Hi all.
The new feature of login encryption still tortured me and my company's fellow :(
We can't use the server's profile nor server's login audit functionality.
The reason is.. they do not want any additional feature to the server even if it's just a small task.
So..
I know that self signed certi generated whenever the MSSQL server started. My question is..
1. Where is that self-signed certification. Is it loaded to memory or physical hard disk.
2. Is there any special 'store' for this self-signed certification?
I tried to find this certi from all of my store using the certutil.exe but couldn't find this certi.
3. Is there any api that find and decrypt this login info?
Thank you.
The answer to 3 is No. Why would you even need that unless you're trying to eavesdrop on server communication?
Thanks
Laurentiu
Yes, I know it's kind of sensitive question.
But, I can tell you, If you would like to develop the 3rd party product like us, there's something that opposed the mssql rule.
B/R
Hopi
I agree with Laurentiu; trying to work around any security protection around the login process should raise a red flag, even if your intentions are benign.
I would like to know more about how you are planning to use the login information you are attempting to capture. It may be possible that there are better mechanisms available in SQL server to help you in the task you need to perform, without writing an application that can be clearly misused.
Thanks a lot,
-Raul Garcia
SDE/T
SQL Server Engine
|||Hmm.. ok. I agree.
We already develop the auditing program that completely audit all information regarding login / querys / rpc. But it works only MsSQL 2K and not encrypted data. Of course, the audit server is located in the LAN where the SQL server located but not the same machine because if we use audit functionality that supported by sql, (like profile) it must be heavy stress to the machine itself. - our product works with the server that handle over 15000 qps(query per second).
The all information (include login information) is used to audit the server and our viewer can show that information. example.. user logged in and querys some information and quit. You can view this information in real time and also viewed later. That information showed who logged in when and what querys string he excute and what rpc that user used..
Yes, we still can't decrypt the login information that used in MSSQL 2005. So our product still couldn't support MsSQL 2005 either.
if you need any information, I'll send the information about our product directly to your e-mail.
B/R
Hopi
Above all, I need the option that turn on and off encryption login info.
I wish, the next sp or patch include this option :(
B/R
Hopi
Given the case that you have some control over the environment, you can try forcing your users to switch to the old (SQL Server 2000) client to connect to SQL Server 2005. The new protection is only available on the new version of the client, and the old clients will still work on SQL Server 2005.
I have to emphasize that I strongly recommend against using such environment because an attacker can capture all traffic (including the login information) the same way you are.
I also recommend reading the information available for encrypting connections to SQL Server 2005 in books on line http://msdn2.microsoft.com/en-us/library/ms189067.aspx.
-Raul Garcia
SDE/T
SQL Server Engine
No comments:
Post a Comment