Sniffing database connection string for SQL 2005

I created a login form for a desktop application. The user uses the form to authenticate against a SQL database. My question is: can the user use a sniffer to retrieve the database connection string when the application makes a connection to the database? Is there a standard way to protect the connection string?
Asked by: mattphung
 
Guy Hengel [angelIII / a3] (Billing Engineer) commented:
integrated security means that you use the client user's Windows account in the connection string automatically.
hence, the only thing you need to do is to create all those user accounts (or a common NT group account they are all part of) as Windows-based logins in the SQL Server security folder, which will be named DOMAIN\LOGIN or DOMAIN\GROUP, and you map that login like a normal SQL account to the databases and grant permissions.
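The setup described in the comment above, written out as T-SQL for SQL Server 2005. This is an added example, not part of the original thread; `CORP\AppUsers`, `AppDb` and `dbserver01` are placeholder names, and the permissions granted are an assumption about what the application needs.

```sql
-- Added example. CORP\AppUsers, AppDb and dbserver01 are placeholders.
-- Run steps 1-3 as an administrator on the SQL Server 2005 instance.

-- 1. Register the Windows group as a server login.
--    SQL Server stores no password for it; Windows authenticates the user.
USE master;
CREATE LOGIN [CORP\AppUsers] FROM WINDOWS WITH DEFAULT_DATABASE = [AppDb];
GO

-- 2. Map that login to a user in the application database.
USE AppDb;
CREATE USER [CORP\AppUsers] FOR LOGIN [CORP\AppUsers];
GO

-- 3. Grant only the permissions the application needs (assumed here:
--    read/write on the dbo schema, no DDL and no db_owner membership).
GRANT SELECT, INSERT, UPDATE ON SCHEMA::dbo TO [CORP\AppUsers];
GO

-- 4. The client connection string then carries no user name or password,
--    so there is no secret in the config file or in the binary:
--      SqlClient: Server=dbserver01;Database=AppDb;Integrated Security=SSPI;
--      OLE DB:    Provider=SQLOLEDB;Data Source=dbserver01;
--                 Initial Catalog=AppDb;Integrated Security=SSPI;
--      ODBC:      Driver={SQL Server};Server=dbserver01;Database=AppDb;
--                 Trusted_Connection=Yes;

-- 5. From a client session opened with one of those strings, confirm the
--    identity SQL Server sees and that access comes through the group.
SELECT SUSER_SNAME()               AS windows_login,
       IS_MEMBER('CORP\AppUsers')  AS in_app_group;  -- 1 = member
```

Granting to a group rather than to individual accounts means access is added or revoked in the domain, without touching the database or the deployed application.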
 
Guy Hengel [angelIII / a3] (Billing Engineer) commented:
he does not even need to use a sniffer if the connection string is not encrypted in the application / config file...

as from then, the connection string is not sent via network, but only used locally with the odbc/oledb objects to establish the connection parameters, so you would need a memory "sniffer" ....
 
mattphung (Author) commented:
I encrypted the connection string in the config file. After the application decrypts the connection string and puts it into memory to be used, can someone then capture the information in memory using a sniffer? What is the best way to prevent this? What is a good memory sniffer software?
 
mattphung (Author) commented:
What if I hard code the connection string in a module?
 
Guy Hengel [angelIII / a3] (Billing Engineer) commented:
the only "secure" thing with SQL Server is to use integrated security, so no password will appear at all.
 
mattphung (Author) commented:
How do you use integrated security? Can you give me an example of what the connection string should look like?
 
Guy Hengel [angelIII / a3] (Billing Engineer) commented:
 
mattphung (Author) commented:
Does integrated security use Windows authentication? Does integrated security work on any computer? I will be installing this on clients' computers, so I don't know if they use Windows authentication.
 
mattphung (Author) commented:
Also, how do I submit the user name and password with integrated security?
 
Guy Hengel [angelIII / a3] (Billing Engineer) commented:
> Does integrated security use Windows authentication?
in short, it IS the same.

> Does integrated security work on any computer?
any computer that is in the same domain, i.e. trusted domain.

> Also, how do I submit the user name and password with integrated security?
you don't. Windows will handle that, submitting the current Windows username/password to the SQL Server box, which will then check with the registered logins based on Windows logins...
 
mattphung (Author) commented:
It's impossible for me to set up Windows authentication on every client's computer. Is there a better way yet that is fairly secure? How do other computers that write software for the public protect their connection string from sniffers?
 
Guy Hengel [angelIII / a3] (Billing Engineer) commented:
> It's impossible for me to set up Windows authentication on every client's computer.
you don't need anything on the client computer, except the proper connection string.

 
mattphung (Author) commented:
Angell-
Do you know any website that will show you how to set up integrated security on the database? How do I enter the client's computer name into the database? Many thanks
 
mattphung (Author) commented:
For example, how does a big company like Norton grant database access to their anti-virus software?
I have Norton Anti-Virus installed on my computer. It communicates with the database to update its definition, so how does it know to grant me access? Did it register my domain\login when it installed the application? Also, what domain\login of mine does Norton use if I didn't create a domain/login? I really appreciate all the help you have given me thus far.
 
Guy Hengel [angelIII / a3] (Billing Engineer) commented:
> For example, how does a big company like Norton grant database access to their anti-virus software?
I have no idea...