SQL Clone
SQLServerCentral is supported by Redgate
 
Log in  ::  Register  ::  Not logged in
 
 
 


Connection Problems


Connection Problems

Author
Message
UMG Developer
UMG Developer
SSCrazy
SSCrazy (2.8K reputation)SSCrazy (2.8K reputation)SSCrazy (2.8K reputation)SSCrazy (2.8K reputation)SSCrazy (2.8K reputation)SSCrazy (2.8K reputation)SSCrazy (2.8K reputation)SSCrazy (2.8K reputation)

Group: General Forum Members
Points: 2754 Visits: 2204
Thanks for the question, it is good to bring up the deprecation of features, and show the alternative.
SanDroid
SanDroid
SSCommitted
SSCommitted (1.6K reputation)SSCommitted (1.6K reputation)SSCommitted (1.6K reputation)SSCommitted (1.6K reputation)SSCommitted (1.6K reputation)SSCommitted (1.6K reputation)SSCommitted (1.6K reputation)SSCommitted (1.6K reputation)

Group: General Forum Members
Points: 1604 Visits: 1046
RichB (2/7/2011)
What with them being inherently, disgracefully insecure.

Are you talking about the fact that they have to be stored in plain text in connection strings that are at the Least a read only file for all users?
Filter it for login packets... and watch in wonder as your password flies across the network in plain text! <_<

Ok, you are talking about the same limitation all network applications that use login packets to support application user logins stored in the application. SNMP, POP, SQL, FTP, NNTP, etc...

IMHO: If your network security is so lax that just anyone can install and use a packet sniffer to get this data, there is not an application security issue. w00t
sknox
sknox
SSCrazy
SSCrazy (2.7K reputation)SSCrazy (2.7K reputation)SSCrazy (2.7K reputation)SSCrazy (2.7K reputation)SSCrazy (2.7K reputation)SSCrazy (2.7K reputation)SSCrazy (2.7K reputation)SSCrazy (2.7K reputation)

Group: General Forum Members
Points: 2679 Visits: 2833
SanDroid (2/7/2011)
RichB (2/7/2011)
What with them being inherently, disgracefully insecure.

Are you talking about the fact that they have to be stored in plain text in connection strings that are at the Least a read only file for all users?
Filter it for login packets... and watch in wonder as your password flies across the network in plain text! <_<

Ok, you are talking about the same limitation all network applications that use login packets to support application user logins stored in the application. SNMP, POP, SQL, FTP, NNTP, etc...

IMHO: If your network security is so lax that just anyone can install and use a packet sniffer to get this data, there is not an application security issue. w00t


Yes there is. Just because you also have a network security issue doesn't mean that the application security issue can be ignored. That's why when possible you use secure versions of those protocols (usually the same protocol encrypted via SSH or SSL). Or you use alternative authentication mechanisms like Windows-based authentication with Kerberos as opposed to SQL user logins.

Yes, we use some SQL logins here, but only when the application requires it and only after evaluating other options and mitigation opportunities. It is a serious security issue, and hiding it under network security issues does nobody any good.
UMG Developer
UMG Developer
SSCrazy
SSCrazy (2.8K reputation)SSCrazy (2.8K reputation)SSCrazy (2.8K reputation)SSCrazy (2.8K reputation)SSCrazy (2.8K reputation)SSCrazy (2.8K reputation)SSCrazy (2.8K reputation)SSCrazy (2.8K reputation)

Group: General Forum Members
Points: 2754 Visits: 2204
RichB (2/7/2011)
For anyone that hasn't I strongly recommend using your favourite packet sniffer (wireshark for instance) to trace the local network while you log in with a sql login. Filter it for login packets... and watch in wonder as your password flies across the network in plain text! <_<


Is that true even if you are using encrypted connections?
Duncan Pryde
Duncan Pryde
Hall of Fame
Hall of Fame (3.6K reputation)Hall of Fame (3.6K reputation)Hall of Fame (3.6K reputation)Hall of Fame (3.6K reputation)Hall of Fame (3.6K reputation)Hall of Fame (3.6K reputation)Hall of Fame (3.6K reputation)Hall of Fame (3.6K reputation)

Group: General Forum Members
Points: 3620 Visits: 1552
RichB (2/7/2011)
Ah, not the missing option of 'wtf are you using sql logins in production for anyway?'

What with them being inherently, disgracefully insecure.

For anyone that hasn't I strongly recommend using your favourite packet sniffer (wireshark for instance) to trace the local network while you log in with a sql login. Filter it for login packets... and watch in wonder as your password flies across the network in plain text! <_<



So what do you use when you've got an application on a standalone (non-domain) web server connecting to a DB server behind a firewall? Mirrored local accounts? I keep looking for decent ways to avoid using SQL logins in this scenario, but nothing I come up with seems to work as well or be as easy to maintain.
marklegosz
marklegosz
Ten Centuries
Ten Centuries (1.2K reputation)Ten Centuries (1.2K reputation)Ten Centuries (1.2K reputation)Ten Centuries (1.2K reputation)Ten Centuries (1.2K reputation)Ten Centuries (1.2K reputation)Ten Centuries (1.2K reputation)Ten Centuries (1.2K reputation)

Group: General Forum Members
Points: 1182 Visits: 1180
Regarding SQL logins, I think the point here is to use them as a last resort when no other options are available.

