encrypt vs. Integrated Security vs. Persist Security Info

Dino Buljubasic

Can somebody explain this to me, please? This is what I read in one
article:

Protect the Credentials for SQL Server Authentication

If you must use SQL Server Authentication, make sure the credentials
are not sent over an unencrypted channel in plain text. You must also
encrypt the database connection string before storing it, because it
contains credentials. To secure the connection string, use DPAPI.

To enable SQL Server to automatically encrypt the credentials sent
over a network, install a server certificate on the database server.
Alternatively, use an IPSec encrypted channel between Web and database
server.

Now, I know of 3 properties in connection string:
1. encrypt - which requires SSL Certificate installed on SQL Server
2. Integrated Security or Trusted_Connection - which when set to true
uses Windows account credentials for authentication. When set to
false, user id and password are specified in connection string
3. Persist Security Info - which set to false does not provide
sensitive info such as user id and password

My question is how much that number 3 protects my connection string
properties (such as user id and password) from sniffing if at all and
if not, what is the real purpose of this property?

Thank you
Dino
 
William (Bill) Vaughn

#3 simply protects the ConnectionString from being "sniffed" by other parts
of your application that have access to the Connection object--even
indirectly. Once set, the ConnectionString no longer includes the security
credentials--it's kept behind the scenes so ADO can use it, but it's not
exposed by inspection.

hth

--
____________________________________
William (Bill) Vaughn
Author, Mentor, Consultant
Microsoft MVP
www.betav.com/blog/billva
www.betav.com
Please reply only to the newsgroup so that others can benefit.
This posting is provided "AS IS" with no warranties, and confers no rights.
__________________________________
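
Added example, not part of either post above: a small C# check that reads the three properties from the question out of a connection string and reports which concern each one leaves open (at-rest storage, transport, in-process exposure). It assumes System.Data.SqlClient is referenced; the class name, the finding texts and the sample strings are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Data.SqlClient;

static class ConnectionStringAudit
{
    // Returns one finding per weakness among the three properties discussed in the thread.
    public static List<string> Audit(string connectionString)
    {
        // The builder resolves synonyms (Trusted_Connection, UID, PWD) and fills in defaults.
        var b = new SqlConnectionStringBuilder(connectionString);
        var findings = new List<string>();

        if (!b.IntegratedSecurity)
        {
            // SQL Server Authentication: the credentials are part of the string itself.
            if (!string.IsNullOrEmpty(b.Password))
                findings.Add("at rest: password is in the string; encrypt the stored string (e.g. DPAPI)");
            if (!b.Encrypt)
                findings.Add("transport: Encrypt is not set; use a server certificate with Encrypt=true, or IPSec");
        }
        // Persist Security Info only controls what ConnectionString returns after Open();
        // it has no effect on what travels over the network.
        if (b.PersistSecurityInfo)
            findings.Add("in process: Persist Security Info=true leaves the password readable from the Connection object");
        return findings;
    }

    static void Main()
    {
        // Constructed samples; server, database, account and password are placeholders.
        var samples = new[]
        {
            "Server=db.example.test;Database=Shop;User ID=app;Password=placeholder;Persist Security Info=true",
            "Server=db.example.test;Database=Shop;User ID=app;Password=placeholder;Encrypt=true",
            "Server=db.example.test;Database=Shop;Trusted_Connection=yes;Encrypt=true",
        };
        for (int i = 0; i < samples.Length; i++)
        {
            var findings = Audit(samples[i]);
            Console.WriteLine("sample {0}: {1} finding(s)", i + 1, findings.Count);
            foreach (var f in findings) Console.WriteLine("  - " + f);
        }
    }
}
```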