I recently enabled the encrypted connection to one of my SQL Server instances. I have software that DSN ODBC must connect to this instance.
The database is on a W10 PC while the client is a W11 PC.
I would like the data that the client sends to the server and the server sent to the client to be encrypted. Following the official Microsoft guide (I leave the link below) I managed to configure the connection but I saw that if I create a new ODBC connection without activating the "use strong encryption for data" flag I can still read and write data to the Database. In my opinion it makes no sense, then anyone could connect to the database, even without having the certificate.
How can I prevent / block connection to the database from a PC that does not have the certificate installed?
https://learn.microsoft.com/en-us/sql/database-engine/configure-windows/enable-encrypted-connections-to-the-database-engine?redirectedfrom=MSDN&view=sql-server-ver16
Data will be encrypted using the server's certificate regardless of the client ODBC DSN setting "Use strong encryption for data" when you set force encryption on the database server. Below is the excerpt from the ODBC driver documentation.
+-----------------+--------------------------+-------------------------+---------------------------------------------------------------------------------------------------------------------+
| Encrypt Setting | Trust Server Certificate | Server Force Encryption | Result |
+-----------------+--------------------------+-------------------------+---------------------------------------------------------------------------------------------------------------------+
| No | No | No | Server certificate isn't checked. Data sent between client and server isn't encrypted. |
| No | Yes | No | Server certificate isn't checked. Data sent between client and server isn't encrypted. |
| Yes | No | No | Server certificate is checked. Data sent between client and server is encrypted. |
| Yes | Yes | No | Server certificate isn't checked. Data sent between client and server is encrypted. |
| No | No | Yes | Server certificate is checked. Data sent between client and server is encrypted. |
| No | Yes | Yes | Server certificate isn't checked. Data sent between client and server is encrypted. |
| Yes | No | Yes | Server certificate is checked. Data sent between client and server is encrypted. |
| Yes | Yes | Yes | Server certificate isn't checked. Data sent between client and server is encrypted. |
| Strict | - | - | TrustServerCertificate is ignored. Server certificate is checked. Data sent between client and server is encrypted. |
+-----------------+--------------------------+-------------------------+---------------------------------------------------------------------------------------------------------------------+
In my opinion it makes no sense, then anyone could connect to the
database, even without having the certificate.
You may be confusing authentication with encryption. The encryption key exchange occurs during the initial database connection and is not related to authentication. Use Windows authentication for additional security since that ultimately uses certificates to verify user identity.
I cannot connect to a named instance of SQL Server. I am trying to connect to domain\named_instance but this happens to all servers I try to connect to apart from localhost
The error that I cam getting looks like this:
So far I have tried:
Enabling remote connections in SQL Server
Enabling TCP/IP in the SQL Server Configuration Manager
Changing all the TCP ports in SQL Server Configuration Manager to 1433
I also tried running the command below where the number is the Process ID of the SQL Server Service:
netstat -ano | find /i “7608”
My result was as follows:
As suggested by this website.
However I do not get the ESTABLISHED return only the 2 LISTENING ones.
My IP2 IP address is set to: 192.168.2.176not 100% sure if this is right or not.
I cannot (due to security issues with my hosting company) get the IP of the server. Any and all suggestions are welcome!
I am in dire straits, and really need help!
I am using SQL Server 2008
Since you are stating you are trying to use named pipes (can be seen in the screenshots) I think you errornously trying to use TCP configuration to do this.
You need to need to enabled SQL to listen named pipes. How to do - see here.
There are multiple types of error "Cannot connect to 'Server Name'".
These error are differentiated on the basis of Error Additional Information.
One of the Solution for above error is
Connect the server using Windows Authentication.
Right Click on the Server(i.e. first option) in Object Explorer. Then go to Properties.
Go to Security then select Server Authentication as "SQL Server and Windows Authentication Mode"
Again Right Click on the Server(i.e. first option) in Object Explorer. Then select restart.
