Force encryption

  • I've been pouring thru the various posts here but still do not understand this very basic concept: what is the difference between "Force Encryption" at the server level (SQL Server Configuration Manager -> Protocols for MSSQLSERVER -> Properties) and "Force Protocol Encryption" at the client level (SQL Server Configuration Manager -> SQL Native Client Configuration -> Properties)?

    I know, from reading BOL, that both cannot be on at the same time. I've also seen, thru my various tests, that if I force it at the server, both the SQL Server ODBC and SQL Server Native Client ODBC connections work.

    If it's as simple as making the clients do the encryption, wouldn't someone be able to turn that off at the client machine then see all the traffic? The web server (client machine, in this case) could be compromised, the setting unset, then all traffic sent thru the app would be visible. Seems like a problem.

    I realize I can force encryption at the server level and all is well, just would like to understand why the client option is available.

    TIA.

    ----------------------------------------------------------------------------
    Sacramento SQL Server users group - http://sac.sqlpass.org
    Follow me on Twitter - @SQLDCH
    ----------------------------------------------------------------------------

    Yeah, well...The Dude abides.
  • I believe the client option exists in SQL Server's encryption and IPSec both for the same reason.

    A Server which has multiple resources (in this case DB's) where some resources require encryption and others do not.

    IPSec has more features to help with the above scenario and is integrated into Active Directory.

    If you're considering only wire encryption it's simpler to use IPSec than SQL Server, IMO.

    Just my $.02

    Good Luck

  • oh yeah and

    "Mark it zero, Dude."

    😎

  • oh yeah and

    "Mark it zero, Dude."

    Craig Outcalt

    SQLBot, you're my new favorite person

    🙂

    ----------------------------------------------------------------------------
    Sacramento SQL Server users group - http://sac.sqlpass.org
    Follow me on Twitter - @SQLDCH
    ----------------------------------------------------------------------------

    Yeah, well...The Dude abides.
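
On the concern in the opening post that a client-side setting can be switched off on the client machine: the server itself can report which current connections are actually encrypted. The query below is an added example, not part of the thread. It reads the `sys.dm_exec_connections` and `sys.dm_exec_sessions` DMVs and assumes the caller has VIEW SERVER STATE permission.

```sql
-- Added example: list current user connections that are NOT encrypted,
-- grouped by client, so a host that is connecting in the clear stands out.
SELECT
    s.host_name,
    s.program_name,
    s.login_name,
    c.client_net_address,
    c.net_transport,                          -- TCP, Named pipe, Shared memory
    COUNT(*)            AS unencrypted_connections,
    MIN(c.connect_time) AS oldest_connect_time
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions    AS s
    ON s.session_id = c.session_id
WHERE s.is_user_process = 1                   -- skip system sessions
  AND c.encrypt_option = 'FALSE'              -- column holds 'TRUE' or 'FALSE'
GROUP BY s.host_name, s.program_name, s.login_name,
         c.client_net_address, c.net_transport
ORDER BY unencrypted_connections DESC;
```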
