January 12, 2005 at 3:06 am
Hi All,
I have a web site written in ASP and running on IIS4 on a NT4 box which is hosted externally, which connects to a clustered SQL server 2000 installation running on Windows Server 2003 hosted in house.
This all works fine and there is a degree of security in that the SQL server is well locked down and the web application connects using a special user account with only enough rights to do what it needs to do (SELECTS and UPDATES on particular tables in general). Our firewall is also configured so that the database can only be accessed from the IP address of our external web server. The connection uses the TCP/IP network library.
As extra security I would like to encrypt the data flow between web server and SQL server. I have investigated this but I am struggling to find the relevent information.
Am I right in thinking that there are 2 options: 1) SSL, 2) IPSec ?
I would like to use SSL as it seems the most elegant solution, especially as there is an internal Windows application in use by several hundred users which uses the same database and if I am correct I would be able to keep these using a non-encrypted connection which would help with performance and the fact that these applications would not need reconfiguring?
My question is if I use SSL can I use a certificate provided by our internal certifcate server (rather than buying one)? The main reason I am not sure if this would work is that the web server would not be able to communicate with our certificate server with out some major infrastructure work, would the web server need to see the certificate server in order for this to work?
If it can not, would using IPSec be a good alternative? Does that provide what I want? Does anyone know of any good resources for this type of information? (I've tried MSDN)
Thank you in advance for any help/advice
Rob
January 12, 2005 at 1:32 pm
Try these webcasts (there are about SSL and SQL), may be they will be usefull:
http://www.database-security.info/Content/SQLServerWebcasts.asp
January 12, 2005 at 2:50 pm
Yes, you can use a certificate provided by your internal certificate server. However, both SQL Server and the clients will have to trust the root CA. Of course, this should go without saying. Yes, IPSec, especially when combined with AD, can be used for secure communications.
The simplest solution for most folks is going to be the SSL solution. We actually have such a solution in place in one of our configs, but we are using a VeriSign issued certificate.
K. Brian Kelley
@kbriankelley
February 7, 2007 at 1:57 pm
I am having a problem locating any certificates on my SQL server. In sql config mgr / protocols / cert tab I do not see any certificates... Where do these certs come from? How can I make SQL reissue its default cert?
February 7, 2007 at 2:52 pm
From the help:
Certificates are stored locally for the users on the computer. To load a certificate for use by SQL Server, you must be running SQL Server Configuration Manager under the same user account as the SQL Server service.
Are you logged in as the service account or did you do a Run As to start Configuration Manager ?
K. Brian Kelley
@kbriankelley
February 7, 2007 at 7:54 pm
I did do a runas and changed the server to LocalSystem. No avail. I found a post ( I have the link at work) that explains that the service user (User Group) does not have permission to the private key stores. There is a .cpp on ms.com that fixes this for NetworkSecurity user , which I'm sure can be applied to my user as well.
Also I am seeing in the SQL logs that the server is loading it's own self-signed certificate at boot. I have found a property of the SQL connection string that enables the client to trust the server certificate. I will write a small windows forms app to test this out. How do I get the client to trust this self-signed, generic certificate through the SQL Studio though?
February 8, 2007 at 7:32 am
Viewing 7 posts - 1 through 6 (of 6 total)
You must be logged in to reply to this topic. Login to reply