[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now

x
?
Solved

How can I encrypt SQL Server Authentication credentials?

Posted on 2007-12-06
8
Medium Priority
?
1,688 Views
Last Modified: 2008-03-07
We have a SQL Server 2005 server which is not part of a domain. We want to use SQL Server Authentication in order to connect to this server, but want the login credentials to be encrypted when the connection attempts to the servers are made so that no one can sniff out the credentials. Using Windows Authentication is not an option at all.

This is a highly sensitive server and we want to ensure that no one will be able to sniff out the login credentials as a user attempts to connect to the SQL Server, this is why we need to be able to encrypt the credentials as the connection attempt is made.
0
Comment
Question by:nyphalanx
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
  • 2
8 Comments
 
LVL 17

Expert Comment

by:Chris Mangus
ID: 20423693
How are you accessing the server?  Perhaps SSL is your answer.
0
 
LVL 27

Expert Comment

by:ptjcb
ID: 20423698
The issue that you have is that SQL Authentication uses a hash, not encryption, for passwords.

FROM http://blogs.msdn.com/lcris/archive/2007/04/30/sql-server-2005-about-login-password-hashes.aspx

When a login occurs, the password submitted by the user is hashed and compared to the stored hash - if they match, the password is accepted and the login succeeds.

You can encrypt the connection string

http://msdn2.microsoft.com/en-us/library/ms998300.aspx

To help make sure that the SQL account credentials remain confidential, you should encrypt the connection string in the Web.config file. To do so, you use the Aspnet_regiis utility with either the Windows Data Protection API (DPAPI) or RSA protected configuration providers.
0
 
LVL 17

Expert Comment

by:Chris Mangus
ID: 20423701
BOL has a topic on it at:  ms-help://MS.SQLCC.v9/MS.SQLSVR.v9.en/udb9/html/e1e55519-97ec-4404-81ef-881da3b42006.htm
0
Put Machine Learning to Work--Protect Your Clients

Machine learning means Smarter Cybersecurity™ Solutions.
As technology continues to advance, managing and analyzing massive data sets just can’t be accomplished by humans alone. It requires huge amounts of memory and storage, as well as high-speed processing of the cloud.

 

Author Comment

by:nyphalanx
ID: 20428616
I'm not concerned about having the connection string encrypted inside my web.config or any other type of configuration file. I just want to be sure that it is not in plain text as the connection is made accross the network. Reading ptjcb's reply SQL Authentication uses a hash? So does this mean that as the connection is made to SQL Server that the login credentials are not sent accross in plain text, is this the default behavior?
0
 
LVL 17

Accepted Solution

by:
Chris Mangus earned 1000 total points
ID: 20428907
Yes, it does use a hash.  However, that doesn't give you real security.  For instance, I can brute force hack a hashed password using the undocumented PWDCOMPARE function.  

You really need an encrypted pipe between your application server and your database server if you want real security.
0
 
LVL 27

Expert Comment

by:ptjcb
ID: 20430135
How are you making the connection across the network? Is this an internal network or is it connected using the Web? Are you using SSL, ASP.NET?

The default login credentials are in plain text.

0
 

Author Comment

by:nyphalanx
ID: 20430156
It is an internal network, and we're just using a VBA excel program to make our database connections. We just want to make sure that even though we're using SQL Server authentication that the password is not sent accross the network in plain text.
0
 
LVL 27

Expert Comment

by:ptjcb
ID: 20430219
Just from your description, I would say that, yes, you are sending the connection information across as plain text.

Are you using ODBC? SQL Server Native connection? Are you using a connection string? How is the Excel program accessing the server?

0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Will you be ready when the clock on GDPR compliance runs out? Is GDPR even something you need to worry about? Find out more about the upcoming regulation changes and download our comprehensive GDPR checklist today !
Check out what's been happening in the Experts Exchange community.
Using examples as well as descriptions, and references to Books Online, show the documentation available for datatypes, explain the available data types and show how data can be passed into and out of variables.
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

656 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question