Solved

SQL Server Security Questions

Posted on 2012-03-20
6
380 Views
Last Modified: 2012-06-27
We've been reviewing our PCI compliance and I am trying to make sure my bases are covered.  I'm wondering if there are any gaps in the security for my custom application.

I have an ecommerce website that stores information, including credit cards to a SQL Server Database.  The website and ordering process is secured by an SSL certificate.  The credit card info is transmitted and stored encrypted using MD5.  (We process credit cards offline)

My VB.NET appcliation downloads order information, including the encrypted credit card info and generates a QuickBooks invoice.

In the program, I've stored the keys for decrypting the card info.  I run a sub procedure, decrypt the card and using QODBC (an ODBC driver for quickbooks), I write the information to an invoice (or customer file).

My connection string for SQL server looks something like this:  User ID=myuser;Password=mypassword;Initial Catalog = mydb; Data Source = sql2k2.mydataserver.com;"

I connect to the server using SQL Connection (System.Data.SqlClient) in VB.NET.  Is this secure?

I can't think of a way that someone could hack an .exe file and read an SQL Query - or the encrypted Credit Card Number.  And even if they could, I don't know how they could hack the .exe to grab the MD5 keys that are stored in a module.

Then again, I'm not a hacker.

So I know there might not be enough information here for you to provide a concrete answer, but from my description, does it appear that this system should be safe?
0
Comment
Question by:slightlyoff
6 Comments
 
LVL 83

Assisted Solution

by:CodeCruiser
CodeCruiser earned 167 total points
ID: 37743679
Is your SQL Server remote? Remember that the connection string is transmitted as plain text over network.
0
 
LVL 1

Author Comment

by:slightlyoff
ID: 37744337
The SQL Server is remote.

But I'm not connecting using HTTP, the program just calls the remote server: sql2k2.mydataserver.com  - is it still possible for someone to "listen" in on our private network?

Thanks for your response!
0
 
LVL 39

Assisted Solution

by:lcohan
lcohan earned 166 total points
ID: 37744681
"is it still possible for someone to "listen" in on our private network"
If you run that over a VPN connection then you should be safe in my opinion. Same here - we are PCI compliant and we run similar scenario for ecommerce website over secure VPN(cisco).
0
NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

 
LVL 39

Expert Comment

by:lcohan
ID: 37744705
One thing though - we encrypt the connection string regardless and please see below how to do that if you are not doing it allready - see "Security Note:" in article below and walk the path on those links:

http://msdn.microsoft.com/en-us/library/a65txexh(v=vs.90).aspx
0
 
LVL 23

Accepted Solution

by:
Racim BOUDJAKDJI earned 167 total points
ID: 37744816
Putting logins in connections strings is insecure in itself.  Best security on SQL consists of the following:
> Using exclusively Kerberos based Integrated Security.  Forget SQL based security.
> Not ever using granting downer privilege to any integrated login used by the application.  At most application logins should be no more than data reader and data writer.  If you know the name of the objects used by the application, go as granular as possible
> Disable any other protocol than TCPIP.  Change port by default to something else than 1433.
> Take away BUILT ADMIN  login for good
> Restrict client application host IP to only authorized hosts
> Limit the number of people who have sysadmin or dbo on any database to the strict minimum.

That should help you get started.  Hope this helps...
0
 
LVL 1

Author Closing Comment

by:slightlyoff
ID: 37753088
Thank you all for your help.
I wasn't sure how to award points, since it was all helpful.

Thanks again!
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
SQL Pivot with row total 5 26
Name Space error VS2015 1 22
SQL USE DATABASE VARIABLE 5 27
SQL Availablity Groups Shared Path 2 13
Slowly Changing Dimension Transformation component in data task flow is very useful for us to manage and control how data changes in SSIS.
Ever wondered why sometimes your SQL Server is slow or unresponsive with connections spiking up but by the time you go in, all is well? The following article will show you how to install and configure a SQL job that will send you email alerts includ…
Via a live example, show how to extract information from SQL Server on Database, Connection and Server properties
Viewers will learn how the fundamental information of how to create a table.

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question