Re: IIS to SQL Server security

From: Jasper Smith (jasper_smith9_at_hotmail.com)
Date: 08/21/03


Date: Thu, 21 Aug 2003 21:24:30 +0100


Almost all traffic is passed in the clear. SQL passwords are "encrypted" but
not very strongly - it's easily broken from a network trace. This is why
Windows authentication is preferred: no password is passed to SQL. All plain
TSQL batches and results are passed in clear text unless you use something
like SSL to encrypt the communication.

-- 
HTH
Jasper Smith (SQL Server MVP)
I support PASS - the definitive, global
community for SQL Server professionals -
http://www.sqlpass.org

"Richard Benson" <rbenson@hmrcorp.com> wrote in message
news:eySq2bBaDHA.652@TK2MSFTNGP10.phx.gbl...
Probably a simple question for all the SQL experts here, but I have not been
able to find a definitive answer on the web.
What data is exposed as clear text when Web applications communicate through
IIS over an intranet with a separate SQL Server (SQL 2000)? By using a packet
sniffer, we've seen query results and stored procedure names. Is it correct
to assume that login info and parameters passed to stored
procedures/functions are not passed over the network as clear text but that
query results are?
Any insight into this is greatly appreciated.
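
The two exposures described in the reply above can be checked for in an application's connection strings. The following is an added example, not part of the original thread: it flags strings that use a SQL login without encryption and strings that do not request encryption at all. The server, database and account names are constructed, and the parser assumes simple `key=value;` pairs with no quoted semicolons.

```python
# Added example: audit SQL Server connection strings for the exposures
# described in the thread. All sample values below are constructed.

TRUE_VALUES = {"true", "yes", "sspi"}


def parse_conn_str(conn_str):
    """Split 'key=value;key=value' into a dict with lower-cased keys.
    Assumption: values contain no quoted semicolons."""
    pairs = {}
    for part in conn_str.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            pairs[key.strip().lower()] = value.strip()
    return pairs


def audit(conn_str):
    """Return a list of network-exposure findings for one connection string."""
    kv = parse_conn_str(conn_str)
    # Windows authentication: no SQL password is sent to the server.
    integrated = kv.get("integrated security",
                        kv.get("trusted_connection", "")).lower() in TRUE_VALUES
    # Encrypt=True asks the client library to use SSL for the connection.
    encrypted = kv.get("encrypt", "").lower() in {"true", "yes"}
    has_password = "password" in kv or "pwd" in kv

    findings = []
    if has_password and not integrated and not encrypted:
        findings.append("SQL login without encryption: weakly protected "
                        "password is visible in a network trace")
    if not encrypted:
        findings.append("Encrypt not enabled: T-SQL batches and results "
                        "travel in clear text")
    return findings


SAMPLES = [  # constructed connection strings
    "Server=db01;Database=Sales;User ID=webapp;Password=example-only;",
    "Server=db01;Database=Sales;Integrated Security=SSPI;",
    "Server=db01;Database=Sales;Integrated Security=SSPI;Encrypt=True;",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s)
        for finding in audit(s) or ["no network-exposure findings"]:
            print("   -", finding)
```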