Then try again login using SQL Authentication
I am completely new to Amazon Web Services and I am trying to implement a Virtual Private Cloud with public and private subnets. A private subnet will host my database servers and public subnet will contain my application's web servers. I followed Amazon's own step-by-step tutorial to achieve this:
Scenario 2: VPC with Public and Private Subnets
I have configured all the VPC security groups as described in the tutorial and I successfully managed to get my web servers talking to my database servers. I also want to remotely connect to the database from MSSQL Management Studio on my local machine so I can create/drop schemas and generally see what's inside the database. However, I cannot connect to the database servers at all.
Part of the problem is that I am not sure exactly what I am meant to be connecting to. Prior to doing this tutorial I created a simple database and used its endpoint as the URL and I could remotely connect to it from my local machine. Now, since the database servers are on a private subnet and can only communicate with the outside world via a NAT instance, does this mean that I should use NAT's elastic IP as a database URL and add extra rules to NAT's security groups? My knowledge of networking is somewhat lacking so I am not too sure and the tutorial doesn't help here either.
My security groups contain the following entries:
NAT instance security group inbound:
Port | Source
22 | my external ip
80 | 10.0.1.0/24 (private subnet)
443 | 10.0.1.0/24 (private subnet)
1433 | my external ip
NAT instance security group outbound:
Port | Destination
80 | 0.0.0.0/0
443 | 0.0.0.0/0
1433 | 0.0.0.0/0
Database security group inbound:
Port | Source
1433 | sg-d6ec33b9 (web servers security group)
Database security group outbound:
Port | Destination
80 | 0.0.0.0/0
443 | 0.0.0.0/0
Webservers security group inbound:
Port | Source
22 | 0.0.0.0/0
80 | 0.0.0.0/0
443 | 0.0.0.0/0
8080 | 0.0.0.0/0
Webservers security group outbound:
Port | Destination
80 | 0.0.0.0/0
443 | 0.0.0.0/0
1433 | sg-b5ec33da (database security group id)
Main routing table is associated with a private subnet (10.0.1.0/24) and has following routes:
Destination | Target
10.0.0.0/16 | local
0.0.0.0/0 | i-cf8605ad (NAT instance id)
Custom route table is associated with a public subnet (10.0.0.0/24) and has following routes:
Destination | Target
10.0.0.0/16 | local
0.0.0.0/0 | igw-a4ed3aca (internet gateway id)
So given this setup, what would I need to do to gain an external access to the database servers that are on private subnet an are protected by a NAT instance? Do I need to add/alter the rules in the security groups?
Thanks in advance.
Your problem is a little bigger than security group changes. The main problem is that your private vpc is private as in 'not internet accessible'.
You have several options to connect from outside:
Use a bastion machine as an intermediate hop (on the public net) and add relevant SG rules to hop form that machine into your precious DB. Your users will need to connect to that machine and then either run client tools on that machine to connect to the DB or setup a SSH tunnel to your DB (so your office machine could connect). This is not a great solution in term of users experience and in term of security (the bastion become a very big security risk) but it is simple to setup. (Note: since you are MS dude then please switch SSH for RDP [and cancel the tunneling thing])
Setup a VPN - bring a big gun to shoot a fly. Setup a VPN (either use AWS VPN termination, or setup an OpenVPN or similar stuff). Define the routing, SG rules, Keys clients and update here if you managed to configure this within a reasonable effort. I would not go for a full site-to-site VPN (to your office network) since you do not want every malware running in your office to reach your 'private' data center.
Create a little passthrough to your DB instance from your office. Ingredients:
A custom route from your office IP to the private network, Proper SG rule to allow office IP to DB SG, Elastic IP to make the instance internet reachable.
You could improve solutions 1,3 security by utilizing Dome9's Access Leases. This will allow you to restrict access to the bastion/passthrough and to enable them on demand for authorized users (disclaimer - I'm a proud Dome9'er)
Enjoy
Yes I read this How to find the port for MS SQL Server 2008?
no luck.
telnet 1433
returns connection failed, so I must specify other port.
I tried to use
netstat -abn
but I don't see sqlservr.exe or something similar on this list.
