Connection Problems
Posted Monday, February 7, 2011 11:19 AM
SSCrazy
Thanks for the question, it is good to bring up the deprecation of features, and show the alternative.
Post #1059790
Posted Monday, February 7, 2011 11:31 AM
Ten Centuries
RichB (2/7/2011)
What with them being inherently, disgracefully insecure.

Are you talking about the fact that they have to be stored in plain text in connection strings that are at the least a read-only file for all users?
Filter it for login packets... and watch in wonder as your password flies across the network in plain text! <_<

OK, you are talking about the same limitation as all network applications that use login packets to support application user logins stored in the application: SNMP, POP, SQL, FTP, NNTP, etc.

IMHO: If your network security is so lax that just anyone can install and use a packet sniffer to get this data, there is not an application security issue.
Post #1059798
Posted Monday, February 7, 2011 11:39 AM
Ten Centuries
SanDroid (2/7/2011)
RichB (2/7/2011)
What with them being inherently, disgracefully insecure.

Are you talking about the fact that they have to be stored in plain text in connection strings that are at the least a read-only file for all users?
Filter it for login packets... and watch in wonder as your password flies across the network in plain text! <_<

OK, you are talking about the same limitation as all network applications that use login packets to support application user logins stored in the application: SNMP, POP, SQL, FTP, NNTP, etc.

IMHO: If your network security is so lax that just anyone can install and use a packet sniffer to get this data, there is not an application security issue.


Yes there is. Just because you also have a network security issue doesn't mean that the application security issue can be ignored. That's why when possible you use secure versions of those protocols (usually the same protocol encrypted via SSH or SSL). Or you use alternative authentication mechanisms like Windows-based authentication with Kerberos as opposed to SQL user logins.

Yes, we use some SQL logins here, but only when the application requires it and only after evaluating other options and mitigation opportunities. It is a serious security issue, and hiding it under network security issues does nobody any good.
Post #1059802
Posted Monday, February 7, 2011 11:55 AM
SSCrazy
RichB (2/7/2011)
For anyone that hasn't, I strongly recommend using your favourite packet sniffer (Wireshark for instance) to trace the local network while you log in with a SQL login. Filter it for login packets... and watch in wonder as your password flies across the network in plain text! <_<


Is that true even if you are using encrypted connections?
Post #1059810
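The post above asks whether the sniffing observation still holds on encrypted connections, and the thread never answers it. SQL Server itself records, per connection, which authentication scheme was used and whether the session is encrypted, so the question can be settled from inside the instance. The query below is an added example, not something posted in the thread: it lists every live session that authenticated with a SQL login (auth_scheme = 'SQL') over a connection the server reports as unencrypted. It needs VIEW SERVER STATE; every column comes from sys.dm_exec_sessions and sys.dm_exec_connections, available from SQL Server 2005 on.

```sql
-- Added example (not from the thread): which live sessions authenticated with a SQL login
-- over a connection that SQL Server reports as unencrypted?
-- Needs VIEW SERVER STATE. All columns come from sys.dm_exec_sessions / sys.dm_exec_connections
-- (SQL Server 2005 and later).
SELECT
    s.session_id,
    s.login_name,
    c.auth_scheme,            -- 'SQL' = password-based login; 'NTLM' / 'KERBEROS' = Windows auth
    c.encrypt_option,         -- 'TRUE' when the TDS data stream is encrypted, otherwise 'FALSE'
    c.net_transport,          -- 'TCP', 'Named pipe', 'Shared memory', ...
    c.client_net_address,
    s.host_name,
    s.program_name,
    s.login_time
FROM sys.dm_exec_sessions AS s
JOIN sys.dm_exec_connections AS c
    ON c.session_id = s.session_id
WHERE s.is_user_process = 1
  AND c.auth_scheme = 'SQL'
  AND c.encrypt_option = 'FALSE'
  AND c.net_transport <> 'Shared memory'   -- local-only connections never touch the wire
ORDER BY s.login_time;

-- The same two facts for your own connection, to confirm that Encrypt=True in a
-- connection string (or Force Encryption on the server) actually took effect:
SELECT c.auth_scheme, c.encrypt_option, c.net_transport
FROM sys.dm_exec_connections AS c
WHERE c.session_id = @@SPID;
```

Two things to keep in mind when reading the output. encrypt_option describes the data stream: on SQL Server 2005 and later the login packet itself is protected with the server's certificate (a self-signed one if none is installed) even when the rest of the session is not, but a 'FALSE' here still means every query and result set for that session, including whatever the application sends as parameters, is readable by anyone who can capture the traffic. And for the Windows-authentication path recommended later in the thread, auth_scheme tells you whether you actually got Kerberos: 'NTLM' on a connection you expected to be Kerberos usually means the instance's SPN is missing or wrong.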
Posted Monday, February 7, 2011 12:24 PM
Hall of Fame
RichB (2/7/2011)
Ah, not the missing option of 'wtf are you using SQL logins in production for anyway?'

What with them being inherently, disgracefully insecure.

For anyone that hasn't, I strongly recommend using your favourite packet sniffer (Wireshark for instance) to trace the local network while you log in with a SQL login. Filter it for login packets... and watch in wonder as your password flies across the network in plain text! <_<



So what do you use when you've got an application on a standalone (non-domain) web server connecting to a DB server behind a firewall? Mirrored local accounts? I keep looking for decent ways to avoid using SQL logins in this scenario, but nothing I come up with seems to work as well or be as easy to maintain.
Post #1059843
Posted Tuesday, February 8, 2011 10:12 AM
Ten Centuries
Regarding SQL logins, I think the point here is to use them as a last resort when no other options are available.

In a web server/db server example, you could only allow the web server to communicate with a 'data broker' HTTPS web service, and then use Windows authentication to permit that broker to connect to the SQL database. You could then use a client cert to secure the data broker web service, and only load that cert into the account that runs your app pool, making sure your website is the only website in that app pool (IIS solution).

But yeah with a vendor supplied solution you can often be left with no other option.
Post #1060408
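The database-side half of the design described in the post above, as an added example that is not from the thread: the broker's app pool identity gets a Windows login (no password stored anywhere, so nothing for a sniffer or a readable config file to give up), and that login is confined to executing procedures in a single schema. The names are hypothetical: CORP\svc-databroker is the identity the IIS app pool runs as, AppDb is the database and api is the schema that holds the only procedures the broker may call.

```sql
-- Added example (not from the thread): server-side half of the 'data broker' design.
-- Hypothetical names: CORP\svc-databroker is the identity the broker's IIS app pool runs as,
-- AppDb is the database, api is the schema holding the only procedures the broker may call.
USE [master];
GO
-- A Windows login: no password in any connection string (the broker connects with
-- Integrated Security=SSPI) and the domain does the authentication.
CREATE LOGIN [CORP\svc-databroker] FROM WINDOWS WITH DEFAULT_DATABASE = [AppDb];
GO
USE [AppDb];
GO
CREATE USER [svc-databroker] FOR LOGIN [CORP\svc-databroker];
GO
-- Everything the broker is allowed to call lives in one schema...
CREATE SCHEMA [api] AUTHORIZATION [dbo];
GO
-- ...and a role gets EXECUTE on that schema only: no table access, no ad-hoc SQL.
-- Any procedure added to [api] later is callable automatically; anything outside it is not.
CREATE ROLE [broker_caller] AUTHORIZATION [dbo];
GO
GRANT EXECUTE ON SCHEMA::[api] TO [broker_caller];
GO
EXEC sp_addrolemember @rolename = N'broker_caller', @membername = N'svc-databroker';
-- SQL Server 2012 and later: ALTER ROLE [broker_caller] ADD MEMBER [svc-databroker];
GO
-- Check the result from the broker's point of view, then drop back to yourself.
EXECUTE AS USER = 'svc-databroker';
SELECT entity_name, subentity_name, permission_name
FROM fn_my_permissions('api', 'SCHEMA');                               -- expect EXECUTE
SELECT HAS_PERMS_BY_NAME('dbo', 'SCHEMA', 'SELECT') AS can_read_dbo;  -- expect 0
REVERT;
GO
```

The EXECUTE AS / REVERT block at the end is the check worth keeping around: run it again after any schema change to confirm the broker still cannot read tables directly. If the broker needs to be reached from a non-domain web server, as in the earlier post, the client certificate on the HTTPS side is what authenticates the web server to the broker; nothing in this script changes for that.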
Posted Tuesday, February 8, 2011 11:18 AM
Hall of Fame
marklegosz (2/8/2011)
Regarding SQL logins, I think the point here is to use them as a last resort when no other options are available.

In a web server/db server example, you could only allow the web server to communicate with a 'data broker' HTTPS web service, and then use Windows authentication to permit that broker to connect to the SQL database. You could then use a client cert to secure the data broker web service, and only load that cert into the account that runs your app pool, making sure your website is the only website in that app pool (IIS solution).

But yeah with a vendor supplied solution you can often be left with no other option.


Interesting ideas, thanks. I'd never come across anyone doing it like that before, but it does make sense.
Post #1060475
Posted Tuesday, February 8, 2011 12:06 PM
SSCoach
Thanks for the question

Jason AKA CirqueDeSQLeil
I have given a name to my pain...
MCM SQL Server, MVP
SQL RNNR
Posting Performance Based Questions - Gail Shaw
Post #1060534
Posted Friday, February 11, 2011 9:42 AM
Ten Centuries
Good question - we've been hit by this problem too and it can be a right pickle to sort out!
Post #1062681
Posted Friday, February 11, 2011 10:50 AM
Hall of Fame
Good question. I appreciate the update of information. I use sp_change_users_login fairly frequently. I'll miss the report option though.

Kenneth Fisher
I strive to live in a world where a chicken can cross the road without being questioned about its motives.
--------------------------------------------------------------------------------
For better, quicker answers on T-SQL questions, click on the following...
http://www.sqlservercentral.com/articles/Best+Practices/61537/
For better answers on performance questions, click on the following...
http://www.sqlservercentral.com/articles/SQLServerCentral/66909/

Link to my Blog Post --> www.SQLStudies.com
Post #1062727
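The post above will miss the 'Report' option of sp_change_users_login. The script below is an added example, not from the thread or from Microsoft: it rebuilds the 'Report' and 'Update_One' steps against the catalog views and ALTER USER ... WITH LOGIN, which is the replacement for the deprecated procedure. AppDb and AppLogin are hypothetical names; the SID in the last step is a placeholder to be read from the source instance.

```sql
-- Added example (not from the thread): sp_change_users_login 'Report' and 'Update_One'
-- rebuilt on the catalog views and ALTER USER ... WITH LOGIN.
USE [AppDb];   -- hypothetical database, e.g. one just restored from another instance
GO

-- 1. Report: SQL users whose SID matches no login on this instance.
--    sp_change_users_login only ever handled SQL users (type 'S'), so the same scope is used here.
--    SQL Server 2012 and later: add  AND dp.authentication_type <> 0  to leave out users
--    created WITHOUT LOGIN, which have no login by design and are not orphans.
SELECT dp.name AS orphaned_user,
       dp.sid,
       CASE WHEN sp.name IS NOT NULL THEN 'login with the same name exists, different SID'
            ELSE 'no login with this name' END AS diagnosis
FROM sys.database_principals AS dp
LEFT JOIN sys.server_principals AS sp
    ON sp.name = dp.name
WHERE dp.type = 'S'
  AND dp.principal_id > 4               -- skip dbo, guest, INFORMATION_SCHEMA, sys
  AND dp.sid IS NOT NULL
  AND NOT EXISTS (SELECT 1 FROM sys.server_principals AS l WHERE l.sid = dp.sid);

-- 2. Update_One equivalent: re-point each orphan at the SQL login of the same name.
--    The statements are generated and printed first; execute them once you have read them.
DECLARE @sql nvarchar(max) = N'';
SELECT @sql = @sql + N'ALTER USER ' + QUOTENAME(dp.name)
                   + N' WITH LOGIN = ' + QUOTENAME(sp.name) + N';' + CHAR(10)
FROM sys.database_principals AS dp
JOIN sys.server_principals AS sp
    ON sp.name = dp.name
WHERE dp.type = 'S'
  AND sp.type = 'S'                     -- only map SQL users to SQL logins
  AND dp.principal_id > 4
  AND dp.sid <> sp.sid;
PRINT @sql;
-- EXEC sp_executesql @sql;             -- uncomment after reviewing the printed statements

-- 3. Avoid the orphan next time: create the login on the target instance with the SID it has
--    on the source, so a restored database's users line up without any remapping at all.
--    On the source:  SELECT name, sid FROM sys.server_principals WHERE name = N'AppLogin';
--    On the target (SID below is a placeholder for the value read above):
-- CREATE LOGIN [AppLogin] WITH PASSWORD = N'<strong password>', SID = 0x<16-byte value from source>;
```

Unlike sp_change_users_login, ALTER USER ... WITH LOGIN also works for Windows users (type 'U' mapped to a Windows login), so the same pattern covers databases that use the Windows-authentication route recommended earlier in the thread. The 'Auto_Fix' option, which could also create a missing login with a password you passed in, has no equivalent here on purpose: creating logins belongs in a separate, reviewed step.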