Block unencrypted connection to SQL Server via ODBC - sql-server

I recently enabled encrypted connections on one of my SQL Server instances. I have software that must connect to this instance through an ODBC DSN.
The database is on a W10 PC while the client is a W11 PC.
I would like the data that the client sends to the server and that the server sends to the client to be encrypted. Following the official Microsoft guide (I leave the link below) I managed to configure the connection, but I saw that if I create a new ODBC connection without activating the "use strong encryption for data" flag I can still read and write data in the database. In my opinion it makes no sense; then anyone could connect to the database, even without having the certificate.
How can I prevent / block connection to the database from a PC that does not have the certificate installed?
https://learn.microsoft.com/en-us/sql/database-engine/configure-windows/enable-encrypted-connections-to-the-database-engine?redirectedfrom=MSDN&view=sql-server-ver16

Data will be encrypted using the server's certificate regardless of the client ODBC DSN setting "Use strong encryption for data" when you set force encryption on the database server. Below is the excerpt from the ODBC driver documentation.
+-----------------+--------------------------+-------------------------+---------------------------------------------------------------------------------------------------------------------+
| Encrypt Setting | Trust Server Certificate | Server Force Encryption | Result                                                                                                              |
+-----------------+--------------------------+-------------------------+---------------------------------------------------------------------------------------------------------------------+
| No              | No                       | No                      | Server certificate isn't checked. Data sent between client and server isn't encrypted.                              |
| No              | Yes                      | No                      | Server certificate isn't checked. Data sent between client and server isn't encrypted.                              |
| Yes             | No                       | No                      | Server certificate is checked. Data sent between client and server is encrypted.                                    |
| Yes             | Yes                      | No                      | Server certificate isn't checked. Data sent between client and server is encrypted.                                 |
| No              | No                       | Yes                     | Server certificate is checked. Data sent between client and server is encrypted.                                    |
| No              | Yes                      | Yes                     | Server certificate isn't checked. Data sent between client and server is encrypted.                                 |
| Yes             | No                       | Yes                     | Server certificate is checked. Data sent between client and server is encrypted.                                    |
| Yes             | Yes                      | Yes                     | Server certificate isn't checked. Data sent between client and server is encrypted.                                 |
| Strict          | -                        | -                       | TrustServerCertificate is ignored. Server certificate is checked. Data sent between client and server is encrypted. |
+-----------------+--------------------------+-------------------------+---------------------------------------------------------------------------------------------------------------------+
"In my opinion it makes no sense, then anyone could connect to the database, even without having the certificate."
You may be confusing authentication with encryption. The encryption key exchange occurs during the initial database connection and is not related to authentication. Use Windows authentication for additional security since that ultimately uses certificates to verify user identity.
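An added example, not part of the answer above, that checks the table's point from the server's side. It uses .NET's System.Data.SqlClient from Windows PowerShell on the client to open two sessions, one without Encrypt and one with Encrypt=True plus certificate validation, asks sys.dm_exec_connections whether each session is encrypted, and then lists every current connection that is not. With Force Encryption set on the server both sessions report encrypt_option = TRUE; the client-side flag only still decides whether the server certificate is validated. The instance name, login and password are placeholders, not values from the question.

```powershell
# Added example: ask SQL Server itself whether a session is encrypted.
# Run from the client machine. Placeholders below are assumptions; replace them.
$Server   = 'W10PC\SQLEXPRESS'
$User     = 'audit_user'
$Password = 'change-me'
$base     = "Server=$Server;Database=master;User ID=$User;Password=$Password;Connect Timeout=5"

function Get-SessionEncryption {
    # Opens a session with the given connection string and reports how the
    # server sees that very session (session_id = @@SPID). No extra rights needed.
    param([string]$ConnectionString)
    $conn = New-Object System.Data.SqlClient.SqlConnection($ConnectionString)
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = "SELECT encrypt_option, auth_scheme, net_transport FROM sys.dm_exec_connections WHERE session_id = @@SPID"
        $r = $cmd.ExecuteReader()
        [void]$r.Read()
        [pscustomobject]@{
            Encrypted  = $r['encrypt_option']   # TRUE / FALSE as the server reports it
            AuthScheme = $r['auth_scheme']      # SQL, NTLM or KERBEROS
            Transport  = $r['net_transport']
        }
    }
    finally { $conn.Close() }
}

function Get-UnencryptedSessions {
    # Server-side audit: every current connection whose traffic is not encrypted.
    # Seeing sessions other than your own requires VIEW SERVER STATE.
    param([string]$ConnectionString)
    $conn = New-Object System.Data.SqlClient.SqlConnection($ConnectionString)
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = "SELECT c.session_id, c.client_net_address, c.net_transport, c.auth_scheme, s.login_name, s.program_name " +
                           "FROM sys.dm_exec_connections AS c JOIN sys.dm_exec_sessions AS s ON s.session_id = c.session_id " +
                           "WHERE c.encrypt_option = 'FALSE'"
        $da = New-Object System.Data.SqlClient.SqlDataAdapter($cmd)
        $dt = New-Object System.Data.DataTable
        [void]$da.Fill($dt)
        return $dt
    }
    finally { $conn.Close() }
}

# 1) Client does not ask for encryption. With Force Encryption = Yes on the
#    server the session is upgraded anyway and Encrypted comes back TRUE.
Get-SessionEncryption "$base;Encrypt=False"

# 2) Client asks for encryption and validates the certificate chain. This is the
#    one case the client flag changes: a self-signed certificate or a name mismatch
#    fails here instead of being silently accepted.
try {
    Get-SessionEncryption "$base;Encrypt=True;TrustServerCertificate=False"
}
catch {
    "Certificate validation failed: $($_.Exception.Message)"
}

# 3) Who is talking to the server in clear right now?
Get-UnencryptedSessions "$base;Encrypt=True;TrustServerCertificate=True" | Format-Table -AutoSize
```

If step 3 returns rows after Force Encryption was enabled, those sessions were opened before the SQL Server service was restarted (the setting takes effect on restart) or are local shared-memory connections; either way the query, not the client's DSN checkbox, is what tells you whether a given client is sending clear text.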

Related

isql error: Could not sql connect in Zabbix appliance

I want to monitor the data in a Microsoft SQL Server database using Zabbix via ODBC, without an agent. I have installed ODBC on the Zabbix appliance (VMware).
When I enter the command isql test, I get the error:
Could not SQL connect.
Also, in the Zabbix frontend dashboard there is a problem: SQL Server could not fetch info data. The settings of my odbc.ini and odbcinst.ini files are as below:
odbc.ini:
[mssql]
Description = mssql database connected to zabbix
Driver = ODBC Driver 17 for SQL Server
Server = <the ip of database server>
User = <my username in database server>
Password = <my password in database server>
Port = 1433
Database = <database name>
odbcinst.ini:
[ODBC Driver 17 for SQL Server]
Description= Microsoft ODBC Driver 17 for SQL Server
Driver = /opt/microsoft/msodbcsql17/lib64/libmsodbcsql-17.7.so.2.1
You should use verbose mode :
-v Turn on the verbose mode, where the errors are fully described. Useful for debugging.
And specify the DSN you want to connect to:
isql -v your_DSN
This should be enough to pinpoint the cause of the connection error.
I had the same problem.
[ZPRX-UAT ~]$ isql mssqltest -v
[28000][unixODBC][Microsoft][ODBC Driver 17 for SQL Server][SQL Server]Login failed for user ''.
[ISQL]ERROR: Could not SQLConnect
In my case it helped to remove the user and password from the /etc/odbc.ini file.
Then I ran the isql command with the -v parameter and a user and password; the isql command completed correctly in my case.
[ZPRX-UAT ~]$ isql -v mssqltest Test Test123
+---------------------------------------+
| Connected!                            |
|                                       |
| sql-statement                         |
| help [tablename]                      |
| quit                                  |
|                                       |
+---------------------------------------+
SQL>

Which Firewall Rule Allows 1433 TCP Port

First of all this does not contain my answer.
I want to find which firewall rule allows specific port 1433
On my server Plesk is installed and the "MS SQL over TCP protocol" firewall rule is disabled. Somehow I can still connect to the SQL Server remotely. There is one firewall rule that allows TCP connections on 1433, but which one? Is there any command to find which firewall rule allows 1433?
Source
Run as administrator
cls
# List every rule whose port filter names local port 1433, with the
# associated protocol, ports and remote-address scope.
Get-NetFirewallPortFilter | Where-Object { $_.LocalPort -eq "1433" } | Get-NetFirewallRule |
Format-Table -AutoSize -Property DisplayName,
    @{Name='Protocol';Expression={($PSItem | Get-NetFirewallPortFilter).Protocol}},
    @{Name='LocalPort';Expression={($PSItem | Get-NetFirewallPortFilter).LocalPort}},
    @{Name='RemotePort';Expression={($PSItem | Get-NetFirewallPortFilter).RemotePort}},
    @{Name='RemoteAddress';Expression={($PSItem | Get-NetFirewallAddressFilter).RemoteAddress}},
    Enabled, Profile, Direction, Action
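An added example, not from the answer above, that closes the gaps in that one-liner: a rule opens 1433 even when its LocalPort is a range such as 1000-2000 or the catch-all "Any", and an exact string match misses both. This version also restricts the search to enabled, inbound, Allow rules, reports the program the rule is bound to, and prints the per-profile firewall state first, because a rule only matters when the firewall for the active profile is on. The port and protocol are parameters; nothing here comes from the question's server.

```powershell
# Added example: which enabled inbound Allow rules cover TCP 1433, including ranges and "Any"?
# Run in an elevated PowerShell on the SQL Server host.

function Test-PortCovered {
    # $Ports is a port filter's LocalPort value: "Any", "1433", "1000-2000", or a list of those.
    param([string[]]$Ports, [int]$Target)
    foreach ($p in $Ports) {
        if ($p -eq 'Any') { return $true }
        if ($p -match '^(\d+)-(\d+)$') {
            if ([int]$Matches[1] -le $Target -and $Target -le [int]$Matches[2]) { return $true }
        }
        elseif ($p -match '^\d+$' -and [int]$p -eq $Target) { return $true }
        # Keywords such as RPC, RPC-EPMap or IPHTTPS are not numeric and never cover an explicit port.
    }
    return $false
}

function Find-AllowRulesForPort {
    param([int]$Port = 1433, [string]$Protocol = 'TCP')
    Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow | ForEach-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        # A rule whose Protocol is 'Any' matches every transport, so it covers TCP 1433 as well.
        if (($pf.Protocol -eq $Protocol -or $pf.Protocol -eq 'Any') -and
            (Test-PortCovered -Ports @($pf.LocalPort) -Target $Port)) {
            $af  = $_ | Get-NetFirewallAddressFilter
            $app = $_ | Get-NetFirewallApplicationFilter
            [pscustomobject]@{
                DisplayName   = $_.DisplayName
                Group         = $_.DisplayGroup
                Profile       = $_.Profile
                Protocol      = $pf.Protocol
                LocalPort     = (@($pf.LocalPort) -join ',')
                RemoteAddress = (@($af.RemoteAddress) -join ',')   # 'Any' means the whole internet
                Program       = $app.Program                       # 'Any' or a path such as sqlservr.exe
            }
        }
    }
}

# Rules are only enforced for profiles whose firewall is on; an "Off" profile explains
# an open port with no matching rule at all.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction | Format-Table -AutoSize

Find-AllowRulesForPort -Port 1433 -Protocol TCP | Format-Table -AutoSize
```

A rule with Program set to sqlservr.exe and LocalPort "Any" is the usual culprit when an explicit 1433 rule is disabled but connections still get through; such rules are also what a named instance on a dynamic port needs, which is why a search by port number alone does not find them.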
Easiest way to figure this out is through netevents.
Start command line as administrator.
Run netsh wfp cap start keywords=19
Let the traffic flow through port 1433
Run netsh wfp cap stop
Open Wfpdiag.xml in the Wfpdiag.cab generated by the above step.
Search for all NetEvents with <localPort>1433</localPort> and get filterId from <classifyAllow>
Search for the filterId and the <displayData> should tell you which rule allowed the packet.

Unable to connect to MSSQL server on Amazon RDS using NAT instance

I am completely new to Amazon Web Services and I am trying to implement a Virtual Private Cloud with public and private subnets. A private subnet will host my database servers and public subnet will contain my application's web servers. I followed Amazon's own step-by-step tutorial to achieve this:
Scenario 2: VPC with Public and Private Subnets
I have configured all the VPC security groups as described in the tutorial and I successfully managed to get my web servers talking to my database servers. I also want to remotely connect to the database from MSSQL Management Studio on my local machine so I can create/drop schemas and generally see what's inside the database. However, I cannot connect to the database servers at all.
Part of the problem is that I am not sure exactly what I am meant to be connecting to. Prior to doing this tutorial I created a simple database and used its endpoint as the URL and I could remotely connect to it from my local machine. Now, since the database servers are on a private subnet and can only communicate with the outside world via a NAT instance, does this mean that I should use NAT's elastic IP as a database URL and add extra rules to NAT's security groups? My knowledge of networking is somewhat lacking so I am not too sure and the tutorial doesn't help here either.
My security groups contain the following entries:
NAT instance security group inbound:
Port | Source
22 | my external ip
80 | 10.0.1.0/24 (private subnet)
443 | 10.0.1.0/24 (private subnet)
1433 | my external ip
NAT instance security group outbound:
Port | Destination
80 | 0.0.0.0/0
443 | 0.0.0.0/0
1433 | 0.0.0.0/0
Database security group inbound:
Port | Source
1433 | sg-d6ec33b9 (web servers security group)
Database security group outbound:
Port | Destination
80 | 0.0.0.0/0
443 | 0.0.0.0/0
Webservers security group inbound:
Port | Source
22 | 0.0.0.0/0
80 | 0.0.0.0/0
443 | 0.0.0.0/0
8080 | 0.0.0.0/0
Webservers security group outbound:
Port | Destination
80 | 0.0.0.0/0
443 | 0.0.0.0/0
1433 | sg-b5ec33da (database security group id)
Main routing table is associated with a private subnet (10.0.1.0/24) and has following routes:
Destination | Target
10.0.0.0/16 | local
0.0.0.0/0 | i-cf8605ad (NAT instance id)
Custom route table is associated with a public subnet (10.0.0.0/24) and has following routes:
Destination | Target
10.0.0.0/16 | local
0.0.0.0/0 | igw-a4ed3aca (internet gateway id)
So given this setup, what would I need to do to gain external access to the database servers that are on the private subnet and are protected by a NAT instance? Do I need to add/alter the rules in the security groups?
Thanks in advance.
Your problem is a little bigger than security group changes. The main problem is that your private VPC is private as in 'not internet accessible'.
You have several options to connect from outside:
Use a bastion machine as an intermediate hop (on the public net) and add the relevant SG rules to hop from that machine into your precious DB. Your users will need to connect to that machine and then either run client tools on that machine to connect to the DB or set up an SSH tunnel to your DB (so your office machine could connect). This is not a great solution in terms of user experience and in terms of security (the bastion becomes a very big security risk), but it is simple to set up. (Note: since you are an MS dude, please switch SSH for RDP [and cancel the tunneling thing].)
Set up a VPN - bring a big gun to shoot a fly. Set up a VPN (either use AWS VPN termination, or set up OpenVPN or similar stuff). Define the routing, SG rules, keys, clients, and update here if you managed to configure this within a reasonable effort. I would not go for a full site-to-site VPN (to your office network) since you do not want every malware running in your office to reach your 'private' data center.
Create a little passthrough to your DB instance from your office. Ingredients:
A custom route from your office IP to the private network, a proper SG rule to allow the office IP to the DB SG, an Elastic IP to make the instance internet reachable.
You could improve the security of solutions 1 and 3 by utilizing Dome9's Access Leases. This will allow you to restrict access to the bastion/passthrough and to enable them on demand for authorized users (disclaimer - I'm a proud Dome9'er).
Enjoy

Can't connect to remote server

I am not able to connect to a remote SQL Server.
I have done the following:
Enable TCP/IP protocol
turned Off the firewall
Start SQL Server Browser service.
But I'm still not able to connect to the server
Server Name: ip\SQLSERVER
User: UserName
Pwd: PWd
I would do the following checks.
Enable TCP/IP protocol
Turn off the firewall on the server (don't know whether you turned off your client firewall or server firewall here)
Remote server is up and running
Remote server SQL server services are started and running
a) SQL Server agent
b) SQL Server (SQLSERVER)
Client machine is able to ping remote server (This is not mandatory. If ping is not working still it is possible to access server. If ping is working then one less thing to worry)
Finally post your error message if you get any, that will help us understand more clearly what could be wrong.
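An added example, not part of the answer above, that turns its checklist into a script for a named instance such as ip\SQLSERVER. It asks SQL Browser on UDP 1434 for the instance's TCP port (the SSRP request from MS-SQLR: byte 0x04 followed by the instance name; the reply is 0x05, a two-byte length, then a semicolon-separated string containing "tcp;<port>"), tests that the port is reachable, and only then attempts a real login with .NET's System.Data.SqlClient from Windows PowerShell. Each step failing points at a different cause. The host address, instance, user and password are placeholders, not values from the question.

```powershell
# Added example: diagnose a remote named instance in three steps.
# Placeholders (assumptions) - replace with your own values.
$Server   = '192.0.2.10'
$Instance = 'SQLSERVER'
$User     = 'UserName'
$Password = 'PWd'

function Get-SqlInstancePort {
    # Step 1: ask SQL Browser (UDP 1434) which TCP port the named instance listens on.
    param([string]$Server, [string]$Instance, [int]$TimeoutMs = 3000)
    $udp = New-Object System.Net.Sockets.UdpClient
    $udp.Client.ReceiveTimeout = $TimeoutMs
    try {
        $udp.Connect($Server, 1434)
        # SSRP CLNT_UCAST_INST: 0x04 + ASCII instance name
        $req = [byte[]](@(0x04) + [System.Text.Encoding]::ASCII.GetBytes($Instance))
        [void]$udp.Send($req, $req.Length)
        $remote = New-Object System.Net.IPEndPoint([System.Net.IPAddress]::Any, 0)
        $resp = $udp.Receive([ref]$remote)   # throws on timeout: Browser stopped or UDP 1434 blocked
    }
    finally { $udp.Close() }
    # SVR_RESP: 0x05, 2-byte little-endian length, then
    # "ServerName;HOST;InstanceName;SQLSERVER;IsClustered;No;Version;...;tcp;1433;;"
    if ($resp.Length -lt 3 -or $resp[0] -ne 0x05) { throw "Unexpected SSRP response from $Server" }
    $text   = [System.Text.Encoding]::ASCII.GetString($resp, 3, $resp.Length - 3)
    $fields = $text.TrimEnd(';').Split(';')
    $i = [array]::IndexOf($fields, 'tcp')
    if ($i -lt 0) { throw "Instance $Instance has no TCP endpoint (TCP/IP protocol not enabled?)" }
    return [int]$fields[$i + 1]
}

function Test-SqlLogin {
    # Step 3: a real login. Using host,port means the client no longer depends on SQL Browser.
    param([string]$Server, [int]$Port, [string]$User, [string]$Password)
    $cs = "Server=$Server,$Port;Database=master;User ID=$User;Password=$Password;Connect Timeout=5"
    $conn = New-Object System.Data.SqlClient.SqlConnection($cs)
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = "SELECT @@SERVERNAME AS ServerName, SUSER_SNAME() AS LoginName, @@VERSION AS Version"
        $r = $cmd.ExecuteReader()
        [void]$r.Read()
        [pscustomobject]@{
            Server  = $r['ServerName']
            Login   = $r['LoginName']
            Version = ([string]$r['Version'] -split "`n")[0]
        }
    }
    finally { $conn.Close() }
}

$port = Get-SqlInstancePort -Server $Server -Instance $Instance
"Instance $Instance listens on TCP $port"

# Step 2: is that port reachable from this client? If not, the server firewall
# (or a dynamic port that moved after a restart) is the problem, not the login.
$tnc = Test-NetConnection -ComputerName $Server -Port $port
if (-not $tnc.TcpTestSucceeded) { throw "TCP $port on $Server is not reachable from this machine" }

# Error 18456 here means the network path is fine and the cause is the login itself:
# wrong password, disabled login, or SQL Server authentication not enabled on the instance.
Test-SqlLogin -Server $Server -Port $port -User $User -Password $Password
```

For a named instance the server firewall needs both UDP 1434 (for step 1) and the instance's TCP port (for steps 2 and 3); since that port is dynamic by default, a program rule for sqlservr.exe or a fixed port in Configuration Manager is what makes the rule durable across restarts.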
If you haven't already, try the following:
In Management Studio, right-click your server, and click Properties
Go to the Connections page and make sure Allow remote connections to this server is checked
Click on the Security page and, under Server authentication make sure that SQL Server and Windows Authentication mode is selected.
Also, make sure that both the server and client are using the same IP version (IPv4 or IPv6)
Did you check if your user has the right to connect to the server?
Look at the output of:
select host, user from mysql.user;
it should look like this:
+--------------+------------------+
| host         | user             |
+--------------+------------------+
| %            | MyUserName       |
| 12.12.12.123 | MyUserName       |
| localhost    | debian-sys-maint |
| localhost    | mysql.session    |
| localhost    | mysql.sys        |
| localhost    | root             |
+--------------+------------------+
Let's look at the first 2 rows, the "%" under host means that you can connect from any IP.
The second row specifies the host (Just pick one of those options).
Hopefully, that helped.

SQL connection string

The website that I have placed on the client's server needs to go live. I have given all permissions for IIS. In the web.config file I have also given the SQL connection string as:
<appSettings>
  <add key="ConnectionString" value="Data Source=USER\SQLEXPRESS;Initial Catalog=people_metrix;User ID=MyUser;Password=abc123"/>
</appSettings>
In SQL Server 2005 I have allowed remote connections (TCP/IP and named pipes),
but I am not able to log in to the website. The username and password exist in the database.
On the server the firewall is on and there is no fixed IP address (it obtains an IP address automatically). Is the login not happening due to these reasons?
Please don't EVER use 'sa' in a connection string. EVER!
First try connecting using SQL Server Management studio with your connection string credentials (and not sa!).
Does the firewall on the SQL Server machine allow traffic on port 1433?
To allow connections to SQL Server by TCP port, perform the following steps.
Click Start | Control Panel | Network Connections
Right click on the network adapter that services inbound connections to SQL Server and select Properties
Select Advanced | Windows Firewall | Settings
Select Exceptions | Add Port
Under Name put "SQL Server" and under Port Number select 1433. Use TCP as the protocol.
Click OK to close out all dialogs.
If you're using anything other than standard TCP/IP to access SQL Server, you'll need to enable different ports. To allow RPC over Named Pipes instead of TCP, open port 445 in the same way that I described above.
See this MS support article for configuring remote connections: How to configure SQL Server 2005 to allow remote connections
You might check out connectionstrings.com
It has several connection string examples.
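An added example, not from the answers above, that audits the connection strings in a web.config for the settings a reviewer would object to: the sa login, a clear-text SQL password in the config, no Encrypt, and TrustServerCertificate=True. The web.config below is constructed for the example, modelled on the one in the question, with a second entry showing a hardened shape that uses Windows authentication. It relies on System.Data.SqlClient.SqlConnectionStringBuilder (available in Windows PowerShell), which resolves keyword synonyms such as uid/User ID and Server/Data Source, so the checks do not depend on how the string was spelled.

```powershell
# Added example: flag risky SQL connection strings in a web.config.

# Constructed sample, modelled on the question; not a real deployment.
$webConfig = [xml]@'
<configuration>
  <appSettings>
    <add key="ConnectionString" value="Data Source=USER\SQLEXPRESS;Initial Catalog=people_metrix;User ID=MyUser;Password=abc123"/>
  </appSettings>
  <connectionStrings>
    <add name="Hardened" connectionString="Data Source=USER\SQLEXPRESS;Initial Catalog=people_metrix;Integrated Security=True;Encrypt=True"/>
  </connectionStrings>
</configuration>
'@

function Test-SqlConnectionString {
    # Parses one connection string and returns the findings for it.
    param([string]$Name, [string]$ConnectionString)
    $b = New-Object System.Data.SqlClient.SqlConnectionStringBuilder($ConnectionString)
    $findings = New-Object System.Collections.Generic.List[string]
    if ($b.UserID -eq 'sa') {
        $findings.Add('uses the sa login; create a least-privilege login that owns only what the site needs')
    }
    if (-not $b.IntegratedSecurity -and $b.Password) {
        $findings.Add('SQL login with a clear-text password in config; prefer Integrated Security or encrypt the section (aspnet_regiis -pe)')
    }
    if (-not $b.Encrypt) {
        $findings.Add('Encrypt is not set; credentials and data travel in clear unless the server forces encryption')
    }
    if ($b.TrustServerCertificate) {
        $findings.Add('TrustServerCertificate=True disables server certificate validation')
    }
    [pscustomobject]@{
        Name       = $Name
        DataSource = $b.DataSource
        Findings   = $findings.ToArray()
    }
}

function Get-WebConfigSqlFindings {
    # Walks both places a SQL connection string usually lives: appSettings and connectionStrings.
    param([xml]$Config)
    $results = @()
    foreach ($a in $Config.SelectNodes('//appSettings/add')) {
        $v = $a.GetAttribute('value')
        if ($v -match 'Data Source=|Server=') { $results += Test-SqlConnectionString $a.GetAttribute('key') $v }
    }
    foreach ($c in $Config.SelectNodes('//connectionStrings/add')) {
        $results += Test-SqlConnectionString $c.GetAttribute('name') $c.GetAttribute('connectionString')
    }
    $results
}

Get-WebConfigSqlFindings $webConfig | Format-List
# To audit a real file: Get-WebConfigSqlFindings ([xml](Get-Content -Raw .\web.config))
```

For the question's own string the output lists two findings (password in config, no Encrypt) and none for the hardened entry; the sa check is there because the first answer's warning is the one that gets ignored most often.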
