Windows Authentication security question

J

Hello. Sorry if this is a novice or weird question but I was just wondering
if in general having a Windows integrated authentication to a SQL Server
database has more security than Windows basic authentication wrapped with
https/ssl? I know the data in communication over the network is more
secured with the basic authentication/ssl method but was wondering more on a
user name and password level since integrated sends a hash/token I believe
whereas basic authentication wrapped with ssl is totally encrypted.

Thanks in advance.

J
 
J
Your question is not really weird - you should read some of them <g>

There seem to be a couple of misnomers in your post.

There is no "Windows basic authentication"
I will assume that you intended to indicate use of SQL internal accounts.

You also say communication over the network is more secured when
using basic authN within SSL. This is probably not true, especially if
less than SSL 3.0. Windows integrated uses a challenge-response
sequence that makes use of knowledge of the password hash, but the
sequence itself cannot be used to get the hash and it is also resistant
to replay usage. It is probably more secure than the other even with the
best level of SSL/TLS (but the "more" is arguable, i.e. if neither could be
cracked then which is "more" secure?)

If your question is about what authN to allow a SQL Server to use, there
really is little choice except to allow both, at least for most general use
SQL services, since you will run into situations that cannot be dovetailed
into using a Windows integrated model (like SharePoint websites!!), etc.
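
The challenge-response idea described in the reply above, as an added illustration that is not part of the original thread: a simplified scheme in which the server sends a fresh random challenge and the client answers with a keyed digest of it, so the password-derived secret is never sent and a captured answer fails against the next challenge. The names `stored_key`, `Server` and `respond` are hypothetical, and HMAC-SHA-256 is a stand-in, not the computation Windows integrated authentication actually performs.

```python
import hashlib
import hmac
import secrets


def stored_key(password: str) -> bytes:
    # Stand-in for the password-derived secret both sides hold (assumption:
    # plain SHA-256; the real Windows protocols derive their keys differently).
    return hashlib.sha256(password.encode("utf-8")).digest()


def respond(password: str, nonce: bytes) -> bytes:
    # Client side: prove knowledge of the secret by keying a digest of the nonce.
    return hmac.new(stored_key(password), nonce, hashlib.sha256).digest()


class Server:
    def __init__(self, accounts: dict[str, bytes]):
        self.accounts = accounts              # user -> stored key
        self.pending: dict[str, bytes] = {}   # user -> outstanding challenge

    def challenge(self, user: str) -> bytes:
        nonce = secrets.token_bytes(16)       # fresh and unpredictable per attempt
        self.pending[user] = nonce
        return nonce

    def verify(self, user: str, response: bytes) -> bool:
        nonce = self.pending.pop(user, None)  # each challenge is usable only once
        key = self.accounts.get(user)
        if nonce is None or key is None:
            return False
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def demo() -> dict[str, bool]:
    password = "constructed-sample-password"  # constructed sample value
    server = Server({"j": stored_key(password)})
    c1 = server.challenge("j")
    r1 = respond(password, c1)
    legitimate = server.verify("j", r1)
    server.challenge("j")                     # server issues a new challenge
    replayed = server.verify("j", r1)         # captured answer sent again
    c3 = server.challenge("j")
    wrong = server.verify("j", respond("guess", c3))
    key_on_wire = stored_key(password) in (c1 + r1)
    return {"legitimate": legitimate, "replayed": replayed,
            "wrong_password": wrong, "key_on_wire": key_on_wire}


if __name__ == "__main__":
    print(demo())
```

In this simplified scheme a recorded challenge and response can still be used to test password guesses offline, so the strength of the password matters as much as the exchange itself.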
 
Guess I have a little more research to do.

Thanks for your reply Roger. I totally appreciate it.

Take care,

J
 