SQL Server Security Questions

We've been reviewing our PCI compliance and I am trying to make sure my bases are covered.  I'm wondering if there are any gaps in the security for my custom application.

I have an ecommerce website that stores information, including credit cards to a SQL Server Database.  The website and ordering process is secured by an SSL certificate.  The credit card info is transmitted and stored encrypted using MD5.  (We process credit cards offline)

My VB.NET appcliation downloads order information, including the encrypted credit card info and generates a QuickBooks invoice.

In the program, I've stored the keys for decrypting the card info.  I run a sub procedure, decrypt the card and using QODBC (an ODBC driver for quickbooks), I write the information to an invoice (or customer file).

My connection string for SQL server looks something like this:  User ID=myuser;Password=mypassword;Initial Catalog = mydb; Data Source = sql2k2.mydataserver.com;"

I connect to the server using SQL Connection (System.Data.SqlClient) in VB.NET.  Is this secure?

I can't think of a way that someone could hack an .exe file and read an SQL Query - or the encrypted Credit Card Number.  And even if they could, I don't know how they could hack the .exe to grab the MD5 keys that are stored in a module.

Then again, I'm not a hacker.

So I know there might not be enough information here for you to provide a concrete answer, but from my description, does it appear that this system should be safe?
LVL 1
slightlyoffAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

CodeCruiserCommented:
Is your SQL Server remote? Remember that the connection string is transmitted as plain text over network.
0
slightlyoffAuthor Commented:
The SQL Server is remote.

But I'm not connecting using HTTP, the program just calls the remote server: sql2k2.mydataserver.com  - is it still possible for someone to "listen" in on our private network?

Thanks for your response!
0
lcohanDatabase AnalystCommented:
"is it still possible for someone to "listen" in on our private network"
If you run that over a VPN connection then you should be safe in my opinion. Same here - we are PCI compliant and we run similar scenario for ecommerce website over secure VPN(cisco).
0
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

lcohanDatabase AnalystCommented:
One thing though - we encrypt the connection string regardless and please see below how to do that if you are not doing it allready - see "Security Note:" in article below and walk the path on those links:

http://msdn.microsoft.com/en-us/library/a65txexh(v=vs.90).aspx
0
Racim BOUDJAKDJIDatabase Architect - Dba - Data ScientistCommented:
Putting logins in connections strings is insecure in itself.  Best security on SQL consists of the following:
> Using exclusively Kerberos based Integrated Security.  Forget SQL based security.
> Not ever using granting downer privilege to any integrated login used by the application.  At most application logins should be no more than data reader and data writer.  If you know the name of the objects used by the application, go as granular as possible
> Disable any other protocol than TCPIP.  Change port by default to something else than 1433.
> Take away BUILT ADMIN  login for good
> Restrict client application host IP to only authorized hosts
> Limit the number of people who have sysadmin or dbo on any database to the strict minimum.

That should help you get started.  Hope this helps...
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
slightlyoffAuthor Commented:
Thank you all for your help.
I wasn't sure how to award points, since it was all helpful.

Thanks again!
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft SQL Server

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.