Why it so difficult to find that port? :/
Try this:
USE master
GO
xp_readerrorlog 0, 1, N'Server is listening on'
GO
http://www.mssqltips.com/sqlservertip/2495/identify-sql-server-tcp-ip-port-being-used/
very simple.
make a note of the sqlsrvr.exe PID from taskmanager
then run this command:
netstat -ano | findstr *PID*
it will show TCP and UDP connections of your SQL server (including ports)
standard is 1433 for TCP and 1434 for UDP
example :
This is the one that works for me:
SELECT DISTINCT
local_tcp_port
FROM sys.dm_exec_connections
WHERE local_tcp_port IS NOT NULL
If you can start the Sql Server Configuration Manager > SQL Server Network Configuration > Your instance > TCP/IP > Properties
If you have run "netstat -a -b -n" (from an elevated command prompt) and you don't see "sqlservr.exe" at all then either your SQL Server service is not running or its TCP/IP network library is disabled.
Run SQL Server Configuration Manager (Start | All Programs | Microsoft SQL Server 2008 | Configuration Tools).
Navigate to SQL Server Services.
In the right-hand pane look for SQL Server (). Is it stopped? If so, start it.
Navigate to SQL Server Network Configuration (or SQL Server Network Configuration (32-bit) as appropriate) then Protocols for .
In the right-hand pane look for "TCP/IP". Is it disabled? If so, enable it, then restart the SQL Server service.
Note that he Instance ID will be MSSQLSERVER for the default instance.
Please also note that you don't have to enable the TCP/IP network library to connect a client to the service. Clients can also connect through the Shared Memory network library (if the client is on the same machine) or the Named Pipes network library.
Maybe it's not using TCP/IP
Have a look at the SQL Server Configuration Manager to see what protocols it's using.
try once:-
USE master
DECLARE #portNumber NVARCHAR(10)
EXEC xp_instance_regread
#rootkey = 'HKEY_LOCAL_MACHINE',
#key =
'Software\Microsoft\Microsoft SQL Server\MSSQLServer\SuperSocketNetLib\Tcp\IpAll',
#value_name = 'TcpDynamicPorts',
#value = #portNumber OUTPUT
SELECT [Port Number] = #portNumber
GO
This is another script that I use:
-- Find Database Port script by Jim Pierce 09/05/2018
USE [master]
GO
DECLARE #DynamicportNo NVARCHAR(10);
DECLARE #StaticportNo NVARCHAR(10);
DECLARE #ConnectionportNo INT;
-- Look at the port for the current connection
SELECT #ConnectionportNo = [local_tcp_port]
FROM sys.dm_exec_connections
WHERE session_id = ##spid;
-- Look for the port being used in the server's registry
EXEC xp_instance_regread #rootkey = 'HKEY_LOCAL_MACHINE'
,#key =
'Software\Microsoft\Microsoft SQL Server\MSSQLServer\SuperSocketNetLib\Tcp\IpAll'
,#value_name = 'TcpDynamicPorts'
,#value = #DynamicportNo OUTPUT
EXEC xp_instance_regread #rootkey = 'HKEY_LOCAL_MACHINE'
,#key =
'Software\Microsoft\Microsoft SQL Server\MSSQLServer\SuperSocketNetLib\Tcp\IpAll'
,#value_name = 'TcpPort'
,#value = #StaticportNo OUTPUT
SELECT [PortsUsedByThisConnection] = #ConnectionportNo
,[ServerStaticPortNumber] = #StaticportNo
,[ServerDynamicPortNumber] = #DynamicportNo
GO
In our enterprise I don't have access to MSSQL Server, so I can'r access the system tables.
What works for me is:
capture the network traffic Wireshark (run as Administrator, select Network Interface),while opening connection to server.
