Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

SQL Server Security Questions

Posted on 2012-03-20
6
Medium Priority
?
387 Views
Last Modified: 2012-06-27
We've been reviewing our PCI compliance and I am trying to make sure my bases are covered.  I'm wondering if there are any gaps in the security for my custom application.

I have an ecommerce website that stores information, including credit cards to a SQL Server Database.  The website and ordering process is secured by an SSL certificate.  The credit card info is transmitted and stored encrypted using MD5.  (We process credit cards offline)

My VB.NET appcliation downloads order information, including the encrypted credit card info and generates a QuickBooks invoice.

In the program, I've stored the keys for decrypting the card info.  I run a sub procedure, decrypt the card and using QODBC (an ODBC driver for quickbooks), I write the information to an invoice (or customer file).

My connection string for SQL server looks something like this:  User ID=myuser;Password=mypassword;Initial Catalog = mydb; Data Source = sql2k2.mydataserver.com;"

I connect to the server using SQL Connection (System.Data.SqlClient) in VB.NET.  Is this secure?

I can't think of a way that someone could hack an .exe file and read an SQL Query - or the encrypted Credit Card Number.  And even if they could, I don't know how they could hack the .exe to grab the MD5 keys that are stored in a module.

Then again, I'm not a hacker.

So I know there might not be enough information here for you to provide a concrete answer, but from my description, does it appear that this system should be safe?
0
Comment
Question by:slightlyoff
6 Comments
 
LVL 83

Assisted Solution

by:CodeCruiser
CodeCruiser earned 668 total points
ID: 37743679
Is your SQL Server remote? Remember that the connection string is transmitted as plain text over network.
0
 
LVL 1

Author Comment

by:slightlyoff
ID: 37744337
The SQL Server is remote.

But I'm not connecting using HTTP, the program just calls the remote server: sql2k2.mydataserver.com  - is it still possible for someone to "listen" in on our private network?

Thanks for your response!
0
 
LVL 40

Assisted Solution

by:lcohan
lcohan earned 664 total points
ID: 37744681
"is it still possible for someone to "listen" in on our private network"
If you run that over a VPN connection then you should be safe in my opinion. Same here - we are PCI compliant and we run similar scenario for ecommerce website over secure VPN(cisco).
0
NEW Veeam Agent for Microsoft Windows

Backup and recover physical and cloud-based servers and workstations, as well as endpoint devices that belong to remote users. Avoid downtime and data loss quickly and easily for Windows-based physical or public cloud-based workloads!

 
LVL 40

Expert Comment

by:lcohan
ID: 37744705
One thing though - we encrypt the connection string regardless and please see below how to do that if you are not doing it allready - see "Security Note:" in article below and walk the path on those links:

http://msdn.microsoft.com/en-us/library/a65txexh(v=vs.90).aspx
0
 
LVL 23

Accepted Solution

by:
Racim BOUDJAKDJI earned 668 total points
ID: 37744816
Putting logins in connections strings is insecure in itself.  Best security on SQL consists of the following:
> Using exclusively Kerberos based Integrated Security.  Forget SQL based security.
> Not ever using granting downer privilege to any integrated login used by the application.  At most application logins should be no more than data reader and data writer.  If you know the name of the objects used by the application, go as granular as possible
> Disable any other protocol than TCPIP.  Change port by default to something else than 1433.
> Take away BUILT ADMIN  login for good
> Restrict client application host IP to only authorized hosts
> Limit the number of people who have sysadmin or dbo on any database to the strict minimum.

That should help you get started.  Hope this helps...
0
 
LVL 1

Author Closing Comment

by:slightlyoff
ID: 37753088
Thank you all for your help.
I wasn't sure how to award points, since it was all helpful.

Thanks again!
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Ever wondered why sometimes your SQL Server is slow or unresponsive with connections spiking up but by the time you go in, all is well? The following article will show you how to install and configure a SQL job that will send you email alerts includ…
This article shows gives you an overview on SQL Server 2016 row level security. You will also get to know the usages of row-level-security and how it works
This video shows, step by step, how to configure Oracle Heterogeneous Services via the Generic Gateway Agent in order to make a connection from an Oracle session and access a remote SQL Server database table.
Viewers will learn how to use the UPDATE and DELETE statements to change or remove existing data from their tables. Make a table: Update a specific column given a specific row using the UPDATE statement: Remove a set of values using the DELETE s…

773 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question