Improve company productivity with a Business Account.Sign Up

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 391
  • Last Modified:

SQL Server Security Questions

We've been reviewing our PCI compliance and I am trying to make sure my bases are covered.  I'm wondering if there are any gaps in the security for my custom application.

I have an ecommerce website that stores information, including credit cards to a SQL Server Database.  The website and ordering process is secured by an SSL certificate.  The credit card info is transmitted and stored encrypted using MD5.  (We process credit cards offline)

My VB.NET appcliation downloads order information, including the encrypted credit card info and generates a QuickBooks invoice.

In the program, I've stored the keys for decrypting the card info.  I run a sub procedure, decrypt the card and using QODBC (an ODBC driver for quickbooks), I write the information to an invoice (or customer file).

My connection string for SQL server looks something like this:  User ID=myuser;Password=mypassword;Initial Catalog = mydb; Data Source = sql2k2.mydataserver.com;"

I connect to the server using SQL Connection (System.Data.SqlClient) in VB.NET.  Is this secure?

I can't think of a way that someone could hack an .exe file and read an SQL Query - or the encrypted Credit Card Number.  And even if they could, I don't know how they could hack the .exe to grab the MD5 keys that are stored in a module.

Then again, I'm not a hacker.

So I know there might not be enough information here for you to provide a concrete answer, but from my description, does it appear that this system should be safe?
0
slightlyoff
Asked:
slightlyoff
3 Solutions
 
CodeCruiserCommented:
Is your SQL Server remote? Remember that the connection string is transmitted as plain text over network.
0
 
slightlyoffAuthor Commented:
The SQL Server is remote.

But I'm not connecting using HTTP, the program just calls the remote server: sql2k2.mydataserver.com  - is it still possible for someone to "listen" in on our private network?

Thanks for your response!
0
 
lcohanDatabase AnalystCommented:
"is it still possible for someone to "listen" in on our private network"
If you run that over a VPN connection then you should be safe in my opinion. Same here - we are PCI compliant and we run similar scenario for ecommerce website over secure VPN(cisco).
0
A proven path to a career in data science

At Springboard, we know how to get you a job in data science. With Springboard’s Data Science Career Track, you’ll master data science  with a curriculum built by industry experts. You’ll work on real projects, and get 1-on-1 mentorship from a data scientist.

 
lcohanDatabase AnalystCommented:
One thing though - we encrypt the connection string regardless and please see below how to do that if you are not doing it allready - see "Security Note:" in article below and walk the path on those links:

http://msdn.microsoft.com/en-us/library/a65txexh(v=vs.90).aspx
0
 
Racim BOUDJAKDJIDatabase Architect - Dba - Data ScientistCommented:
Putting logins in connections strings is insecure in itself.  Best security on SQL consists of the following:
> Using exclusively Kerberos based Integrated Security.  Forget SQL based security.
> Not ever using granting downer privilege to any integrated login used by the application.  At most application logins should be no more than data reader and data writer.  If you know the name of the objects used by the application, go as granular as possible
> Disable any other protocol than TCPIP.  Change port by default to something else than 1433.
> Take away BUILT ADMIN  login for good
> Restrict client application host IP to only authorized hosts
> Limit the number of people who have sysadmin or dbo on any database to the strict minimum.

That should help you get started.  Hope this helps...
0
 
slightlyoffAuthor Commented:
Thank you all for your help.
I wasn't sure how to award points, since it was all helpful.

Thanks again!
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

What Kind of Coding Program is Right for You?

There are many ways to learn to code these days. From coding bootcamps like Flatiron School to online courses to totally free beginner resources. The best way to learn to code depends on many factors, but the most important one is you. See what course is best for you.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now