Security 1: Configure SSL connections between SQL server and client

Http://www.edong.org/main/content/view/259/42/ Written by: Administrator

2004-05-18

Ms SQL server password plaintext transmission is a security defect. I will not describe the specifics. If you are interested, please refer to this article: in-depth exploration of SQL2000 network connection security issues So I can only talk about how I implement SQL Server 2000 SSL. Because there are a lot of materials, I only need to take one rough step. In addition, I listed all the materials I used and the problems I encountered. For more information, see How to enable the SQL Server 2000 SSL connection By default, SQL Server is in plain text for client connection and may be listened to by other malicious attackers in the network using sniffer software. Therefore, when high security is required, you can consider using SSL connections between the client and the server to improve security. When SQL2000 is configured to use SSL, the Certificate Server must exist in the network. Configuration steps: 1. Choose "add and delete programs"> "add and set up"> "Certificate Service" 2. Follow the Certificate Service prompts to install the enterprise Root CA or independent Root CA. I chose an independent Root CA. 3. After installation, check that the "Certificate Authority" plug-in appears in the management tool. The following operations request a certificate for SQL Server: 1. if you select an independent Root CA, open the IE browser. Enter http: // servername/certsrv in the address bar to submit a certificate application to your certificate server. 2. On the Application page, select "request Certificate"> "Advanced request"> "submit a request using the form". Next Step 3. Enter the certificate name in the certificate content. Note that you must select the FQDN name of the server. Otherwise, an error may occur. Select "Server Authentication Certificate" for the applied certificate, and select "use local computer storage" to submit the request. 4. Authorize this application in CA, select View submitted application option in IE, and install the certificate Check whether the certificate is correctly installed: 1. In the IE-property-content-certificate option, check whether the issued certificate exists and its function is "Server Authentication" 2. Open the MMC console and add the certificate plug-in (including the computer account ). Confirm that the issued certificate exists. Operations on the SQL Server: 1. In SQL's "SQL SERVER network utility", select "Force protocol encryption" 2. Restart MSSQLServer service. OK 3. In "client utility", select "Force protocol encryption" Test: You can use query analyzer to connect to ODBC application, and then use network monitoring software to capture packets and check whether SSL is enabled. Common Errors: 1. When installing the certificate service, set the name of the Certificate Service to the same name as the host name. This will cause the SQL Server to fail during initialization, this problem can be seen KB: http://support.microsoft.com/default.aspx? SCID = KB; en-US; 302409 & Product = sql2k 2. When applying for a certificate, the certificate name does not use the FQDN fully qualified domain name. This is one of the reasons for the SQL Server "SSL security error: connectionopen (secdoclienthandshake ()" error. Kb309398 elaborated this question: http://support.microsoft.com/default.aspx? SCID = KB; en-US; 309398 & Product = sql2k 3. About can refer to the installation configuration article: How to: Enable SSL encryption for SQL Server 2000 with Certificate Server can see KB: http://support.microsoft.com/default.aspx? SCID = KB; en-US; 276553 & Product = sql2k #2 (with ppt files available for download) Http://support.microsoft.com/default.aspx? SCID = KB; en-US; 324777 & Product = sql2k