Re: Authentication to server with SSL through firewall

From: Kevin McDonnell [MSFT] (kevmc_at_online.microsoft.com)
Date: Fri, 05 Dec 2003 19:15:14 GMT

I'll try to answer the remaining questions/concerns.

1. The client is my Web Server. And the servers could be all over the
world, each one with its own firewall. Will Windows authentication work over
the firewall? I saw articles about having to open port 445 which is
insecure.

Answer:
Windows Authenticated connections require that the user establishing the
connection has been authenticated on the domain. Internet based web
applications typically don't support Windows Authentication. Typically,
internet web based servers are not trusted by remote SQL servers behind a
firewall. Most internet web applications use either anonymous or Basic
authentication with SSL.

Intranet (internal) web based applications can take advantage of Windows NT
Authentication.

There are numerous ports required for Windows Authentication to work
across a firewall. It would not be feasible to open these ports up for a
remote, untrusted web server. The example I mentioned the other day is an
example where the web server resides in a DMZ with a 1 way trust to the
internal DC. If you review this example, I think it will make more sense.

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/comm/comm2002/deploy/SecCncpt.asp

2. The question about this case is whether the connection string is
encrypted or not. If it is not, I don't like the idea of sending credentials
as plain text.

Answer:
By default dblibrary applications will send the connection string in the
clear. ODBC applications will encrypt the string, but it is not strong
encryption. If you put server certificates on the SQL Server then the
logins are encrypted in a more secure manner. The data portion is still
not encrypted unless you specify the client use "force protocol encryption".

To verify this you can review a network trace of your application
establishing a connection to SQL Server using Standard Security.
(Supplying a SQL username and password). I would recommend this to anyone
concerned about what information is being passed on the wire, before
deploying their application. This is documented on our Technet web site:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/sql/maintain/security/sp3sec/default.asp

3. This is not clear to me. What do you mean by Standard Security? How
else, if not by SSL encryption, can I secure connection strings to avoid
sending it as plain text?

Answer: Standard Security == SQL Security. SQL Security is when you have a
SQL User account and SQL password to authenticate to the SQL Server. The
logins used for SQL Server are stored in the master database, and don't
require password complexity or have expiration time periods as NT logins
would.

You can secure the connection strings by using DPAPI. Here's an example:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetch12.asp
also
Storing Database Connection Strings Securely
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetch05.asp

Hope this helps!

Thanks,

Kevin McDonnell
Microsoft Corporation

This posting is provided AS IS with no warranties, and confers no rights.
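Added example, not part of Kevin's post or of the MSDN chapters he links: a small C# tool that protects a SQL Server connection string with DPAPI before it is written to disk and unprotects it at runtime, which is the approach the DPAPI answer above recommends. It assumes .NET 2.0 or later (the ProtectedData class in System.Security.dll; the linked chapters show the equivalent P/Invoke to CryptProtectData for .NET 1.x), and the server name, database, login, entropy string and output file name are constructed sample values.

```csharp
// Added example (not from the original post): keep a SQL Server connection
// string out of plaintext config by wrapping it with DPAPI.
// Assumes .NET 2.0+ for System.Security.Cryptography.ProtectedData.
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

class ConnectionStringProtector
{
    // Optional entropy mixed into the DPAPI key. Any code running as the same
    // account (or on the same machine, for LocalMachine scope) can still call
    // CryptUnprotectData, so this is defence in depth, not a second secret.
    static readonly byte[] Entropy = Encoding.UTF8.GetBytes("constructed-example-entropy");

    // LocalMachine scope lets the ASP.NET worker process account read a blob
    // produced by an administrator's one-off run of this tool. The trade-off:
    // every account on that box can decrypt it, so file ACLs still matter.
    public static string Protect(string connectionString)
    {
        byte[] plain = Encoding.UTF8.GetBytes(connectionString);
        byte[] cipher = ProtectedData.Protect(plain, Entropy, DataProtectionScope.LocalMachine);
        Array.Clear(plain, 0, plain.Length);          // drop the plaintext copy
        return Convert.ToBase64String(cipher);        // safe to store in a text file
    }

    public static string Unprotect(string protectedBase64)
    {
        byte[] cipher = Convert.FromBase64String(protectedBase64);
        byte[] plain = ProtectedData.Unprotect(cipher, Entropy, DataProtectionScope.LocalMachine);
        try { return Encoding.UTF8.GetString(plain); }
        finally { Array.Clear(plain, 0, plain.Length); }
    }

    static void Main()
    {
        // Constructed sample. Encrypt=true asks SqlClient for an SSL-encrypted
        // session, the client-side counterpart of the server's
        // "force protocol encryption" setting mentioned above.
        string secret = "Server=sqlhost.example;Database=Orders;" +
                        "User ID=webapp;Password=example-only;Encrypt=true;";

        string blob = Protect(secret);
        File.WriteAllText("connstring.dpapi", blob);   // this is all that lands on disk
        Console.WriteLine("Stored blob: " + blob);

        // At application start-up, read the blob back and recover the string.
        string recovered = Unprotect(File.ReadAllText("connstring.dpapi"));
        Console.WriteLine("Recovered matches original: " + (recovered == secret));
    }
}
```

Run the tool once as an administrator on the web server to produce connstring.dpapi, restrict the file's ACL to the worker process account, and have the application call Unprotect at start-up. If the web server is ever cloned or the blob copied elsewhere, decryption fails, because the DPAPI master key is tied to that machine (or, with DataProtectionScope.CurrentUser, to that account), which is exactly the property you want for stored credentials.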