In a web server/db server example, you could only allow the web server to communicate with a 'data broker' https web service, and then use windows authentication to permit that broker to connect to the SQL database. You could then use a client cert to secure the data broker web service, and only load that cert into the account that runs your app pool, making sure your website is the only website in that app pool (IIS solution).

But yeah with a vendor supplied solution you can often be left with no other option.
Duncan Pryde
Duncan Pryde
Hall of Fame
Hall of Fame (3.6K reputation)Hall of Fame (3.6K reputation)Hall of Fame (3.6K reputation)Hall of Fame (3.6K reputation)Hall of Fame (3.6K reputation)Hall of Fame (3.6K reputation)Hall of Fame (3.6K reputation)Hall of Fame (3.6K reputation)

Group: General Forum Members
Points: 3620 Visits: 1552
marklegosz (2/8/2011)
Regarding SQL logins, I think the point here is to use them as a last resort when no other options are available.

In a web server/db server example, you could only allow the web server to communicate with a 'data broker' https web service, and then use windows authentication to permit that broker to connect to the SQL database. You could then use a client cert to secure the data broker web service, and only load that cert into the account that runs your app pool, making sure your website is the only website in that app pool (IIS solution).

But yeah with a vendor supplied solution you can often be left with no other option.


Interesting ideas, thanks. I'd never come across anyone doing it like that before, but it does make sense.
SQLRNNR
SQLRNNR
SSC-Dedicated
SSC-Dedicated (33K reputation)SSC-Dedicated (33K reputation)SSC-Dedicated (33K reputation)SSC-Dedicated (33K reputation)SSC-Dedicated (33K reputation)SSC-Dedicated (33K reputation)SSC-Dedicated (33K reputation)SSC-Dedicated (33K reputation)

Group: General Forum Members
Points: 33716 Visits: 18560
Thanks for the question



Jason AKA CirqueDeSQLeil
I have given a name to my pain...
MCM SQL Server, MVP


SQL RNNR

Posting Performance Based Questions - Gail Shaw

jts2013
jts2013
Ten Centuries
Ten Centuries (1.3K reputation)Ten Centuries (1.3K reputation)Ten Centuries (1.3K reputation)Ten Centuries (1.3K reputation)Ten Centuries (1.3K reputation)Ten Centuries (1.3K reputation)Ten Centuries (1.3K reputation)Ten Centuries (1.3K reputation)

Group: General Forum Members
Points: 1292 Visits: 5009
Good question - we've been hit by this problem too and it can be a right pickle to sort out!
Kenneth.Fisher
Kenneth.Fisher
SSCarpal Tunnel
SSCarpal Tunnel (4.4K reputation)SSCarpal Tunnel (4.4K reputation)SSCarpal Tunnel (4.4K reputation)SSCarpal Tunnel (4.4K reputation)SSCarpal Tunnel (4.4K reputation)SSCarpal Tunnel (4.4K reputation)SSCarpal Tunnel (4.4K reputation)SSCarpal Tunnel (4.4K reputation)

Group: General Forum Members
Points: 4370 Visits: 2033
Good question. I appreciate the update of information. I use sp_change_users_login fairly frequently. I'll miss the report option though.

Kenneth Fisher
I strive to live in a world where a chicken can cross the road without being questioned about its motives.
--------------------------------------------------------------------------------
For better, quicker answers on T-SQL questions, click on the following...
http://www.sqlservercentral.com/articles/Best+Practices/61537/
For better answers on performance questions, click on the following...
http://www.sqlservercentral.com/articles/SQLServerCentral/66909/

Link to my Blog Post --> www.SQLStudies.com
Go


Permissions

You can't post new topics.
You can't post topic replies.
You can't post new polls.
You can't post replies to polls.
You can't edit your own topics.
You can't delete your own topics.
You can't edit other topics.
You can't delete other topics.
You can't edit your own posts.
You can't edit other posts.
You can't delete your own posts.
You can't delete other posts.
You can't post events.
You can't edit your own events.
You can't edit other events.
You can't delete your own events.
You can't delete other events.
You can't send private messages.
You can't send emails.
You can read topics.
You can't vote in polls.
You can't upload attachments.
You can download attachments.
You can't post HTML code.
You can't edit HTML code.
You can't post IFCode.
You can't post JavaScript.
You can post emoticons.
You can't post or upload images.

Select a forum

































































































































































SQLServerCentral


Search