Found this article... is it true for all versions?!

  • Found this article about passwords being passed via (junk) encryption across the network. It looks like this was written prior to MSSQL 2005. I'm curious if this is true for '05 and '08...?

    Windows authentication is inherently more secure than SQL Server authentication (and therefore recommended by Microsoft). Windows credentials are delivered to SQL Server without passing the actual password, while SQL authentication sends the login name and password in unencrypted format, using a fairly simple obfuscation algorithm, involving conversion to Unicode, bit swapping, and a couple of XOR operations with a constant value (an algorithm reversing the obfuscation algorithm, which produces original password can be downloaded from http://www.sqlsecurity.com/Portals/57ad7180-c5e7-49f5-b282-c6475cdb7ee7/decrypt_ODBC_sql.txt). This means that anyone who can capture network traffic carrying client authentication information can easily retrieve it. If you are forced to resort to using SQL Authentication (when your clients are running legacy operating systems such as Windows 98 or Me, or are not part of the same or trusted domain), to protect passwords from being easily captured and exposed, you should always encrypt communication between SQL server and its clients with the built-in feature of Multiprotocol Net Library or by implementing SSL (for details, refer to the first article of this series).

    http://www.databasejournal.com/features/mssql/article.php/3341651/SQL-Server-2000-Security---Part-2-Authentication.htm
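Added example, not from the quoted article, this thread, or any Microsoft code: the "conversion to Unicode, bit swapping, and XOR with a constant" the article describes is the obfuscation the TDS 7.x LOGIN7 packet applies to a SQL Server authentication password, which MS-TDS specifies as UTF-16LE encoding, a swap of each byte's high and low nibbles, then XOR with 0xA5. The example goes a step beyond the article by also constructing a minimal LOGIN7 payload and reading the username and password back out of it at the offsets MS-TDS defines (ibUserName/cchUserName at byte 40, ibPassword/cchPassword at byte 44, data after the 94-byte fixed portion). The hostname, username, password and the TDS 7.1 version constant are made-up sample values; the linked decrypt script is not reproduced here.

```python
"""Reversible password obfuscation of a TDS 7.x LOGIN7 packet (per MS-TDS),
plus extraction of credentials from a constructed LOGIN7 payload.

There is no key: every byte is nibble-swapped and XORed with 0xA5, so
anyone holding the packet can undo it. All sample data below is constructed.
"""
import struct

XOR_CONSTANT = 0xA5           # fixed XOR byte used by TDS 7.x for the password field
LOGIN7_FIXED_LEN = 94         # 36-byte fixed header + 58-byte offset/length table
TDS_7_1_VERSION = 0x71000001  # TDS 7.1 (SQL Server 2000); sample value only
IB_USERNAME = 40              # offset of ibUserName/cchUserName inside LOGIN7
IB_PASSWORD = 44              # offset of ibPassword/cchPassword inside LOGIN7


def swap_nibbles(b: int) -> int:
    """Exchange the high and low 4 bits of a byte (0x61 -> 0x16)."""
    return ((b << 4) & 0xF0) | ((b >> 4) & 0x0F)


def obfuscate_tds_password(password: str) -> bytes:
    """Client side: UTF-16LE encode, swap nibbles, then XOR each byte with 0xA5."""
    return bytes(swap_nibbles(b) ^ XOR_CONSTANT
                 for b in password.encode("utf-16-le"))


def recover_tds_password(obfuscated: bytes) -> str:
    """Sniffer side: undo the XOR first, then the nibble swap, then decode."""
    return bytes(swap_nibbles(b ^ XOR_CONSTANT)
                 for b in obfuscated).decode("utf-16-le")


def build_login7(hostname: str, username: str, password: str) -> bytes:
    """Build a minimal LOGIN7 payload (without the 8-byte TDS packet header)
    in which only HostName, UserName and Password are populated. Sample only."""
    host = hostname.encode("utf-16-le")
    user = username.encode("utf-16-le")
    pw = obfuscate_tds_password(password)
    data = host + user + pw
    total_len = LOGIN7_FIXED_LEN + len(data)

    # Fixed portion: Length, TDSVersion, PacketSize, ClientProgVer, ClientPID,
    # ConnectionID, OptionFlags1, OptionFlags2, TypeFlags, OptionFlags3,
    # ClientTimeZone, ClientLCID (0x0409 = en-US, sample value)
    fixed = struct.pack("<IIIIIIBBBBiI", total_len, TDS_7_1_VERSION, 4096,
                        0, 0, 0, 0, 0, 0, 0, 0, 0x0409)

    ib_host = LOGIN7_FIXED_LEN
    ib_user = ib_host + len(host)
    ib_pw = ib_user + len(user)
    end = ib_pw + len(pw)
    # cch fields count UTF-16 code units, hence len(bytes) // 2
    table = struct.pack("<HHHHHH", ib_host, len(host) // 2,
                        ib_user, len(user) // 2, ib_pw, len(pw) // 2)
    # AppName, ServerName, Unused, CltIntName, Language, Database: all empty
    table += struct.pack("<" + "HH" * 6, *([end, 0] * 6))
    table += bytes(6)  # ClientID (client MAC address), zeroed here
    # SSPI, AtchDBFile, ChangePassword (all empty), then cbSSPILong
    table += struct.pack("<HHHHHHI", end, 0, end, 0, end, 0, 0)
    assert len(fixed) + len(table) == LOGIN7_FIXED_LEN
    return fixed + table + data


def extract_login_credentials(login7: bytes) -> tuple:
    """What a packet sniffer does: read the offset table, slice the fields,
    and reverse the obfuscation. Returns (username, password)."""
    ib_user, cch_user, ib_pw, cch_pw = struct.unpack_from("<HHHH", login7, IB_USERNAME)
    username = login7[ib_user:ib_user + 2 * cch_user].decode("utf-16-le")
    password = recover_tds_password(login7[ib_pw:ib_pw + 2 * cch_pw])
    return username, password


if __name__ == "__main__":
    packet = build_login7("client01", "sa", "S3cret!")
    print("obfuscated password bytes:", obfuscate_tds_password("S3cret!").hex())
    print("recovered from packet:", extract_login_credentials(packet))
```

The transform is keyless, so treat it as encoding rather than encryption: the plaintext is absent from the wire, but anyone with the bytes gets it back in one pass. The protection the later reply describes for SQL Server 2005 and above comes from wrapping the login exchange in SSL/TLS, not from a stronger version of this transform.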

  • This is prior to SQL Server 2005. With SQL Server 2005 the login packets are encrypted. If SQL Server doesn't have an issued certificate, it'll use a self-signed certificate.

    And while it's true the encryption algorithm is extremely weak for SQL Server 2000 and below, it was still encrypted. You had to know what packet to look for and you had to know the algorithm and the characteristic location to look for the information. So while I could teach my eleven year-old how to find and decrypt the password with a scientific calculator, pencil and paper, the average IT person isn't going to be able to do it by default.

    Also, if it was that big of a deal, you had two options with respect to this installation. With SQL Server 2000, you could issue an SSL certificate and configure the connection so that it was always encrypted. The other option would be to use encryption as part of the IPSEC policy (which first showed up natively in Windows 2000).

    K. Brian Kelley
    @kbriankelley

  • On the other hand, if someone has been granted access using windows authentication, it is not mandatory for that person to use the designated software to access the data.

    Meaning: if that person has e.g. MS Office installed on his laptop, he can access / modify the data using e.g. MS Excel or MS Access!

    So you still have to think about securing the actual server access.

    Johan

