Re: SQL Server Authentication



Thanks Jasper,

Therefore, if I understand this correctly, there isn't a need to use SSL
between the webserver application and the SQL Server as the login is
encrypted and cannot be swiped in transit? I agree, I prefer Windows
Authentication; however, the web server is residing in the DMZ in a
workgroup.

Thanks

Rustom


"Jasper Smith" <jasper_smith9@xxxxxxxxxxx> wrote in message
news:OmUak8X7GHA.1252@xxxxxxxxxxxxxxxxxxxxxxx
In SQL2005, the login handshake for a SQL login is encrypted by a
self-generated certificate so no, it's not transmitted in the clear. Passwords
for SQL logins are also subject (or rather they can be) to your domain
policies for expiration and complexity so all in all it's a lot better
than it was previously. The best practice is still Windows authentication
but there's a lot less risk with SQL authentication now.

--
HTH,
Jasper Smith (SQL Server MVP)
http://www.sqldbatips.com


"Rustom" <RustomNB@xxxxxxxxxxx> wrote in message
news:ejcYreM7GHA.660@xxxxxxxxxxxxxxxxxxxxxxx
I am running SQL Server 2005 in a Windows Server 2003 domain and utilizing
Windows Authentication. I have a webserver running a Visual Studio
application which resides in the DMZ on a Windows Workgroup. From a
security perspective what is the best practice with regards to how this
application should connect to SQL? I would like this application to use
Windows Authentication; however, I am assuming this is not possible as the
webserver is in the DMZ and not part of the domain. If this application
uses SQL Authentication, is the password transmitted in clear text?

Thanks

Rustom
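
An added example, not part of the original thread: the reply above says the login handshake is encrypted, and the follow-up asks whether that makes SSL unnecessary. In the TDS protocol the server's PRELOGIN response carries an ENCRYPTION option stating whether encryption covers only the login packet or the whole session; this Python sketch reads it from a captured packet. The sample packet is constructed and the function names are this example's own.

```python
import struct

# ENCRYPTION option values (MS-TDS PRELOGIN), as they read in the server's response.
ENCRYPTION = {
    0x00: "ENCRYPT_OFF: only the login packet is encrypted",
    0x01: "ENCRYPT_ON: the whole session is encrypted",
    0x02: "ENCRYPT_NOT_SUP: nothing is encrypted",
    0x03: "ENCRYPT_REQ: the whole session is encrypted (required)",
}
TOKEN_ENCRYPTION, TOKEN_TERMINATOR, TDS_HEADER_LEN = 0x01, 0xFF, 8

def prelogin_encryption(packet: bytes) -> int:
    """Return the ENCRYPTION byte from one TDS PRELOGIN packet or its response."""
    if len(packet) < TDS_HEADER_LEN:
        raise ValueError("shorter than a TDS header")
    ptype, _status, length = struct.unpack(">BBH", packet[:4])
    if ptype not in (0x12, 0x04):  # 0x12 = client PRELOGIN, 0x04 = server reply
        raise ValueError("not a PRELOGIN exchange packet")
    if length != len(packet):
        raise ValueError("TDS length field does not match the captured bytes")
    body = packet[TDS_HEADER_LEN:]  # option offsets are relative to this payload
    pos = 0
    while pos < len(body) and body[pos] != TOKEN_TERMINATOR:
        if pos + 5 > len(body):
            raise ValueError("truncated option table")
        token, offset, size = struct.unpack(">BHH", body[pos:pos + 5])
        if token == TOKEN_ENCRYPTION:
            if size != 1 or offset >= len(body):
                raise ValueError("malformed ENCRYPTION option")
            return body[offset]
        pos += 5
    raise ValueError("no ENCRYPTION option present")

def login_only(packet: bytes) -> bool:
    """True when only the login packet is encrypted and later traffic is in the clear."""
    return prelogin_encryption(packet) == 0x00

def describe(packet: bytes) -> str:
    """Human-readable meaning of the negotiated ENCRYPTION value."""
    return ENCRYPTION.get(prelogin_encryption(packet), "unknown value")

def build_sample(encryption: int, ptype: int = 0x04) -> bytes:
    """Constructed sample packet carrying only VERSION and ENCRYPTION options."""
    table = struct.pack(">BHH", 0x00, 11, 6) + struct.pack(">BHH", 0x01, 17, 1) + b"\xff"
    body = table + bytes([9, 0, 0x13, 0x99, 0, 0]) + bytes([encryption])
    return struct.pack(">BBHHBB", ptype, 0x01, TDS_HEADER_LEN + len(body), 0, 1, 0) + body
```

A response of ENCRYPT_OFF matches the login-only protection described in the thread: query text and result sets after the login still cross the DMZ boundary unencrypted unless the server or client asks for full-session encryption.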




