Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

SQL Server Security Questions

Posted on 2012-03-20
6
Medium Priority
?
385 Views
Last Modified: 2012-06-27
We've been reviewing our PCI compliance and I am trying to make sure my bases are covered.  I'm wondering if there are any gaps in the security for my custom application.

I have an ecommerce website that stores information, including credit cards to a SQL Server Database.  The website and ordering process is secured by an SSL certificate.  The credit card info is transmitted and stored encrypted using MD5.  (We process credit cards offline)

My VB.NET appcliation downloads order information, including the encrypted credit card info and generates a QuickBooks invoice.

In the program, I've stored the keys for decrypting the card info.  I run a sub procedure, decrypt the card and using QODBC (an ODBC driver for quickbooks), I write the information to an invoice (or customer file).

My connection string for SQL server looks something like this:  User ID=myuser;Password=mypassword;Initial Catalog = mydb; Data Source = sql2k2.mydataserver.com;"

I connect to the server using SQL Connection (System.Data.SqlClient) in VB.NET.  Is this secure?

I can't think of a way that someone could hack an .exe file and read an SQL Query - or the encrypted Credit Card Number.  And even if they could, I don't know how they could hack the .exe to grab the MD5 keys that are stored in a module.

Then again, I'm not a hacker.

So I know there might not be enough information here for you to provide a concrete answer, but from my description, does it appear that this system should be safe?
0
Comment
Question by:slightlyoff
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 83

Assisted Solution

by:CodeCruiser
CodeCruiser earned 668 total points
ID: 37743679
Is your SQL Server remote? Remember that the connection string is transmitted as plain text over network.
0
 
LVL 1

Author Comment

by:slightlyoff
ID: 37744337
The SQL Server is remote.

But I'm not connecting using HTTP, the program just calls the remote server: sql2k2.mydataserver.com  - is it still possible for someone to "listen" in on our private network?

Thanks for your response!
0
 
LVL 40

Assisted Solution

by:lcohan
lcohan earned 664 total points
ID: 37744681
"is it still possible for someone to "listen" in on our private network"
If you run that over a VPN connection then you should be safe in my opinion. Same here - we are PCI compliant and we run similar scenario for ecommerce website over secure VPN(cisco).
0
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

 
LVL 40

Expert Comment

by:lcohan
ID: 37744705
One thing though - we encrypt the connection string regardless and please see below how to do that if you are not doing it allready - see "Security Note:" in article below and walk the path on those links:

http://msdn.microsoft.com/en-us/library/a65txexh(v=vs.90).aspx
0
 
LVL 23

Accepted Solution

by:
Racim BOUDJAKDJI earned 668 total points
ID: 37744816
Putting logins in connections strings is insecure in itself.  Best security on SQL consists of the following:
> Using exclusively Kerberos based Integrated Security.  Forget SQL based security.
> Not ever using granting downer privilege to any integrated login used by the application.  At most application logins should be no more than data reader and data writer.  If you know the name of the objects used by the application, go as granular as possible
> Disable any other protocol than TCPIP.  Change port by default to something else than 1433.
> Take away BUILT ADMIN  login for good
> Restrict client application host IP to only authorized hosts
> Limit the number of people who have sysadmin or dbo on any database to the strict minimum.

That should help you get started.  Hope this helps...
0
 
LVL 1

Author Closing Comment

by:slightlyoff
ID: 37753088
Thank you all for your help.
I wasn't sure how to award points, since it was all helpful.

Thanks again!
0

Featured Post

Get your Disaster Recovery as a Service basics

Disaster Recovery as a Service is one go-to solution that revolutionizes DR planning. Implementing DRaaS could be an efficient process, easily accessible to non-DR experts. Learn about monitoring, testing, executing failovers and failbacks to ensure a "healthy" DR environment.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Ever wondered why sometimes your SQL Server is slow or unresponsive with connections spiking up but by the time you go in, all is well? The following article will show you how to install and configure a SQL job that will send you email alerts includ…
An alternative to the "For XML" way of pivoting and concatenating result sets into strings, and an easy introduction to "common table expressions" (CTEs). Being someone who is always looking for alternatives to "work your data", I came across this …
Using examples as well as descriptions, and references to Books Online, show the documentation available for date manipulation functions and by using a select few of these functions, show how date based data can be manipulated with these functions.
This video shows how to set up a shell script to accept a positional parameter when called, pass that to a SQL script, accept the output from the statement back and then manipulate it in the Shell.

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question