Home | Contact Us | FAQ | Search & Site Map | Link to Us
Sign In | Join | Other 45 Sites in Network
Home
Discussion Groups
DB Engine
SQL ServerMSDESQL Server CE
Services
Analysis (Data Mining)Analysis (OLAP)DTSIntegration ServicesNotification ServicesReporting Services
Programming
CLRConnectivitySQLXML
Other Technologies
ClusteringEnglish QueryFull-Text SearchReplicationService Broker
General
Data WarehousingPerformanceSecuritySetupSQL Server ToolsOther SQL Server Topics
DirectoryUser Groups
Related Topics
MS AccessOther DB ProductsMS Server Products.NET DevelopmentVB DevelopmentJava DevelopmentMore Topics ...
SQL Server Forum / General / Security / July 2008

Tip: Looking for answers? Try searching our database.

For a SQL Account do Credebtials come to SQL in clear text?

Thread view: 
Enable EMail Alerts  Start New Thread
Thread rating: 
Jim Abel - 29 Aug 2007 23:32 GMT
Does a  SQL Server 2000 Account credebtials get passed from a aspx file to
the SQL Server in clear text?

My understanding is that the default port for SQL Server is 1433 and if a
sniffer were put in front of the SQL Server what form would the username and
password come to the server in?
The web page uses http port 80 so no SSL is involved.
Reply to this Message
Andrew J. Kelly - 29 Aug 2007 23:40 GMT
If you are using sql authentication then the answer is yes. That is one of
the many reasons to use Windows authentication.

Signature

Andrew J. Kelly    SQL MVP
Solid Quality Mentors

> Does a  SQL Server 2000 Account credebtials get passed from a aspx file to
> the SQL Server in clear text?
[quoted text clipped - 4 lines]
> password come to the server in?
> The web page uses http port 80 so no SSL is involved.
Reply to this Message
bass_player [SBS-MVP] - 30 Aug 2007 06:03 GMT
I'd use IPSec from your web app server to SQL Server or implement Data
Protection API.  If you are using ASP.NET 2.0, you can encrypt connection
strings in your web.config using the aspnet_regiis tool

> Does a  SQL Server 2000 Account credebtials get passed from a aspx file to
> the SQL Server in clear text?
[quoted text clipped - 4 lines]
> password come to the server in?
> The web page uses http port 80 so no SSL is involved.
Reply to this Message
John Grant - 23 Jul 2008 22:48 GMT
Is this true?  If i use standrad security can I see the user id and password.
Tryed to use netmon v3.1 and could not see the data in the IPv4 payload.

> I'd use IPSec from your web app server to SQL Server or implement Data
> Protection API.  If you are using ASP.NET 2.0, you can encrypt connection
[quoted text clipped - 8 lines]
> > password come to the server in?
> > The web page uses http port 80 so no SSL is involved.
Reply to this Message
 
Sign In
Join
My Latest Posts
My Monitored Threads
My Blog
My Photo Gallery
My Profile
My Homepage
Start New Thread
Enable EMail Alerts
Rate this Thread



©2008 Advenet LLC   Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.