June 18, 2007 at 12:02 pm
Hi All,
In the SQL Server Client Network Utility, I saw a check box, 'Force Protocol Encryption'. By default it is not selected.
Which is the best option, i.e. selecting it or not?
Regards
Karthik
karthik
June 18, 2007 at 2:25 pm
This is an interesting topic in general and one I've seen cause much confusion. I'm not familiar with all protocols and the ins and outs of each of them, but what I can tell you is how this check box affects clients connecting using the TCP/IP protocol. So remember this discussion relates only to TCP/IP.
If you check this box on the client utility screen, it will attempt to negotiate encryption of the communications stream between your PC and the server. That is to say, if the database server you are connecting to is set up to encrypt the communications stream, the stream will be encrypted. Is the server component of SQL Server set up for stream encryption out of the box? To my limited knowledge, no. Based on my limited testing, SQL Server encrypts the communications stream via SSL, so for your server to be able to encrypt the communications stream there must be an SSL certificate installed on the server. It's a good thing to note that all versions of Windows since the later versions of Windows 95 have APIs which support encryption. Think about it this way: since the last versions of Windows 95, Internet Explorer has been able to connect via SSL to secure web sites. It was only logical for Microsoft to build the encryption APIs right into the OS instead of into the browser, but enough about that.
What I do know and have personally tested and verified through packet sniffing is that if you install an SSL certificate on a PC running SQL Server and either check the Force Protocol Encryption check box or ask ADO to open an encrypted connection, i.e.:
objConnection.ConnectionString = "Provider=SQLOLEDB.1;Persist Security Info=False;Data Source=myServer;User ID=sa;Password=;Use Encryption for Data=True"
SQL Server and your client will encrypt the communications stream. It's actually a very simple procedure and took our Jr. DBA and one of our system administrators only about 4 hours to set up and test.
However, to give you a straightforward answer to your question, I wouldn't expect SQL Server and your client to encrypt the communications stream simply because you check the Force Protocol Encryption check box on the client or the server. I've read some confusing information which leads me to believe that encryption is available when using the Multiprotocol protocol with SQL Server without an SSL certificate, but since I haven't tested that first hand I'm not at all sure that is the case.
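Added example, not part of any post in this thread: in a packet capture, the encryption negotiation discussed above shows up as the ENCRYPTION option of the TDS PRELOGIN exchange, and the Python below reads that option from the client request and the server response and classifies the outcome. The option values and outcome rules follow the MS-TDS specification as an assumption about the capture; the helper names and the two sample packets are constructed for illustration.

```python
import struct

# ENCRYPTION option values from the MS-TDS PRELOGIN definition.
ENCRYPT_OFF, ENCRYPT_ON, ENCRYPT_NOT_SUP, ENCRYPT_REQ = 0, 1, 2, 3
TOKEN_ENCRYPTION, TERMINATOR, TDS_HEADER_LEN = 0x01, 0xFF, 8

def prelogin_encryption(packet: bytes) -> int:
    """Return the ENCRYPTION option byte of one TDS PRELOGIN packet."""
    payload = packet[TDS_HEADER_LEN:]          # skip the 8-byte TDS header
    pos = 0
    while pos < len(payload) and payload[pos] != TERMINATOR:
        if pos + 5 > len(payload):
            raise ValueError("truncated option table")
        # Each entry: token (1 byte), offset and length (big-endian uint16).
        token, offset, length = struct.unpack_from(">BHH", payload, pos)
        if token == TOKEN_ENCRYPTION:
            if length != 1 or offset >= len(payload):
                raise ValueError("malformed ENCRYPTION option")
            return payload[offset]
        pos += 5
    raise ValueError("no ENCRYPTION option in PRELOGIN")

def negotiated(client_pkt: bytes, server_pkt: bytes) -> str:
    """Classify what the rest of the connection looks like on the wire."""
    client = prelogin_encryption(client_pkt)
    server = prelogin_encryption(server_pkt)
    if server in (ENCRYPT_ON, ENCRYPT_REQ):
        # A client that cannot encrypt has to drop the connection.
        return "refused" if client == ENCRYPT_NOT_SUP else "full"
    if server == ENCRYPT_NOT_SUP:
        # A client that asked for encryption has to drop the connection.
        return "refused" if client == ENCRYPT_ON else "none"
    return "login-only"                        # server answered ENCRYPT_OFF

def build(pkt_type: int, enc: int) -> bytes:
    """Constructed sample packet carrying only VERSION and ENCRYPTION."""
    table = (struct.pack(">BHH", 0x00, 11, 6)
             + struct.pack(">BHH", TOKEN_ENCRYPTION, 17, 1) + b"\xff")
    payload = table + bytes(6) + bytes([enc])
    header = struct.pack(">BBHHBB", pkt_type, 0x01, 8 + len(payload), 0, 1, 0)
    return header + payload

if __name__ == "__main__":
    # Client requests encryption, server reports it is not supported.
    print(negotiated(build(0x12, ENCRYPT_ON), build(0x04, ENCRYPT_NOT_SUP)))
    # Client does not request it, server requires it.
    print(negotiated(build(0x12, ENCRYPT_OFF), build(0x04, ENCRYPT_REQ)))
```

A result of "login-only" means only the login packet is protected and query traffic stays readable in the capture, which is the case worth checking for when the box is left unchecked on both sides.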
June 18, 2007 at 10:54 pm
You need to select this option only when the encryption option is selected on your server, so that data flow between the client and server will be encrypted.
Cheers,
Sugeshkumar Rajendran
SQL Server MVP
http://sugeshkr.blogspot.com
June 19, 2007 at 6:42 am
You can enable the Force Protocol Encryption option on the server, or on the client. Enable Force Protocol Encryption on the server by using the Server Network Utility. If you enable Force Protocol Encryption on the server, you must install a certificate on the server.
You can use the Client Network Utility to enable Force Protocol Encryption on the client; you must have a certificate on the server, and the client must have the Trusted Root Authority updated to trust the server certificate.
Minaz
"More Green More Oxygen !! Plant a tree today"
June 19, 2007 at 6:43 am
SQL Server 2000 supports the Force Protocol Encryption option to control the Net-Library encryption. When the Force Protocol Encryption is on, SQL Server uses Secure Sockets Layer (SSL) to encrypt all communication between the client and SQL Server. A certificate is required because SSL encryption works only with instances of SQL Server 2000 that are running on a computer that has a certificate assigned from a public certification authority.
Please see the BOL "SSL, data encryption" page.
Minaz
"More Green More Oxygen !! Plant a tree today"
June 19, 2007 at 6:51 am
My two cents: encrypting the wire should be a network guy thing, not a SQL guy thing. IPSEC or the firewall client of your choice are better and broader solutions.