Security: ADO.Net and SQL Server

[ThomasLl]

I have a client machine with a VB.net app and a SQL Server
database out on a leased server on the net.

Does this connection string get encrypted when connecting?

"Server=ntsql.somewhere.net;uid=username;pwd=pwd;database=M
yDB"

If not, what do I do to make this connection string not be
open for text viewing when sent over the net?

Thanks,
ThomasLL
..

 

[Dimitris D.]

I don't know if it will be encrypted bu why don't u use
SSPI trusted connection instead??

 

[William \(Bill\) Vaughn]

Not really, the connection information is passed over the wire to the server
unencrypted so it can be seen in a network packet. Yes SSPI is more secure.

--
____________________________________
William (Bill) Vaughn
Author, Mentor, Consultant
MVP, hRD
www.betav.com
Please reply only to the newsgroup so that others can benefit.
This posting is provided "AS IS" with no warranties, and confers no rights.
__________________________________

 

[ThomasLL]

So, how do you security the connection string using
ADO.Net and SQL Server? How is SSPI used with .Net
connections?

Thanks,
Thomas LeBlanc

 

[William \(Bill\) Vaughn]

When your code uses "Integrated Security=SSPI", the .NET Data Provider
passes your windows authentication credentials to SQL Server who, in turn
revalidated them and verifies that the domain name is registered as either a
valid Login for the selected default database, or a member of an NT domain
group that's been granted rights to the specified database. This way no
visible login credentials are passed over the wire.

hth

--
____________________________________
William (Bill) Vaughn
Author, Mentor, Consultant
MVP, hRD
www.betav.com
Please reply only to the newsgroup so that others can benefit.
This posting is provided "AS IS" with no warranties, and confers no rights.
__________________________________

 

[ThomasLL]

We are not using Integrated Security, we will be use SQL
Server security.

The database server does not belong to the customer. It is
leased. We only have a SQL Server login and password, no
Domain name and password.

Thanks,
ThomasLL

 

[William \(Bill\) Vaughn]

Ah, you said in your reply:
"So, how do you security the connection string using
Do you still have a question?

--
____________________________________
William (Bill) Vaughn
Author, Mentor, Consultant
MVP, hRD
www.betav.com
Please reply only to the newsgroup so that others can benefit.
This posting is provided "AS IS" with no warranties, and confers no rights.
__________________________________

 

[ThomasLL]

How do we secure the connection string if connecting from
SDO.Net to SQL Server if you have to use SQL Server
security?

We are not in the same Domain, thus we can not use
Integrated Security.

The SQL Server database server is leased from a third
party. 1 name and 1 password to SQL Server, no access to
their machine.

Thanks,
ThomasLL

 

[William \(Bill\) Vaughn]

Well, you can encrypt the connection string until it's needed, but a net
sniffer will be able to see the username and password pass over the wire.

--
____________________________________
William (Bill) Vaughn
Author, Mentor, Consultant
MVP, hRD
www.betav.com
Please reply only to the newsgroup so that others can benefit.
This posting is provided "AS IS" with no warranties, and confers no rights.
__________________________________