Re: SQL Server Authentication hacking

From: Richard Waymire [MS] (rwaymi_ms@microsoft.com)
Date: 09/24/02

• Next message: Ing. Juan Manuel Alegrķa B.: "How to execute script.sql from VB6"
• Previous message: Peter van der Veen: "How to change the owner of a table in SQL 65?"
• In reply to: jimmers: "Re: SQL Server Authentication hacking"
• Next in thread: Steve Hendricks: "Re: SQL Server Authentication hacking"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

From: "Richard Waymire [MS]" <rwaymi_ms@microsoft.com>
Date: Tue, 24 Sep 2002 09:12:55 -0700

Which is why it's a good idea to use either IPSec or SSL encryption for your
connections :-)

--
Richard Waymire, MCSE, MCDBA
This posting is provided "AS IS" with no warranties, and confers no rights.
"jimmers" <jimmers@yandex.ru> wrote in message
news:#jY9#m7YCHA.2532@tkmsftngp12...
> Maybe You mean "vulnerable"? If so, SQL Server Authentication
> is vulnerable to sniffers that can decrypt password. Other information
> (like User ID, Initial Catalog etc) is sent over wire unencrypted.
>
> Cheers
> jimmers
>
>
> "dave" <david_whitehouse@embanet.com> wrote in message
> news:73c101c263b8$01ba3cf0$3bef2ecf@TKMSFTNGXA10...
> > I currently connect to SQL 7 and 2K servers using SQL
> > server authentication. This means that in the connection
> > string from the VB client application the username and
> > password is passed across the network (connection string
> > is shown below and uses ADO 2.7)
> >
> > I am trying to find out if this method is venerable to
> > hackers who could potentially get this information and
> > then log in themselves. Is this the case or is the
> > information encrypted?
> >
> >
> > db.Open "Provider=SQLOLEDB.1;Password=xyz;Persist Security
> > Info=False;User ID=abc;Initial Catalog=DBname;Data
> > Source=servername"
> >
>
>

• Next message: Ing. Juan Manuel Alegrķa B.: "How to execute script.sql from VB6"
• Previous message: Peter van der Veen: "How to change the owner of a table in SQL 65?"
• In reply to: jimmers: "Re: SQL Server Authentication hacking"
• Next in thread: Steve Hendricks: "Re: SQL Server Authentication hacking"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: Complicated Connection Problems bewteen ADP and SQL Server ... front end on the 5-8 workstations where the users happen to sit. ... expertise for getting the user workstations talking to the SQL Server. ... connection would fail and the adp wouldn't be able to talk to the server. ... thought that I should instead change my connection string to something ... (microsoft.public.access.adp.sqlserver) Re: ASP.net and Oracle error System.Data.OleDb.OleDbException ... Also see http://www.connectionstrings.com/ and try other providers ... > Here is some of my connection code: ... >> And are you sure your connection string is ok. ... >>> Oracle error occurred, but error message could not be retrieved from ... (microsoft.public.dotnet.framework.aspnet) Re: Changing Connection String programmatically ... This is a good situation for putting the connection string information in the app.config file. ... every year we will create new database. ... change the body of the private void InitConnection(), ... (microsoft.public.sqlserver.connect) Re: Deployment + Vista ... I'm talking about the user being able to edit the server connection setting ... MSI will allow you to edit the app directory, ... function in order to put together the connection string something like: ... (microsoft.public.dotnet.framework.adonet) Re: Building SQL connection string in code-behind file. Works on my machine, not on server. ... you're using linked services please check out this KB article: ... If you're not using linked services please tell me if the database server ... connection string in web.config. ... (microsoft.public.dotnet.framework.aspnet)

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint