Securing SQL Server 2005 with SSL

  • Question

  • Hi,

    Our IT Security department has issued a new security guideline and we are obligated to secure all SQL Server traffic using either IPSec or through SSL. Due to its complexity I would like to skip IPSec and go ahead with implementing SSL encryption.

    I have installed a stand-alone root CA in our test environment and have issued and installed a certificate for our database server. In SQL Server 2005 Network Configuration I have enabled the option 'Force Encryption' and selected the correct certificate on the second tab. All servers/clients have the issuing CA's certificate installed.

    As far as I can tell this should be enough to ensure all data is encrypted, right? Or do I have to make certain changes on the client side? For example: we have an application running on server X. The application uses a SQL database on server Y. Do I have to make changes to server X or is data always encrypted due to the "Force Encryption = yes" server setting?

    Hope someone can clear this up for me. I'm in way over my head with this whole encryption stuff :-)

    Thanks!

    Jeffrey
    Thursday, October 2, 2008 1:14 PM

Answers

  • Hi Jeffrey,

      The "Force Encryption = yes" setting on the server side will be sufficient to make clients connecting to that server use SSL.  We do recommend also that you force encryption on the client side via the analogous registry keys on all the client machines, but in many cases that is not feasible just due to the high number of clients people have; if that is not feasible, you will be fine with the server Force Encryption setting.

    Friday, October 3, 2008 6:34 PM
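
A server-side check for the setting discussed in this answer, as an added example that is not part of the original thread: the query uses the `sys.dm_exec_connections` and `sys.dm_exec_sessions` views to show, per client host and program, how many current connections are encrypted. It assumes a login with VIEW SERVER STATE permission.

```sql
-- Added example: summarize current user connections by client and encryption state.
-- encrypt_option is 'TRUE' for an encrypted connection and 'FALSE' otherwise.
SELECT
    s.host_name,
    s.program_name,
    c.net_transport,
    c.client_net_address,
    SUM(CASE WHEN c.encrypt_option = 'TRUE' THEN 1 ELSE 0 END) AS encrypted_connections,
    SUM(CASE WHEN c.encrypt_option = 'TRUE' THEN 0 ELSE 1 END) AS unencrypted_connections
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions AS s
    ON s.session_id = c.session_id
WHERE s.is_user_process = 1          -- skip internal system sessions
GROUP BY s.host_name, s.program_name, c.net_transport, c.client_net_address
ORDER BY unencrypted_connections DESC, s.host_name, s.program_name;
```

Any row with a nonzero `unencrypted_connections` count identifies a client whose traffic to the instance is not being encrypted.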

All replies

  • Hello,

    I am in the same situation as Jeffrey and would be thankful for any guidance. Although I have enabled the Force Encryption setting on the server, I am not sure if I need to change configuration on client machines. The part that is hard is that the applications that connect to this database are both Microsoft and non-Microsoft applications:

    1. Microsoft Sharepoint Server
    2. Microsoft Dynamics GP
    3. VMware vCenter - I think this uses ODBC to connect to the DB
    4. BlackBerry Enterprise Server - This may be using JDBC

    Could someone please advise if the client applications will work with an SSL-enabled SQL server without any modifications or do I need to change something on the clients?

    Thanks!
    Praful.
    Tuesday, August 11, 2009 5:34 PM