Wednesday, September 16, 2009

SQL Network (Transport) Level Encryption. (TDS)

By default, Microsoft SQL connections only encrypt the login credentials. Everything else can be sniffed right off the wire. Sql 2008 (and some earlier versions) allow you to do encrypted SQL connections pretty easily. Here is how.

You will need:
Sql server (well duh!)
A certificate server or "MakeCert".
On Windows server 2008, "WinHttpCertCfg".

MakeCert is a tool to "easily" make a self-signed certificates without installing a full Certification Authority. It is part of the Windows SDK available from here. I am on XP, but downloaded the Windows Vista version, Ran Setup and DE-selected all of the items except for the SDK. Total download size was about 18mb.

Since my SQL Server is Windows 2008, I also needed WinHttpCertCfg. This tool is needed on Server 2008 to set permissions for the Private Key. More on that in a second. That is available here.

So, lets get to work.

First, you need your database server's FQDN. This is the windows FQDN, not your internet FQDN. Right-Click "Computer" or "My Computer" and write down the "Full computer name:" On Server 2008 this is on the "System" pane. On prior versions of windows this is on the Computer Name tab.

Next you get to make your certificate. If you have a domain CA, go request a computer certificate, install it, and skip down to the "Assigning permissions to the service account" step. If you don't have a CA, we can use MakeCert.

The command for makecert is:
C:\Program Files (x86)\Windows Resource Kits\Tools\makecert -r -pe -n "" -b 01/01/2000 -e 01/01/2036 -eku -ss my -sr localMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 c:\MyCertificate.cer

The certificate will be saved to c:\MyCertificate.cer.

Now we import the certificate to the Local Machine's Personal store.
Start -> Run -> MMC.
File -> Add/Remove Snap-in -> Certificates -> Add -> Local Computer -> Next -> Finish -> Ok.
Expand Certificates and Right-Click the "Personal" Store. Select "Import".
Browse to c:\MyCertificate.cer -> Next. There is no password -> Next -> finish.

Almost Done. Now we need to give the SQL service account permissions to the private key of the Cert.
Pop open your command prompt and run this command. You need to substitute the appropriate Server FQDN ( and the SQL Service account. (SqlServiceAccount).

C:\Program Files (x86)\Windows Resource Kits\Tools\winhttpcertcfg.exe -g -c LOCAL_MACHINE\My -s -a SqlServiceAccount

Next, Enable the Sql Encryption.
Start -> All Programs -> Microsoft SQL Server 2008 -> Configuration Tools -> Sql Server Configuration Manager.
Expand "Sql Server network Configuration" and Right-click Protocols for MSSQLSERVER. Select Properties.
On the Certificate tab, Select the certificate.
On the flags tab, Select "Force Encryption=Yes"
Click ok.
Click ok to close the warning message.

Finally you need to restart the SQL Server service.

Viola! Network Encryption is done.

MS KB316898 is the reference for this topic.

For the record, this is a "weak" security measure. It only does encryption. It still can be defeated with a man-in-the-middle attack, because SQL doesn't verify the certificates.

Elizabeth Greene