
I am planning to make a VB.Net application that is hard coded to access an MS SQL database hosted remotely on a web server. Is there a way for someone using some packet sniffing (I think it is called) program on the client PC to somehow know what password was used to access the database? I don't need to know how it is done, I just need to know if it can be done so that I know if my approach is safe enough.

Thanks!

Osprey

2 Answers


If you only care about protecting the login to the database, then you're OK, according to this MSDN article:

Credentials (in the login packet) that are transmitted when a client application connects to SQL Server are always encrypted.

But if you also care about protecting the data, then you should read the rest of the above MSDN link to learn about enabling SSL to protect the rest of the data stream.

Note also this older article which gives a caution on using an ODBC connection (rather than the native type). I doubt you would be doing that, but just thought I'd mention it.

explunit
  • Thanks. I am not concerned about the user seeing the data that is being transmitted back and forth since that information is pretty much known to the user. What worried me is that through some readily available software, a user could see the connection string which would enable him/her to see other database information that he/she is not entitled to (such as other users' data). That said, I am not expecting people to invest too much effort in trying to get the data (no military secrets here). So that answers my question! :) – Osprey May 09 '13 at 05:56
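The answer above turns on two SqlClient settings: the login packet is always encrypted, but the rest of the stream is protected only when the connection string asks for it. The following is an added example (not code from the answer or from .NET) that parses an ADO.NET connection string and flags the weak settings a reviewer would look for. `Encrypt` and `TrustServerCertificate` are real SqlClient keywords; the parser and audit functions are hypothetical helpers, and `db.example.com` and the sample strings are constructed placeholders.

```python
"""Audit a SqlClient (ADO.NET) connection string for the two points raised in
the answer above: whether the data stream is encrypted and whether a SQL login
password is baked into the string.  Added example; the parser and audit are
hypothetical helpers, not part of .NET."""

TRUE_VALUES = {"true", "yes"}


def parse_connection_string(cs):
    """Split 'Key=Value;Key=Value' into a dict with lower-cased keys.
    A value wrapped in single or double quotes may contain ';' (SqlClient
    allows this), so quotes are tracked instead of splitting blindly."""
    pairs, parts, buf, quote = {}, [], [], None
    for ch in cs:
        if quote:                      # inside a quoted value
            if ch == quote:
                quote = None
            else:
                buf.append(ch)
        elif ch in "'\"":
            quote = ch
        elif ch == ";":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    for part in parts:
        if "=" in part:
            key, _, value = part.partition("=")
            pairs[key.strip().lower()] = value.strip()
    return pairs


def audit_connection_string(cs):
    """Return a list of findings (an empty list means nothing to flag)."""
    kv = parse_connection_string(cs)
    findings = []
    # Only the TDS login packet is encrypted by default (System.Data.SqlClient
    # of the period); Encrypt=True is what protects the queries and results.
    if kv.get("encrypt", "false").lower() not in TRUE_VALUES:
        findings.append("Encrypt is not True: only the login packet is encrypted, "
                        "query text and results cross the network in clear text")
    # TrustServerCertificate=True accepts any certificate, which defeats the
    # point of TLS against an active attacker on the path.
    if kv.get("trustservercertificate", "false").lower() in TRUE_VALUES:
        findings.append("TrustServerCertificate=True: server certificate is not validated")
    # A password in the string ends up as a literal in the compiled exe.
    if "password" in kv or "pwd" in kv:
        findings.append("SQL login password embedded in the connection string: "
                        "it ships inside the exe and can be read back by decompiling it")
    return findings


# Constructed sample strings; db.example.com is a placeholder host.
WEAK = "Server=db.example.com;Database=AppDb;User Id=app;Password=hunter2"
HARDENED = ("Server=db.example.com;Database=AppDb;Encrypt=True;"
            "TrustServerCertificate=False;User Id=app")   # password supplied at run time

if __name__ == "__main__":
    for name, cs in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_connection_string(cs) or "no findings")
```

The hardened string carries no password on purpose: the application should obtain it at run time (a prompt, or a per-user credential) and add it to the string in memory, so that nothing recoverable from the exe grants access to other users' data.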

From a client machine, it is unlikely that your database information can be sniffed. However, if your application "leaks" information, it is possible for an outsider to get sensitive information about your database. For example, if you have the CustomErrors parameter set to "Off", and your database is inaccessible for any reason, users may see your database's address and can then proceed to attack it using brute force or known exploits. There are other ways you can leak sensitive information; this is just one example.

In general, it is not ideal to have your database open to the internet -- it is generally advised that your database be behind one (or two, in the case of a DMZ) firewalls. If you can control this, you should move it somewhere more secure. Otherwise, even without your application leaking its address, a port scanning "war dialer" will eventually find it and alert the "bad guys" to its existence.

mikey
  • Thanks for the information. I realize that a sufficiently motivated hacker would find a way to hack into my data. However, we are not talking about very sensitive data that would give someone enough motivation to put much effort in. My worries are with some readily available, easy to use app that could quickly reveal the connection string being used by my app and giving access to the whole data. – Osprey May 09 '13 at 06:00
  • The web.config is pretty well protected by the framework, but I believe there was a vulnerability at one point which would allow attackers to view it remotely. You could look into encrypting your connection string, which can secure it a bit more. – mikey May 09 '13 at 13:12
  • Since this is a compiled exe application it won't need a web.config file. Thanks for the tip though! :) – Osprey May 10 '13 at 05:36
  • Oh, in that case, it can be easily decompiled, revealing everything (username, password, address, etc.) about the database (I urge you to try it with the demo version of .NET Reflector). – mikey May 10 '13 at 23:35
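The last comment is the point a developer shipping a compiled exe most needs to check before release: a string literal compiled into a .NET assembly is stored in the assembly's #US heap as UTF-16LE text, so a hard-coded connection string can be read straight out of the file, with or without a decompiler. The following is an added example (not from the thread or any .NET tool) of a build-time check that scans your own exe for literals containing a SqlClient password keyword. The scanner and the byte sample standing in for an assembly are constructed for this example; the sample is not a real PE file, it only reproduces how the literals are laid out.

```python
"""Check a compiled .NET exe for credential-looking string literals.  Added
example, not from the answer above.  .NET stores string literals in the
assembly's #US heap as UTF-16LE, so a scan for runs of UTF-16LE text finds a
hard-coded connection string without a decompiler.  The scanner and the
sample bytes are constructed for this example."""

import re

# A run of at least 8 printable ASCII characters encoded as UTF-16LE
# (each character is its byte followed by 0x00).
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")
# SqlClient password keywords: 'Password=' or its alias 'Pwd='.
CRED_KEY = re.compile(r"\b(password|pwd)\s*=", re.IGNORECASE)


def find_utf16_strings(data):
    """Return every UTF-16LE text run of 8+ characters found in data."""
    return [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(data)]


def find_embedded_credentials(data):
    """Return the string literals that carry a SqlClient password keyword."""
    return [s for s in find_utf16_strings(data) if CRED_KEY.search(s)]


def scan_file(path):
    """Scan a file on disk (e.g. your release build) for embedded credentials."""
    with open(path, "rb") as f:
        return find_embedded_credentials(f.read())


# Constructed stand-in for an assembly: junk bytes around two UTF-16LE literals.
# Not a real PE file; it only reproduces how the literals are laid out.
SAMPLE_ASSEMBLY = (
    b"MZ\x90\x00" + bytes(range(256)) + b"\x00" * 16
    + "Server=db.example.com;Database=AppDb;User Id=app;Password=hunter2".encode("utf-16-le")
    + b"\x00\x00" + b"\xff\xfe\x13\x37" * 8
    + "Connection failed".encode("utf-16-le")
)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_ASSEMBLY
    for s in find_embedded_credentials(data):
        print("credential literal:", s)
```

Run it against the built exe (`python scan.py MyApp.exe`) as a release gate; a non-empty result means the password is in the binary and the connection string should be assembled at run time instead. The scan is the same heuristic as `strings -e l` on a Unix host, with the password keyword filter added.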