encrypt vs. Integrated Security vs. Persist Security Info
- From: Dino Buljubasic <dino@xxxxxxxxxxxxxxxxxxx>
- Date: Thu, 18 Aug 2005 18:48:35 GMT
Can somebody explain me this please. This is what I read in one
article:
Protect the Credentials for SQL Server Authentication
If you must use SQL Server Authentication, make sure the credentials
are not sent over an unencrypted channel in plain text. You must also
encrypt the database connection string before storing it, because it
contains credentials. To secure the connection string, use DPAPI.
To enable SQL Server to automatically encrypt the credentials sent
over a network, install a server certificate on the database server.
Alternatively, use an IPSec encrypted channel between Web and database
server.
now, I know of 3 properties in connection string:
1. encrypt - which requires SSL Certificate installed on SQL Server
2. Integrated Security or Trusted_Connection - which when set to true
uses Windows account credentials for authentication. When set to
false, user id and password are specified in connection string
3. Persist Security Info - which set to false does not provide
sensitive info such as user id and password
My questions is how much that number 3 protects my connection string
properties (such as user id and password) from sniffing if at all and
if not, what is the real purpose of this property?
Thank you
Dino
.
- Follow-Ups:
- Re: encrypt vs. Integrated Security vs. Persist Security Info
- From: William \(Bill\) Vaughn
- Re: encrypt vs. Integrated Security vs. Persist Security Info
- Prev by Date: Re: SQL Query Question (Access)
- Next by Date: SQL Query Question (Access)
- Previous by thread: SQL Query Question (Access)
- Next by thread: Re: encrypt vs. Integrated Security vs. Persist Security Info
- Index(es):
Relevant Pages
|
