I recently made a small app for a friend and then made it a public app, in doing so I forgot that it connects to my MS SQL DB and checks for values. Someone used Red Gate .Net Reflector to get my password and destroy it all. I've contacted their ISP and they are looking into it, apparently this person has a static ip with them.
So this is a lesson learned at a heavy price for me. How can I prevent this from happening again? How can I get away from the unsafe connection string they were able to use?
Never hard code connection strings. Use the configuration section provided for it (connectionStrings), and if really paranoid, encrypt it.
If you are using a shared database, you should not even have a connection string on the client, but create a service point (for example a webservice) that will connect to the database on their behalf. The client can connect to this and your connection string is safe behind your service, which is in your control and on your server.
Don't expose a database connection, but have your app communicate through a webservice, or similar, that only has methods and privileges, to do what the app needs.
If you absolutely need the database connection, make sure the user only has read permissions on the database.
Encrypting the connection string is a start, but your program will have to know how to decrypt it for it to be useful. If your program can decrypt it, an attacker will also be able to - you can only affect the amount of work he needs to put in it.
Therefore, in my opinion, you should expose a read-only service.
If it's a public app, you need to provide individual logins for each user or have a proxy sitting between the database and the application which authenticates the users and talks to the database.
Encrypting the connection string wouldn't help much, I think it can be easily decrypted with built-in tools or with Crack.net.
If you're suuuper paranoid, prompt the sysadmin for the password each time the application starts (maybe an admin interface.) That way it's only memory resident.
I love this question. Like driis said, even with encrypted connection strings you need to store a password (or key, or whatever) to decrypt your encrypted connection string. Just more layers of the same problem.
Using connection strings and encrypted sections in you config will won't stop this type of attack, it's only designed to make the config file unreadable on a machine other than which it is installed.
The only safe way is to create a web service that connects to your database to retrieve the data, and then make sure that the web service logon only has the minimum permissons required, or force the user of the web service to logon and them impersonate that user for the database connection.
It appears you don't have firewall protection to stop external connections directly to your database so I wonder what other even more dangerous ports you may have exposed to the internet???
Using a firewall to limit access to your server to http, and https protocols would reduce the chances of a successful attack.
Related
I'm considering using remote OS authentication to connect to an Oracle database (version 11g). What are the guidelines for using [remote_os_authent]
Here's what I want to do:
We set up a catalog DB to used by RMAN to store metadata about Oracle databases.
I want to connect to the catalog DB via the local machine and execute this command for resync catalog db:
rman target sys/pass#localdb;
connect catalog catuser/password#catdb;
RESYNC CATALOG;
Is it possible for me to do this through oracle Enterprise Manager job?
(I did this process by calling the execute file, but the problem is that the passwords are clear in the executable file.)
I need it because I do not want user passwords to be available and visible.
I can't use oracle valet for passwordless connection.
Using remote os authentication is considered a bad habit because it is insecure.
If you want to have scripting without having to store passwords in a readable format to prevent leaking passwords, easiest is to use the oracle wallet for this.
This still keeps you busy maintaining passwords in the database and in the wallet but it is pretty safe.
Your connection would be something line sqlplus /#tns_alias
where the tns_alias is the key into the wallet that fetches the username and the password.
An example of setup can be found here: http://ronr.blogspot.com/2017/01/cleartext-userid-and-passwords-in.html
An other option could be to enable Central Managed Users (CMU) and kerberos. This does need quite a bit of setup and is less suitable for scripting. For interactive use it works very nice, assuming you have kerberos correctly setup.
An example of CMU setup can be found here: https://blog.pythian.com/part-1-creating-an-oracle-18c-centrally-managed-users-testbed-using-oracle-cloud-infrastructure/
Please change back remote_os_authentication to false. It is not safe because users can easily be spoofed.
I have a VB.NET application that utilises databases in an SQL server. I am currently testing the application on the same computer the server is hosted on.
I connect to the server through the following connection string...
("Data Source = " & Master.CurrentIP.Text & ",1433;Network Library=DBMSSOCN;Initial Catalog=ExcelDM;User ID=" & Master.CurrentUser.Text & ";Password=" & Master.CurrentPass.Text & ";")
"Master.CurrentIP.Text" refers to my public IP address and not my computer's.
Basically, everything works perfectly when I test the application on this computer. I am wondering if I can use this as a test for other computers joining or not. Should I host my server on something that isn't my computer?
