APP135: Database Password Protection in Transit.

Does the application enable/implement a secure protocol (e.g., SSL) to protect database passwords in transit?

Guidance: Database connection strings containing passwords must be encrypted in transit when the application and the database are not running on the same platform. In general, most database systems support a secure protocol (e.g., SSL/TLS) for this purpose. When a secure protocol cannot be enabled or applied, IPSec or other secure protocol can be considered as a last resort for host-to-host encryption.

  • JE

    As recommended by Microsoft (Protecting Connection Information - Microsoft Docs), connection strings should use Integrated Security. By selecting this option, there is no need to specify, save or transmit database passwords. The following is an example of a connection string using Integrated Security:

    Provider=SQLOLEDB.1;Integrated Security=SSPI;Persist Security Info=False;
    Initial Catalog=QuickView;Data Source=SRV01

    Please note that for the above connection string:

    • There is no SQL Server user ID or password to be saved or transmitted.
    • The Data Source parameter is the name of the SQL Server to which the application server will connect.
    • Save the connection string to the QuickView.udl file in the program directory on the server.

    Additional References: Databases
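The following is an added example, not part of the ticket or JE's reply: a small Python checker that parses a SQL Server style connection string and flags the points APP135 and the reply above are concerned with (an embedded password, SQL rather than integrated authentication, and no encryption requested). It recognises the SqlClient `Encrypt` keyword and the SQLOLEDB `Use Encryption for Data` keyword; the three sample strings in the block are constructed for illustration.

```python
import re

# Keyword spellings the checker recognises (SqlClient and SQLOLEDB).
PASSWORD_KEYS = ("password", "pwd")
ENCRYPT_KEYS = ("encrypt", "use encryption for data")
TRUE_VALUES = {"true", "yes", "sspi", "mandatory", "strict"}


def parse_connection_string(conn_str: str) -> dict:
    """Split 'Key=Value;Key=Value' into a dict keyed by lower-cased names.

    Tolerates whitespace and line breaks around separators (as in the
    wrapped string quoted above) and unwraps values in '', "" or {}.
    """
    parsed = {}
    for part in re.split(r";\s*", conn_str.strip()):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        key = re.sub(r"\s+", " ", key.strip().lower())
        value = value.strip()
        if len(value) >= 2 and value[0] in "'\"{" and value[-1] in "'\"}":
            value = value[1:-1]
        parsed[key] = value
    return parsed


def _is_true(kv: dict, *keys: str) -> bool:
    return any(kv.get(k, "").strip().lower() in TRUE_VALUES for k in keys)


def check_connection_string(conn_str: str) -> list:
    """Return findings for one connection string; an empty list is clean."""
    kv = parse_connection_string(conn_str)
    findings = []
    if any(kv.get(k) for k in PASSWORD_KEYS):
        findings.append("password embedded in connection string")
    if not _is_true(kv, "integrated security"):
        findings.append("SQL authentication: a credential is sent on each connect")
    if not _is_true(kv, *ENCRYPT_KEYS):
        findings.append("encryption in transit not requested")
    if _is_true(kv, "trustservercertificate"):
        findings.append("TrustServerCertificate=True skips server certificate checks")
    if _is_true(kv, "persist security info"):
        findings.append("Persist Security Info=True keeps the password readable")
    return findings


if __name__ == "__main__":
    # Constructed samples: the string from the reply above, then a weak one.
    for s in ("Provider=SQLOLEDB.1;Integrated Security=SSPI;Persist Security Info=False;\nInitial Catalog=QuickView;Data Source=SRV01",
              "Server=SRV01;Database=QuickView;User Id=app;Password=hunter2;Encrypt=False"):
        print(s.replace("\n", " "), "->", check_connection_string(s) or "clean")
```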

January 21, 2021 05:49 PM