Secure access between IIS and SQL Server - asp.net

The environment setup has an ASP.NET webservice on IIS 6 connecting to a SQL Server over the network.
I am trying to understand whether it's possible to secure the calls between IIS and SQL Server 2008. Is it possible? Is it something along the lines of SSL?
Thanks for reading!

If you still want to after Pierreten's answer...
Yes, you can enable SSL Encryption for all SQL Server connections.
SQL Server SSL Encryption, server side, is described here. And in KB 316898 too
"Server side" requires only a server certificate and all connections are encrypted
"client side" requires client certs and is optional, and only for that client
Certain client libraries (notably MS JDBC) do not support server side, so you may invalidate your host's monitoring (this has happened to me a time or 2)
a blog entry too
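
One way to apply and verify the SSL encryption described in the answer above, as an added example (not code from the original post): the client requests encryption with certificate validation, then asks the server whether its own session is actually encrypted. The host name `sqlhost.example.internal`, the database `AppDb` and the class name are placeholders, and the login is assumed to hold VIEW SERVER STATE.

```csharp
using System;
using System.Data.SqlClient;

// Added example: open an encrypted connection and confirm it from the server's side.
static class EncryptedSqlCheck
{
    // Builds a connection string that demands encryption and validates the
    // server certificate. Server and database names are placeholders.
    public static string BuildConnectionString(string server, string database)
    {
        var builder = new SqlConnectionStringBuilder
        {
            DataSource = server,            // must match the name in the server certificate
            InitialCatalog = database,
            IntegratedSecurity = true,      // Windows authentication, no password in config
            Encrypt = true,                 // client asks for encryption even if the server does not force it
            TrustServerCertificate = false  // fail the login if the certificate does not validate
        };
        return builder.ConnectionString;
    }

    // Returns the server's view of this session: "TRUE" or "FALSE".
    // Assumption: the login has VIEW SERVER STATE, which this DMV requires.
    public static string GetEncryptOption(string connectionString)
    {
        const string sql =
            "SELECT encrypt_option FROM sys.dm_exec_connections WHERE session_id = @@SPID";
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            conn.Open(); // throws SqlException if the handshake or certificate validation fails
            return (string)cmd.ExecuteScalar();
        }
    }

    static void Main()
    {
        string cs = BuildConnectionString("sqlhost.example.internal", "AppDb");
        string option = GetEncryptOption(cs);
        Console.WriteLine("encrypt_option = " + option);
        if (!string.Equals(option, "TRUE", StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException("Connection to SQL Server is not encrypted.");
    }
}
```

With `TrustServerCertificate = false`, a self-signed or name-mismatched server certificate makes `Open()` fail rather than silently falling back, which is the behaviour you want when checking that the server certificate is installed correctly.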

Assuming your SQL box is on the same network as your IIS box hosting the service, and both are tucked away behind a firewall, there's no need for that extra security.

If both machines are in the same domain, an efficient and easy to manage way to secure the link is by using IPsec.

Related

Establishing a constant HTTPS connection between server and client using IIS

I have a single Windows application (.NET) serving as a server and communicating with the database. I also have client Windows applications (.NET) which communicate with the server application. Pretty standard so far.
As of now, I am using the IP address of the server, say "192.168.1.114", which I enter in my client software to establish the link. For instance, "http://192.168.1.114".
Now, I am trying to change that connection to HTTPS. Is there any way I can do that without actually changing the codebase? (I don't have the source code)
Any IIS certificate? Require SSL? Machine Key? Binding? Anything! I just want those packets to not be transmitted with regular HTTP.
Thank you so much, dear Community.

WCF security when trusted bunch of client/servers communicating over internet

I have some dedicated servers running ASP.NET applications over internet. All servers are fully trusted (all belongs to the same company) and need to communicate to each other in a secure way. They are not part of a domain or work group and should not be.
Each server acts as both client and server of some WCF services. These services are few (1-2 per server) and light (a little data is transferred on each call).
I can use self-signed SSL certificates or X509. I'm looking for some way to make sure nobody from internet can call a WCF service on a server. New server would be added in the future.
I read about WCF but now I'm confused, is it good idea to use self-signed SSL certificates or not (non self-signed is not an option at the moment), which binding to use, which security mode to use, which authentication method to use...
I need some hints to start (please provide a link to a sample).
I would use a certificate-based authentication where both client and server are authenticated.
To make things more secure, do not use self-signed certificates.
If your company already has a certificate server: issue certificates to each of your servers and specify as an authentication configuration that both client and services need to present a certificate issued by your certificate server.
WCF security is a big topic, but there are some other non-WCF specific ways you can secure the service:
Use IP SEC to secure the communication channel
Use IP whitelists to grant / deny access to the port that the WCF endpoints operate on
Use a VPN Solution (particularly convenient if your company already has a site to site VPN)

Could not open a connection to SQL Server

I have problems connecting to my database server. The database server is not local, I am connected via its IP address.
It works fine in my development machine. After publishing the website to my server, it can not connect to my database server.
A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: Named Pipes Provider, error: 40 - Could not open a connection to SQL Server)
Why can't my publish server connect to the database server, whereas it works fine through the development machine?
I often had that problem. Mostly it's because of two problems.
Open the SQL Server Configuration Manager.
Check if the SQL Server Network Configuration supports TCP/IP, if it's disabled, enable it.
e.g. SqlServer 2005 Network Configuration, Protocols for SQLEXPRESS
Open the SQL Server Management Studio
Click on the Sql Server Properties (right click on the server name and select properties).
After that, select the page "Security" and switch the check to "SQL Server and Windows Authentication mode".
That's all.
I'll attempt to go two for two on the psychic debugging for today...
I will assume that you are not using integrated security? If so it might explain things as the account on your local machine probably has permissions, but the SYSTEM account that is running on the server does not. Just a shot in the dark though.
It sounds like your server can't make the network connection, rather than a security issue.
Ensure that any firewalls on both the DB and app servers allow traffic on the port (1433).
Ensure you're able to ping or tracert from both machines.
Is it the first time you have published your website on the web server? If it is, are you sure you have set your connection string properly?
You need to create a login (of course a password for that too) and the IP address of that SQL Server on the web server.
So you need the IP address of the SQL Server host, database name, UId, Pwd.
I will agree that this sounds like a network issue and not a security issue.
Remote into the web server and ping the DB server by IP address. If this does not work, your server cannot see the DB server via that address (different subnet, incorrect firewall/proxy setup, etc). There may be a proxy address you must use to get to the DB server from the web server, or your web server may also be the gateway and IIS doesn't know to look for the DB server on the LAN. If it does work, the computers may not be talking on the same port, or the firewall may be blocking that port exiting the web server.
I have spent hours trying to connect to SQL Server using sqlcmd. I disabled my firewall, checked all IPs listed in "Protocols for SQLEXPRESS", edited my hosts file. I tried using different IPs and machine names to connect to the server. But none of them worked. After hours of investigation, I found out that I made an absolutely stupid blunder making me unable to connect.
I want to remind people that the connection string is not case sensitive. But the option is!!
What I did is I put
sqlcmd -s .\sqlserver
But the correct string is
sqlcmd -S .\sqlserver
So watch out, people.

Make SQL Server 2005 accessible via Internet

I have an application that runs on a client's server built on a SQL Server 2005 database.
We have now developed an ASP.NET v2 application which connects to this database. This web application will be hosted on an ISP's server but needs to access the SQL Server database on the client's server.
The client's server has a firewall and so forth, so I assume it should be possible to make the SQL Server accessible via the Internet, but of course I am worried about security. Can someone point me to some best practices to achieve this?
Can you develop a web service to run on the client's server? You probably want to avoid opening SQL Server to the world.
Best practice: DO NOT DO IT. Let's leave security concerns aside - the IP delay will significantly slow you down. Try it out first, but the large ping times MAY be terrible for you.
That said, all you normally have to do (not assuming reconfiguration) is to allow:
* The server somehow to be reached
* On Port 1433 (default port).
Use a VPN or IPSEC to secure traffic and make sure that "accessible through the internet" is not "accessible for every idiot out there". The ISP admin should be able to help you, or the customer's admins. But I would not do it - the performance may not be to your liking. Test performance out first.

Is SSL set on a per machine or per connection basis

Is it possible to have an FTP server using SSL on an application server that does not use SSL?
How would you set up ASP.NET 2.0 to consume an SSL certificate?
This certainly sounds possible but is it advisable, is it good practice?
The choice on using SSL is made on a per connection level, usually determined by the IP port being used (i.e. will be set up between client and server before any application code is involved).
The same service/content could be set up on multiple ports each with a different choice for SSL.
The certificate is per host name, but servers can generally support appearing under different names.
To use SSL with ASP.NET takes nothing special, it just works once the IIS web site is configured to support SSL (or to require it: when connections to port 80 for HTTP are redirected to the SSL port); this choice can be made on a per folder basis.
FTP is at the application layer, and SSL is lower, at the presentation layer. The SSL sessions are on a per connection basis. Take a look at the Wikipedia page. The SSL connection is established before anything happens with your application. Your FTP server probably isn't running inside your .NET application server, is it? You should be able to setup an SSH server listening for SCP connections separately. If it really does run from inside your app server, you should be able to listen on a separate port for the SSL connection.
Short of any of that, here's a good link for configuring SSL in IIS. You don't have to make the certificates mandatory. That way you can allow unsecured traffic and secure traffic if that fits in with your application model.
While protecting an application with SSL is always a good idea, it is technically not trivial.
Having a web application protected with SSL requires the webserver to be reachable on a new port (443/https instead of 80/http). This has to be configured "system-wide". Also, there may be only one certificate per IP-address, which is often a problem when hosting multiple domains on the same server.