To clarify, remote connections is enabled on the server and port forwarding (port # 1433) is open both incoming and outgoing through windows firewall and my router port forwarding settings. All TCP/IP options are open in the SQL configuration manager etc.
Based on your comments, I'd make the following assumptions:
You aren't holding any sensitive data, so security isn't a major concern
You are going to be running this on a LAN (local area network) and not over the web
If that's the case I'd suggest the following:
You are fine testing on your local machine - the connection will work the same over any protocol on local or remote, and given the small amount of data in a D&D campaign, you probably aren't going to be worried about performance even if your application is very chatty with SQL server
Put your connection information in the application configuration file, this is supported in .NET framework with some helper types like ConfigurationManager where you can access connection strings like so:
Config file:
<connectionStrings>
<add name="MyConnection" providerName="System.Data.SqlClient" connectionString="server=somehostname;database=Dungeons;uid=user;password=password" />
</connectionStrings>
c# code
string connectionString = ConfigurationManager.ConnectionStrings["MyConnection"];
See here for more details:
https://learn.microsoft.com/en-us/dotnet/framework/data/adonet/connection-strings-and-configuration-files
Since your friends probably don't want to mess with your SQL server and you are probably not joined to a windows domain, I'd say you are fine with putting secrets (user/pass) in the connection string in the configuration file
I'd not bother with what I said about Windows security - basically the users on the client machines would be used as credentials to the SQL database, this would be a bit more of a headache to configure if you aren't all joined to a domain rather than just embedding a SQL user/pass in the config
** Edit: **
Further to conversation, if you are writing an app that clients will be accessing over the web, using a direct SQL connection is not usually the best idea, but it can work if you can manage your clients/IPs.
Generally, opening your SQL server up to the internet is just asking to be attacked - and unless your SQL server is up to date, this can lead to the host machine being compromised.
At best it's an inconvenience, but if you are using that machine for anything other than D&D data, then you probably don't want someone snooping around on it.
In the case that you don't want to change your application architecture
You can whitelist your clients in SQL server/on the firewall. Since it's only friends (let's say 10-20 people?), you can manage their IPs without too much trouble.
This prevents the general internet from being able to access your server.
You could also use a VPN (either software or on your hardware if your router supports it). This also has the effect of putting your clients on your LAN essentially, removing the need for any firewall config apart from the VPN itself.
In the case you are interested in changing your app architecture
You can use a service based approach. This is what is generally used to secure web-based services - .NET framework supports this with WCF (Windows Communication Foundation).
This allows you to define service contracts that your server/client can adhere to.
The communication protocol/method itself is decided via configuration, so you can change what mechanism is used to communicate between client/server after-the-fact without having to change your application code.
This does require you to write a service layer though - you won't be able to directly access SQL from your client, but it could be a useful learning experience, especially if you are interested in doing work like this in the future.
Read about WCF here:
https://learn.microsoft.com/en-us/dotnet/framework/wcf/whats-wcf
There's also the REST based approach which sits down at the HTTP level, .NET framework can support this via ASP.NET web API.
https://dotnet.microsoft.com/apps/aspnet/apis
... so in short, there are a few options
I have a mssql 2005 and software (that written by visual basic 6) and the software connects to the mssql.(local)
but the problem is that the "sa" user password changes every day!
And the company that write this software does not give us the password.
And the windows authentication does not work and I think that they delete the windows user too.
I searched on the msdn and ... that i found in the LAN, packets from clients were encrypted in SSL type and sent to the mssql and in a specific packet it includes the username and password of the db, and if that user&pass is same with db user&pass it can be full access to db.
I used backtrack & metasploit but it use dictionary for attack but it did not help me .
I used wireshark for finding that specific packet , then i think i found it (99% I sure) but that packet has a lot of unclear characters and i could not find those.
do you think that if i use SSLSTRIP to make a fake certificate then use it between client and server (as a gateway) can i get that? How?
can I use single user mode to add any user to mssql? How?
You are totally approaching this from the wrong angle. You have a software package that goes at extra lengths to prevent access to your data. You problem is the vendor, ditch him. Use a different software, one that has a rational vendor behind it.
Here are the MSDN official, approved, methodology to regain access on a SQL Server that had locked out administrators: Connect to SQL Server When System Administrators Are Locked Out
Quick...
