Chapter 1 Securing Your Server and Network (10): Use extended protection to avoid authorizing relay attacks

Source: Internet
Author: User

Original: Chapter 1 securing Your Server and Network (10): Use extended protection to avoid authorizing relay attacks

Source:, Special catalogue: article/details/37906349

No person shall, without the consent of the author, be published in the form of "original" or used for commercial purposes, and I am not responsible for any legal liability.

Previous article:


During the client and server visits, the authorization is maintained, and the connection can be accepted or denied through authentication. Because the authentication contains the address, password and other information, if the attacker intercepts this information, there will be an authorization relay attack (authentication relay attack), there are two ways to achieve this kind of attack, the first is called: Luring attack (luring attack) , the client is lured to the server set by the attacker. The second is called fraud attacks (spoofing attack), also known as man-in-the-middle attacks, where attackers intercept information between clients and SQL Server through DNS redirection, IP routing, and other technologies.

In 2009, Microsoft released its security report (Advisory 973811), which provided two mechanisms: service binding and channel binding. Service-binding requires the client to provide the signed SPN into the authorization information. If an attacker attempts to use a certificate obtained from linked information or does not provide a signed SPN, it will not be able to connect to SQL Server, which has little performance impact.

Channel binding provides a higher level of security, but has some performance impact. By using the Secure Transport Layer Protocol (Transport Layer Security (TLS)), inherited from SSL, you can ensure that the client is authorized to use channel Binding Token (CBT) and encrypt it.


1. Open the SQL Server Configuration Manager, in the SQL Server Network Configuration node, right-click the protocol for the instance, open the Properties window and select the Advanced tab:

2, if the client supports "Extended Protection", select: "Must", otherwise, select "Allow":

3. If the SQL Server service belongs to some SPNs, add the name to the accepted NTLM SPN, separated by semicolons:

4, if you want to enable channel Binding Protection, and force all connection encryption, you can go to the "Flag" tab, "Force Encryption" is set to "yes", if the encryption does not require coercion, only the service Binding will be turned on.


When extended protection is enabled in SQL Server Configuration Manager, you can choose to enable clients that support this feature, or you can force all connections to use, and Win 7 and Windows Server R2 have built-in extended protection to enable other clients. Need to install a patch:


More detailed information can be accessed: and 12/08/extended-protection-for-authentication.aspx

Filed under:

Chapter 1 Securing Your Server and Network (10): Use extended protection to avoid authorizing relay attacks

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.