views: 273
answers: 4

If you use SQL Server Authentication (2005), are the login details sent in clear text over the wire?

+2  A: 

The credentials are sent in clear text.

You can probably find a number of sources for this, but here's one:

"Secure the channel between the Web server and database server because credentials are passed in an unencrypted format. For example, use SSL or IPSec."

DOK
Interestingly this is the posting I found that led to me posting my question. It also appears to directly contradict this other MSDN post: http://msdn.microsoft.com/en-us/library/ms189067.aspx
Noel Kennedy
So either the asp.net best practice guide is wrong or the Encrypting SQL Server 2005 connections MSDN article is wrong....
Noel Kennedy
+2  A: 

Here's a link to some security best practices for SQL 2005. That doc states in part:

In Windows Authentication mode, specific Windows user and group accounts are trusted to log in to SQL Server. Windows credentials are used in the process; that is, either NTLM or Kerberos credentials. Windows accounts use a series of encrypted messages to authenticate to SQL Server; no passwords are passed across the network during the authentication process. When SQL logins are used, SQL login passwords are passed across the network for authentication. This makes SQL logins less secure than Windows logins.

JP Alioto
Think Noel was asking about SQL server auth, not Windows auth
JonoW
Quite right, thank you. Fixed. In other news, people still use mixed mode? :)
JP Alioto
Sadly yes, deploying an app to an environment without a domain...
Noel Kennedy
And it's difficult to use Windows Auth when the client is `NETWORK SERVICE` or some other low-privileged account...
Aaronaught
This doc is also ambiguous. 'When SQL logins are used, SQL login passwords are passed across the network for authentication', but in the clear or via a secure comms protocol? Also, 'there are security improvements for SQL logins in SQL Server 2005 ... These improvements include ... better encryption when SQL passwords are passed over the network'
Noel Kennedy
And maddeningly: 'SQL Server 2005 can use an encrypted channel for two reasons: to encrypt credentials for SQL logins'. It can! Or it does!!!!!
Noel Kennedy
'The other reason for using SSL is to encrypt credentials during the login process for SQL logins when a password is passed across the network.' However, this doc implies that all this is optional rather than by default.
Noel Kennedy
+2  A: 

As secure as you want to make it...

You can configure SSL fairly easily, and if you don't have a trusted cert, if you force encryption, SQL Server can create/issue its own self-signed cert for your use... from this write-up:

Credentials (in the login packet) that are transmitted when a client application connects to SQL Server are always encrypted. SQL Server will use a certificate from a trusted certification authority if available. If a trusted certificate is not installed, SQL Server will generate a self-signed certificate when the instance is started, and use the self-signed certificate to encrypt the credentials. This self-signed certificate helps increase security but it does not provide protection against identity spoofing by the server. If the self-signed certificate is used, and the value of the ForceEncryption option is set to Yes, all data transmitted across a network between SQL Server and the client application will be encrypted using the self-signed certificate

curtisk
Agreed, but all of this encryption effort eliminates the performance advantage of using SQL authentication. But then, not everyone has a choice of using Windows authentication.
DOK
that's the classic trade-off, ain't it, performance versus security?
curtisk
Still not 100% sure that SQL credentials are always sent securely, but I think your link is about as clear as MS have made it. 'Credentials (in the login packet) that are transmitted when a client application connects to SQL Server are always encrypted', but given this phrase comes halfway through a section on how to set up SQL to use SSL it's still slightly ambiguous (or maybe I am being too cautious!)
Noel Kennedy
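Rather than reading the docs either way, a defender can check the running instance: sys.dm_exec_connections records, per session, both the authentication scheme and whether the TDS stream is encrypted. This is an added example, not code from any of the posters; the DMV and column names are standard SQL Server 2005+ and the query needs VIEW SERVER STATE.

```sql
-- Added example: list live sessions that logged in with a SQL login
-- (auth_scheme = 'SQL') over a channel that is NOT encrypted.
-- Run on the instance itself; requires VIEW SERVER STATE.
SELECT
    s.session_id,
    s.login_name,
    s.host_name,
    s.program_name,
    c.auth_scheme,        -- 'SQL', 'NTLM' or 'KERBEROS'
    c.encrypt_option,     -- 'TRUE' when the whole TDS stream is encrypted
    c.net_transport,      -- e.g. 'TCP', 'Named pipe', 'Shared memory'
    c.client_net_address
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions    AS s
    ON s.session_id = c.session_id
WHERE c.auth_scheme = 'SQL'
  AND c.encrypt_option = 'FALSE'
ORDER BY s.login_time;
```

A row here means that session's data stream is in the clear; the login packet alone may still have been encrypted with the self-signed certificate quoted above, which encrypt_option does not reflect. An empty result with ForceEncryption set to Yes is the state the write-up describes.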
A: 

Apart from the fact that passwords are sent in clear text, it is also possible to replace the hash of the password.

Giorgi