How to use Windows Authentication to SQL Server with the Mono SQL Client running on Windows without a username+ password in the connection string?
More...
We have to use Mono to support multiple platforms for some components of our app
This is an external limitation that we can't change
We will run the components that access the database only on Windows
The portability/OS-agnostic features of the Mono SQL Client add no value
That is, any component running on non-Windows will not access the SQL Server database
The process runs under some Windows user (real user, service account, whatever)
Embedding username and passwords is a bad thing
No matter what angle you come from
So, how can we enable the Mono SQL Client to read the NT Logon Token of the user running the process and pass this to SQL Server? Just like MS .net does?
Is there a flag or setting that isn't well documented
Do we need to implement our own extension?
If so, are we really the first folk to want to do this?
There are 5 other questions (currently) tagged Mono and SQL-Server: they don't answer this...
This is not as easy to accomplish as it sounds. As I'm sure you know, Mono SqlClient has support for NT authentication:
Has a connection string format for NT Authentication:
Server=hostname;Database=databaseName;User
ID=windowsDomain\windowsUserid;Password=windowsPassword;Integrated
Security=SSPI
But of course, you want the simpler form of Integrated Security=SSPI and let the NT authentication handshake use the current process credentials. And here lies the problem. While trivial to retrieve the current process user name (identity), is impossible for a process to discover it's own credentials password. When doing NT authentication an Windows process does not actually do the authentication, but instead is asking the Locas Security Authority (aka. LSASS.EXE, trivia: don't attach a debugger to it ;) ) to authenticate this process. Which means that any library that wants to achieve the same must use the same protocol, ie. ask LSA to authenticate it. The actual details, for the curious, are in the sequence of AcquireCredentialHandle, InitializeSecurityContext, AcceptSecurityContext as described in Using SSPI. I did not study the mono source for SqlClient, but I'm pretty sure they use some GSS-API library for the authentication, not SSPI. therefore, by definition, they require to know the password since they are going to do the Kerberos exchange themselves, not ask LSA to do it on their behalf.
This is, as you can tell, speculation and more of a guess on my side, but I would be surprised to hear a different story. While it is certainly possible to fork or patch Mono.Data.Tds and
modify the authentication implementation to use SSPI instead of GSS, this would, by definition, be a non-portable Windows specific implementation. I would guess there is little incentive for it given that the #1 attraction point of Mono is that is not Windows specific. I'm afraid you are going to have to implement it on your own.
Use NTLM Authorization Proxy Server and connect to SQL Server through the proxy.
I guess everything is possible but I am wondering how easy is it for someone to hijack a connection string with a network packet analyzer or equivalent tool.
A winforms application fetches data directly from an MSSQL server.
(Supposing there are no webservices in the middle for extra protection)
1) Is it possible for someone with an analyzer to read the connection string as clear text?
2) The connection string could be protected with an SSL certificate?
3) The SSL certificate should be installed on the SQL server?
4) I already own an SSL certificate https Could I install it also for the SQL server?
5) The speed of the the return data, will be reduced due to SSL?
Thanks in advance
Yes. If they're on the same network as the packet sniffer (henceforth "the sniffer") and the connection string is in plain text it's easy. Using a switch instead of a hub will not make it any harder to do this.
still possible using a man-in-the-middle attack. Channel binding is designed to detect and prevent this, along with careful examination of the certificate received by the client. Client certificates would help strengthen this as well
yes it should
as long as the host name matches the sql server exactly it should work, otherwise you'll need a new cert.
it probably will reduce the speed but not by much. Benchmark it and see if the slowdown still gives acceptable performance; there's no other way to predict the impact with any degree of reliability.
One other thing: if the connection string is encrypted I can still analyze the packet to find your server's location and if the data being passed back and forth isn't encrypted I can still read it even if I can't connect to the sql server. I can also potentially modify it. This is why it's unusual for a SQL connection to exist over the internet and why it's usually either connecting to a DB on the same server, connecting via a local network, connecting via a VPN, or encrypting the whole data stream.
If it isn't encrypted, it can be read, yes. Note that the SQL Native Client may often perform a non-SSL based encryption (depending on lots of factors), but yes, it can also be encrypted with SSL; see technet. And yes, it slows things down slightly. The requirements for the certificate are all in the technet article. But please don't expose your db server to the internet...