Block unencrypted ODBC connections to SQL Server

I recently enabled encrypted connections to one of my SQL Server instances. I have software that must connect to this instance through a DSN ODBC.

The database is on a W10 PC and the client is a W11 PC.

I want the data the client sends to the server and the data the server sends to the client to be encrypted. Following Microsoft's official guide (I leave the link below), I managed to configure the connection, but I saw that if I create a new ODBC connection without the "Use strong encryption for data" flag I can still read and write data to the database. In my opinion, anyone can then connect to the database even without the certificate, which makes no sense.

How can I block/prevent PCs that do not have the certificate installed from connecting to the database?

https://learn.microsoft.com/en-us/sql/database-engine/configure-windows/enable-encrypted-connections-to-the-database-engine?redirectedfrom=MSDN&view=sql-server-ver16

Data will be encrypted using the server's certificate regardless of the client ODBC DSN setting "Use strong encryption for data" when Force Encryption is set on the database server. Below is an excerpt from the ODBC driver documentation.

+-----------------+--------------------------+-------------------------+---------------------------------------------------------------------------------------------------------------------+
| Encrypt Setting | Trust Server Certificate | Server Force Encryption |                                                       Result                                                        |
+-----------------+--------------------------+-------------------------+---------------------------------------------------------------------------------------------------------------------+
| No              | No                       | No                      | Server certificate isn't checked. Data sent between client and server isn't encrypted.                              |
| No              | Yes                      | No                      | Server certificate isn't checked. Data sent between client and server isn't encrypted.                              |
| Yes             | No                       | No                      | Server certificate is checked. Data sent between client and server is encrypted.                                    |
| Yes             | Yes                      | No                      | Server certificate isn't checked. Data sent between client and server is encrypted.                                 |
| No              | No                       | Yes                     | Server certificate is checked. Data sent between client and server is encrypted.                                    |
| No              | Yes                      | Yes                     | Server certificate isn't checked. Data sent between client and server is encrypted.                                 |
| Yes             | No                       | Yes                     | Server certificate is checked. Data sent between client and server is encrypted.                                    |
| Yes             | Yes                      | Yes                     | Server certificate isn't checked. Data sent between client and server is encrypted.                                 |
| Strict          | -                        | -                       | TrustServerCertificate is ignored. Server certificate is checked. Data sent between client and server is encrypted. |
+-----------------+--------------------------+-------------------------+---------------------------------------------------------------------------------------------------------------------+

In my opinion, this makes no sense; then anyone can connect to the database even without the certificate.

You may be confusing authentication with encryption. The encryption key exchange takes place during the initial database connection and has nothing to do with authentication. Using Windows authentication gives you additional security, because it ultimately uses a certificate to verify the user's identity.

You can block that specific connection with a logon trigger. But you need to know what you are doing: if you write some wrong SQL so that nobody can connect any more, you will need to disable the trigger with the SQLCMD admin console on the local machine. I suggest you first learn how to use triggers.
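An added example of the logon-trigger approach described above (written for this page, not code from the answer): it rejects any new session whose connection the server reports as unencrypted. It assumes a login named trigger_owner that has been granted VIEW SERVER STATE, and it exempts sysadmin logins so a mistake cannot lock administrators out.

```sql
-- Added example, not part of the original answer.
-- Before creating the trigger, check what the server sees for a session from
-- the client you care about:
--   SELECT session_id, encrypt_option, net_transport, client_net_address
--   FROM sys.dm_exec_connections WHERE session_id = @@SPID;
-- encrypt_option is the string 'TRUE' or 'FALSE' in sys.dm_exec_connections.
USE master;
GO

-- trigger_owner is a placeholder login; it needs VIEW SERVER STATE to read
-- sys.dm_exec_connections for other sessions' rows.
-- GRANT VIEW SERVER STATE TO [trigger_owner];

CREATE OR ALTER TRIGGER trg_RequireEncryptedConnection
ON ALL SERVER
WITH EXECUTE AS 'trigger_owner'
FOR LOGON
AS
BEGIN
    -- Exempt sysadmins (checked against the ORIGINAL login, not the
    -- EXECUTE AS context) so a faulty predicate cannot lock admins out.
    -- The Dedicated Admin Connection (sqlcmd -A) also bypasses logon triggers.
    IF IS_SRVROLEMEMBER('sysadmin', ORIGINAL_LOGIN()) = 1
        RETURN;

    -- Refuse the session if the TDS connection carrying it is not encrypted.
    IF EXISTS (
        SELECT 1
        FROM sys.dm_exec_connections
        WHERE session_id = @@SPID
          AND encrypt_option = 'FALSE'
    )
    BEGIN
        -- ROLLBACK inside a logon trigger cancels the login; the client gets
        -- error 17892 ("Logon failed ... due to trigger execution").
        ROLLBACK;
    END
END;
GO

-- Rollback plan, run from a DAC session on the server if the trigger misbehaves:
--   DISABLE TRIGGER trg_RequireEncryptedConnection ON ALL SERVER;
--   DROP TRIGGER trg_RequireEncryptedConnection ON ALL SERVER;
```

Note that this trigger runs after authentication succeeds, so it does not replace the Force Encryption setting; it only turns a plaintext connection into a refused logon instead of a silently accepted one.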
