 19606296
How do you use integrated security? Can you give me an example of what the connection string should look like?
0
 
LVL 143

Expert Comment

by:Guy Hengel [angelIII / a3]
ID: 19606343
0
 

Author Comment

by:mattphung
ID: 19606412
Does integrated security use Windows authentication? Does integrated security work on any computer? I will be installing this on clients' computers so I don't know if they use Windows authentication.
0
 

Author Comment

by:mattphung
ID: 19606418
Also, how do I submit the user name and password with integrated security?
0
 
LVL 143

Expert Comment

by:Guy Hengel [angelIII / a3]
ID: 19606487
>Does integrated security use windows authentication?
in short, it IS the same.

>Does integrated security work on any computer?
any computer that is in the same domain, i.e. trusted domain.

>Also, how do I submit the user name and password with integrated security?
you don't. windows will handle that, submitting the current windows username/password to the sql server box, which will then check with the registered logins based on windows logins...
0
 

Author Comment

by:mattphung
ID: 19610393
It's impossible for me to set up Windows authentication on every client's computer. Is there a better way yet that is fairly secure? How do other computers that write software for the public protect their connection string from sniffers?
0
 
LVL 143

Expert Comment

by:Guy Hengel [angelIII / a3]
ID: 19610432
>It's impossible for me to set up windows authentication on every client's computer.
you don't need anything on the client computer, except the proper connection string.

0
 

Author Comment

by:mattphung
ID: 19610519
Angell-
Do you know any website that will show you how to set up integrated security on the database? How do I enter the client's computer name into the database? Many thanks.
0
 
LVL 143

Accepted Solution

by:
Guy Hengel [angelIII / a3] earned 1500 total points
ID: 19610616
integrated security means that you use the client user's windows account in the connection string automatically.
hence, the only thing you need to do is to create all those user accounts (or a common nt group account they are all part of) as Windows-based login in the sql server security folder, which will be named DOMAIN\LOGIN or DOMAIN\GROUP, and you map that login like a normal sql account to the databases and grant permissions.
0
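
The setup described in the accepted answer, written out as an added T-SQL example for SQL Server 2005 (not part of the original thread, and not the expert's own code). `CONTOSO\AppUsers`, `AppDb`, `app_rw`, `dbo.Orders` and `dbhost` are placeholder names; it assumes the database already exists and that you run it as a sysadmin.

```sql
-- Added example: all object, domain and host names below are placeholders.

-- 1. Server-level login for a Windows group. SQL Server stores no password
--    for it; membership is managed in the domain, not in the database.
USE master;
CREATE LOGIN [CONTOSO\AppUsers] FROM WINDOWS
    WITH DEFAULT_DATABASE = [AppDb];
GO

-- 2. Map that login to a user inside the application database.
USE AppDb;
CREATE USER [CONTOSO\AppUsers] FOR LOGIN [CONTOSO\AppUsers];

-- 3. Grant through a role, limited to what the application needs,
--    rather than db_owner or direct grants to the login.
CREATE ROLE app_rw;
GRANT SELECT, INSERT, UPDATE ON dbo.Orders TO app_rw;
EXEC sp_addrolemember 'app_rw', 'CONTOSO\AppUsers';
GO

-- 4. Client side: the connection string carries no secret at all.
--      SQL login (password sits in config and in process memory):
--        Server=dbhost;Database=AppDb;User Id=app;Password=...;
--      Integrated security (nothing to decrypt or dump):
--        Server=dbhost;Database=AppDb;Integrated Security=SSPI;

-- 5. Verify that the Windows principals exist as server logins.
SELECT name, type_desc
FROM sys.server_principals
WHERE type IN ('U', 'G');          -- U = Windows login, G = Windows group

-- 6. Audit live sessions: auth_scheme shows NTLM or KERBEROS for
--    integrated security and SQL for password logins; encrypt_option
--    shows whether the connection itself is encrypted on the wire.
SELECT s.session_id, s.login_name, s.host_name,
       c.auth_scheme, c.encrypt_option
FROM sys.dm_exec_sessions AS s
JOIN sys.dm_exec_connections AS c
    ON c.session_id = s.session_id
WHERE s.is_user_process = 1;
```

The query in step 6 needs VIEW SERVER STATE permission; any row with `auth_scheme = 'SQL'` is a client still sending a SQL login and password.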
 

Author Comment

by:mattphung
ID: 19610719
For example, how does a big company like Norton grant database access to their anti-virus software?
I have Norton Anti-virus installed on my computer. It communicates with the database to update its definition so how does it know to grant me access? Did it register my domain\login when it installed the application? Also, what domain\login of mine does Norton use if I didn't create a domain/login? I really appreciate all the help you have given me thus far.
0
 
LVL 143

Expert Comment

by:Guy Hengel [angelIII / a3]
ID: 19610862
>For example, how does a big company like Norton grant database access to their anti-virus software?
I have no idea...
0


Question has a verified solution.
