
Do standard security logins send passwords as clear text


John Grant

Jul 24, 2008, 3:42:01 PM
I am trying to confirm best practice security configuration and was under the
impression that when using SQL Server standard login I could see the user id
and password. I used NetMon v3.1 and this did not appear to be the case. I
see the queries to sysdatabases, but the IP packets before the query appear
to be encrypted. This would be good.

-John

Rick Byham, (MSFT)

Jul 28, 2008, 1:00:01 PM
Assuming you are using SQL Server 2005 or 2008 the login is encrypted.
However, unless you have configured a certificate, you may have to worry
about a man-in-the-middle attack.
From Books Online: http://msdn.microsoft.com/en-us/library/ms189067.aspx
Credentials (in the login packet) that are transmitted when a client
application connects to SQL Server are always encrypted. SQL Server will use
a certificate from a trusted certification authority if available. If a
trusted certificate is not installed, SQL Server will generate a self-signed
certificate when the instance is started, and use the self-signed
certificate to encrypt the credentials. This self-signed certificate helps
increase security but it does not provide protection against identity
spoofing by the server. If the self-signed certificate is used, and the
value of the ForceEncryption option is set to Yes, all data transmitted
across a network between SQL Server and the client application will be
encrypted using the self-signed certificate.
CAUTION:
SSL connections that are encrypted by using a self-signed certificate do not
provide strong security. They are susceptible to man-in-the-middle attacks.
You should not rely on SSL using self-signed certificates in a production
environment or on servers that are connected to the Internet.
--
Rick Byham (MSFT), SQL Server Books Online
This posting is provided "AS IS" with no warranties, and confers no rights.

"John Grant" <John...@discussions.microsoft.com> wrote in message
news:58FA6362-9F57-4556...@microsoft.com...
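
An added example, not part of the original thread or of Books Online: a small Python check that sorts client connection strings by whether they authenticate the server, which is the gap the reply above describes for self-signed certificates. The `Encrypt` and `TrustServerCertificate` keywords are ADO.NET SqlClient connection-string settings that the thread does not mention; the assumed defaults of `false` for both, the function names and the sample strings are constructed for illustration.

```python
# Added example (not from the thread). Assumes ADO.NET SqlClient-style
# connection strings with legacy defaults: Encrypt=false, TrustServerCertificate=false.
TRUE_VALUES = {"true", "yes"}  # any other value is treated as not set (conservative)

def parse_conn_str(conn_str):
    """Split 'Key=Value;...' into a dict; keys lower-cased, spaces removed."""
    settings = {}
    for part in conn_str.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            settings[key.replace(" ", "").lower()] = value.strip()
    return settings

def classify(conn_str):
    """Return how well the client settings protect against a spoofed server."""
    s = parse_conn_str(conn_str)
    encrypt = s.get("encrypt", "false").lower() in TRUE_VALUES
    trust_any = s.get("trustservercertificate", "false").lower() in TRUE_VALUES
    if not encrypt:
        # The client asks only for login-packet encryption and does not
        # validate the server certificate.
        return "LOGIN_ONLY"
    if trust_any:
        # All traffic is encrypted, but a self-signed or substituted
        # certificate is accepted: the man-in-the-middle case in the CAUTION.
        return "ENCRYPTED_UNVERIFIED"
    # The client validates the chain, so the server needs a CA-issued certificate.
    return "ENCRYPTED_VERIFIED"

def needs_attention(named_conn_strs):
    """Names of connection strings that do not authenticate the server."""
    return sorted(name for name, cs in named_conn_strs.items()
                  if classify(cs) != "ENCRYPTED_VERIFIED")

# Constructed sample connection strings (hosts, users and passwords are placeholders).
SAMPLES = {
    "reporting": "Server=db01.example.internal;Database=Sales;User Id=report;Password=example-only",
    "webapp": "Server=db01.example.internal;Database=Sales;User Id=web;Password=example-only;"
              "Encrypt=True;TrustServerCertificate=True",
    "billing": "Server=db01.example.internal;Database=Sales;User Id=bill;Password=example-only;"
               "Encrypt=yes;TrustServerCertificate=False",
}

if __name__ == "__main__":
    for name, cs in SAMPLES.items():
        print(f"{name:10} {classify(cs)}")
    print("review:", needs_attention(SAMPLES))
```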
