Securing All Your Connections

  • Comments posted to this topic are about the item Securing All Your Connections

  • Some good thoughts on this. I know that my smaller companies definitely weren't going to shell out money to put certificates on their dev and test servers. At one company, they didn't even shell out money for actual servers for some time - we had a rack full of old desktops that were labeled "app server 1", "sql server", etc.  They did eventually get an actual set of blade servers for dev/test, but that was always amusing to open the door to that and be greeted by a set of old desktops.

    I haven't tried LetsEncrypt for SQL Server certificates. It seems like it should work and that, coupled with the dbatools modules for certificates could be quite useful for those dev/test instances where you can talk to the CA for LetsEncrypt. I know you'd need to be careful with those to make sure you refresh the certificates regularly to keep them from expiring. I've tried to use LE in the past for various purposes and seemed to always run into small issues for things outside of websites - Terminal Services, SQL, etc. It's probably worth trying again.

  • Yes, TLS enabled on the client by itself will encrypt the data and SQL commands sent between client and server. SQL Server at install time will automatically create a certificate for the purpose of encryption. Many don't know that enabling TLS encryption is as simple a specifying Encrypt=On in the connection string or connection dialog in SSMS, and there is no special configuration required on the server, so I can't think of a reason not to do this minimal step.

    But without a certificate issued by a certificate authority on the server and client, the server authentication step won't work. If the server doesn't have trusted CA certificate installed, then make sure to enable the 'Trust Server Certificate' property on client to skip server authentication.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • Their point is clicking "trust server" without a CA cert means you are vulnerable to man in the middle attacks. You don't know if you're connecting to the correct server.

Viewing 4 posts - 1 through 3 (of 3 total)

You must be logged in to reply to this topic. Login to reply