ssl in sql server 2005 and asp.net

  • Question

  • I want to develop an ASP.NET web application that connects to the SQL Server and retrieves data from the server. I want this website to be secured. I have come to know that SQL Server 2006 has the capability of encrypting data (i.e. using SSL). Does that mean I do not have to use SSL on my web server? Please pardon me if I am asking a stupid question! I am kind of new to ASP.NET! All I want to do is develop a secured ASP.NET application and store data in an encrypted format in SQL Server 2005.

    Please help! Thanks in advance

     

    Wednesday, May 3, 2006 6:42 PM

Answers

  • Your typical end-to-end connections will look like this:

    client (IE) ---> ASP.NET (web server) ---> SQL Server 2005. 

    For best security you want to secure both the client->ASP.NET and ASP.NET->SQL Server 2005 connections through SSL.  Hence, you still want to keep using SSL on your web server. 

    I'll limit my answer here to the ASP.NET->SQL Server 2005 since that's the subject of this Forum (if you have additional questions regarding the former, please, post at an ASP.NET Forum):

    - You obtain the highest level of security for the ASP.NET->SQL Server 2005 connection by installing an SSL certificate on the SQL Server 2005 machine, configuring the machine running ASP.NET to trust its root authority, and configuring your SqlClient connection to use encryption. This will provide both encryption and validation of the SQL Server during the connection establishment.

    - SQL Server 2005 provides a "self-signed" SSL certificate, which can be used to encrypt all traffic between ASP.NET and SQL Server 2005 but it does not allow ASP.NET to validate that it actually talks to the correct peer (hence, it is prone to "man-in-the-middle" attacks). 

    There is a good blog on the topic of SSL encryption in SQL Server 2005 at https://blogs.msdn.com/sql_protocols/archive/2005/10/04/476705.aspx with two useful pointers, one of them pointing to a KB at http://support.microsoft.com/default.aspx?scid=kb;en-us;318605

     

    Wednesday, May 3, 2006 8:36 PM
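
The SqlClient side of the first option in the answer above, as an added example that is not part of the original reply: it requests encryption, keeps server certificate validation on, and then asks SQL Server whether the session is actually encrypted. The host name `sqlhost.example.internal`, the database name `AppDb`, the class and method names, and the use of integrated authentication are assumptions; reading `sys.dm_exec_connections` requires VIEW SERVER STATE permission.

```csharp
using System;
using System.Data.SqlClient;

static class EncryptedSqlConnectionCheck
{
    // Hypothetical helper: builds a connection string that encrypts the channel
    // and validates the server certificate against the client's trusted roots.
    static string BuildValidatedConnectionString(string server, string database)
    {
        var builder = new SqlConnectionStringBuilder();
        builder.DataSource = server;          // must match the name in the server certificate
        builder.InitialCatalog = database;
        builder.IntegratedSecurity = true;    // assumption: Windows authentication
        builder.Encrypt = true;               // request SSL for all traffic
        // false = validate the certificate chain and host name.
        // Setting this to true still encrypts but skips validation, which is the
        // self-signed case the answer describes as prone to man-in-the-middle.
        builder.TrustServerCertificate = false;
        return builder.ConnectionString;
    }

    // Asks the server whether the current session's transport is encrypted.
    static bool IsSessionEncrypted(SqlConnection connection)
    {
        const string sql =
            "SELECT encrypt_option FROM sys.dm_exec_connections " +
            "WHERE session_id = @@SPID AND parent_connection_id IS NULL";
        using (var command = new SqlCommand(sql, connection))
        {
            object value = command.ExecuteScalar();
            return value != null && string.Equals(
                Convert.ToString(value), "TRUE", StringComparison.OrdinalIgnoreCase);
        }
    }

    static void Main()
    {
        // Constructed sample values, not taken from the thread.
        string cs = BuildValidatedConnectionString("sqlhost.example.internal", "AppDb");
        try
        {
            using (var connection = new SqlConnection(cs))
            {
                connection.Open(); // throws if the certificate cannot be validated
                Console.WriteLine("Encrypted session: " + IsSessionEncrypted(connection));
            }
        }
        catch (SqlException ex)
        {
            // Fail closed: do not retry with TrustServerCertificate=true.
            Console.Error.WriteLine("Connection refused or certificate not trusted: " + ex.Message);
        }
    }
}
```
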

All replies

  • Thanks a lot, Peter. Your reply was very helpful.
    Thursday, May 4, 2006 4:15 PM