Re: encrypt vs. Integrated Security vs. Persist Security Info




#3 simply protects the ConnectionString from being "sniffed" by other parts
of your application that have access to the Connection object--even
indirectly. Once set, the ConnectionString no longer includes the security
credentials--it's kept behind the scenes so ADO can use it, but it's not
exposed by inspection.

hth

--
____________________________________
William (Bill) Vaughn
Author, Mentor, Consultant
Microsoft MVP
www.betav.com/blog/billva
www.betav.com
Please reply only to the newsgroup so that others can benefit.
This posting is provided "AS IS" with no warranties, and confers no rights.
__________________________________

"Dino Buljubasic" <dino@xxxxxxxxxxxxxxxxxxx> wrote in message
news:vil9g193elig6a29ip716hn2p0ost64n6g@xxxxxxxxxx
> Can somebody explain this to me, please? This is what I read in one
> article:
>
> Protect the Credentials for SQL Server Authentication
>
> If you must use SQL Server Authentication, make sure the credentials
> are not sent over an unencrypted channel in plain text. You must also
> encrypt the database connection string before storing it, because it
> contains credentials. To secure the connection string, use DPAPI.
>
> To enable SQL Server to automatically encrypt the credentials sent
> over a network, install a server certificate on the database server.
> Alternatively, use an IPSec encrypted channel between Web and database
> server.
>
> now, I know of 3 properties in connection string:
> 1. encrypt - which requires SSL Certificate installed on SQL Server
> 2. Integrated Security or Trusted_Connection - which when set to true
> uses Windows account credentials for authentication. When set to
> false, user id and password are specified in connection string
> 3. Persist Security Info - which set to false does not provide
> sensitive info such as user id and password
>
> My question is how much that number 3 protects my connection string
> properties (such as user id and password) from sniffing if at all and
> if not, what is the real purpose of this property?
>
> Thank you
> Dino
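
An added example, not part of the original thread or written by either poster: a small C# audit of the three connection string settings discussed above, showing that Persist Security Info governs in-process visibility of the password rather than network protection. The class name, sample strings and finding texts are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Data.Common;

static class ConnStringAudit
{
    // Returns the value of the first synonym present ("" if none); keywords are case-insensitive.
    static string Get(DbConnectionStringBuilder b, params string[] keys)
    {
        foreach (var k in keys)
            if (b.TryGetValue(k, out var v)) return v?.ToString() ?? "";
        return "";
    }

    // Only the common truthy spellings are recognised here (assumption of this example).
    static bool IsOn(string v) =>
        Array.Exists(new[] { "true", "yes", "sspi" },
                     t => t.Equals(v.Trim(), StringComparison.OrdinalIgnoreCase));

    public static List<string> Audit(string connectionString)
    {
        var b = new DbConnectionStringBuilder { ConnectionString = connectionString };
        var findings = new List<string>();
        bool integrated = IsOn(Get(b, "Integrated Security", "Trusted_Connection"));
        bool hasPassword = Get(b, "Password", "Pwd") != "";

        if (hasPassword && !integrated)
            findings.Add("SQL authentication: the string holds credentials, encrypt it at rest");
        if (hasPassword && !integrated && !IsOn(Get(b, "Encrypt")))
            findings.Add("Encrypt not enabled: the string does not request an encrypted channel");
        // Persist Security Info is not a network control: it only decides whether the
        // password remains readable from the ConnectionString property after Open().
        if (hasPassword && IsOn(Get(b, "Persist Security Info", "PersistSecurityInfo")))
            findings.Add("Persist Security Info=true: password stays visible to code holding the connection");
        return findings;
    }

    static void Main()
    {
        // Constructed sample strings; server, database and account names are placeholders.
        var samples = new[] {
            "Server=db.example.test;Database=Orders;User ID=app;Password=PLACEHOLDER;Persist Security Info=True",
            "Server=db.example.test;Database=Orders;User ID=app;Password=PLACEHOLDER;Encrypt=True;Persist Security Info=False",
            "Server=db.example.test;Database=Orders;Integrated Security=SSPI",
        };
        foreach (var s in samples)
        {
            Console.WriteLine(s);
            foreach (var f in Audit(s)) Console.WriteLine("  - " + f);
        }
    }
}
```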

