Is the data exchange on connection from client to server sent as plain text over the wire?
Problem
I have a new SQL Server 2019 on-premises instance. Assuming the client is the SQL Server Management Studio or any other application:
- When the client connects to the server using SQL Server authentication, does the connection request go from the client to the server as plain text? In other words, are the authentication credentials exposed (plain text) over the wire? In other words, can an attacker see the username/password on the wire? MSDN doc (https://learn.microsoft.com/en-us/learn/modules/configure-database-authentication-authorization/3-describe-authentication-identities) says:
Active Directory authentication is considered to be more secure
because SQL Server authentication allows for login information to be
seen in plain text while being passed across the network.
- Subsequent to the authentication, and assuming TLS is not configured, is the query (example: SELECT) and its output visible as plain text over the wire?
Solution
Are the SQL authentication credentials exposed over the wire?
No, login traffic is always encrypted over the wire. From this documentation page:
SQL Server always encrypts network packets associated with logging in.
If no certificate has been provisioned on the server when it starts
up, SQL Server generates a self-signed certificate which is used to
encrypt login packets.
I understood "exposed" to mean not encrypted, exposed as plain text over the wire. The documentation link above addresses the larger security questions about using self-signed certificates:
By default, encryption of all network traffic for a connection requires that a certificate be provisioned on the server. By setting your client to trust the certificate on the server, you might become vulnerable to man-in-the-middle attacks. If you deploy a verifiable certificate on the server, ensure that you change the client settings about trust the certificate to FALSE.
Run a trace of network traffic and you will never see SQL login credentials in clear text.
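An added check, not part of the original answer, for the second half of the question: login packets are always encrypted, but whether the queries and result sets that follow are encrypted is a per-connection property, and the standard DMVs sys.dm_exec_connections and sys.dm_exec_sessions report it (VIEW SERVER STATE permission is assumed; a net_transport of 'Shared memory' is a local-only connection that never crosses a wire).

```sql
-- Added example (not from the original answer): find live sessions whose
-- post-login traffic (queries and results) travels unencrypted.
-- encrypt_option is TRUE only when the whole session is TLS-protected,
-- i.e. the server forces encryption or the client asked for Encrypt=True.
SELECT
    c.session_id,
    s.login_name,
    s.program_name,
    c.net_transport,        -- TCP, Named pipe or Shared memory
    c.auth_scheme,          -- SQL, NTLM or KERBEROS
    c.encrypt_option,       -- TRUE / FALSE for the session as a whole
    c.client_net_address
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions    AS s ON s.session_id = c.session_id
WHERE c.net_transport <> 'Shared memory'   -- local-only, never on the network
  AND c.encrypt_option = 'FALSE'           -- login encrypted, everything after it is not
ORDER BY c.session_id;

-- Sanity check for the connection you are running this from:
SELECT c.net_transport, c.auth_scheme, c.encrypt_option
FROM sys.dm_exec_connections AS c
WHERE c.session_id = @@SPID;
```

Any TCP or named-pipe session that appears in the first result set is one where a network capture would show the SQL text and rows in clear, so the remediation named in the quoted documentation applies: provision a verifiable certificate, force encryption on the server or set Encrypt=True on the clients, and leave the client's trust-server-certificate setting off.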
Context
StackExchange Database Administrators Q#306116, answer score: 11