Find the ip address with ping
filter with ip.dst == x.x.x.x
The port is shown in the column info in the format src.port -> dst.port
select * from sys.dm_tcp_listener_states
More there:
https://learn.microsoft.com/en-us/sql/relational-databases/system-dynamic-management-views/sys-dm-tcp-listener-states-transact-sql?view=sql-server-2017
If you don't want to look in SQL Server Management (sqlservermanager15.msc), then run this query in the database, e.g. from sqlcmd or ssms:
SELECT * FROM [sys].[dm_tcp_listener_states]
listener_id
ip_address
is_ipv4
port
type
type_desc
state
state_desc
start_time
1
::1
False
1433
0
TSQL
0
ONLINE
2021-01-01 00:00:00.000000
2
127.0.0.1
True
1433
0
TSQL
0
ONLINE
2021-01-01 00:00:00.000000
Thanks to #vladimir-bashutin for pointing out this one. Here is another one:
SELECT [name]
,[protocol_desc]
,[type_desc]
,[state]
,[state_desc]
,[is_admin_endpoint]
FROM [master].[sys].[endpoints]
name
protocol_desc
type_desc
state
state_desc
is_admin_endpoint
TSQL Local Machine
SHARED_MEMORY
TSQL
0
STARTED
False
TSQL Named Pipes
NAMED_PIPES
TSQL
0
STARTED
False
TSQL Default TCP
TCP
TSQL
0
STARTED
False
TSQL Default VIA
VIA
TSQL
0
STARTED
False
So now you have the port and protocol. If you don't have access to these system tables, consider using an SSRP client, such as https://github.com/adzm/ssrpc.
Try to enable the protocol by:
Configuration Manger > SQL server Network Configuration > Protocols for MSSQLSERVER > properties of TCP/IP
SQL Server 2000
Programs |
MS SQL Server |
Client Network Utility |
Select TCP_IP then Properties
SQL Server 2005
Programs |
SQL Server |
SQL Server Configuration Manager |
Select Protocols for MSSQLSERVER or select Client Protocols and right click on TCP/IP
From PowerShell you can use this to see what port your instance is using:
You can change MSSQLSERVER to your own instance name.
$wmi = New-Object 'Microsoft.SqlServer.Management.Smo.Wmi.ManagedComputer' localhost
$tcp = $wmi.ServerInstances['MSSQLSERVER'].ServerProtocols['Tcp']
$ipAll = $tcp.IPAddresses | where { $_.Name -eq "IPAll" }
write-host ($ipAll.IPAddressProperties.value)
In my case the server was remote and used a named instance. The SQL Browse Service is what will translate that into a port for the client. Just make a connection through SQL Management Studio. Perform an nslookup of the server name to obtain its IP. Then do a:
netstat -ano | findstr {ip}
Should have a few remote connections in the list all using the same port number. If the server is configured to use dynamic ports then this will change.
Perhaps not the best options but just another way is to read the Windows Registry in the host machine, on elevated PowerShell prompt you can do something like this:
#Get SQL instance's Port number using Windows Registry:
$instName = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server').InstalledInstances[0]
$tcpPort = (Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$instName\MSSQLServer\SuperSocketNetLib\Tcp").TcpPort
Write-Host The SQL Instance: `"$instName`" is listening on `"$tcpPort`" "TcpPort."
Ensure to run this PowerShell script in the Host Server (that hosts your SQL instance / SQL Server installation), which means you have to first RDP into the SQL Server/Box/VM, then run this code.
HTH
website needs to go live which i have placed on client server.i have gven all permissions for IIS.in web.config file i have also given SQL connection string as :
<appSettings>
<add key="ConnectionString" value="Data Source=USER\SQLEXPRESS;Initial Catalog=people_metrix;User ID=MyUser;Password=abc123"/> </appSettings>
In sql server 2005 have allowed remote connections(TCP/IP and named pipes).
but am not able to login to webasite.Username and password exist in database.
In server,firewall is on and there is no IP address(Obtains IP adress automatically).Is Login not happening due to these reasons ?
Please don't EVER use 'sa' in a connection string. EVER!
First try connecting using SQL Server Management studio with your connection string credentials (and not sa!).
Does the firewall on SQl sServer machine allow traffic on port 1433?
To allow connections to SQL Server by TCP port, perform the following steps.
Click Start | Control Panel | Network Connections
Right click on the network adapter that services inbound connections to SQL Server and select Properties
Select Advanced | Windows Firewall | Settings
Select Exceptions | Add Port
Under Name put "SQL Server" and under Port Number select 1433. Use TCP as the protocol.
Click OK to close out all dialogs.
If you're using anything other than standard TCP/IP to access SQL Server, you'll need to enable different ports. To allow RPC over Named Pipes instead of TCP, open port 445 in the same way that I described above.
See this MS support article for configuring remote connections: How to configure SQL Server 2005 to allow remote connections
You might check out connectionstrings.com
It has several connection string examples.