
I am working on a WPF app that connects to Azure SQL using EF 6 and a defined connection string (no Web Service, to save money on Azure running SQL and a Web server).

So my question is: how secure is such a connection?

I have Encrypt=True in the connection string (so I am using SSL). I am using AD user credentials to connect to the DB itself (a combination of an AD user and a corresponding contained DB user; unfortunately the username and password are in the config files of the app). I have registered the app in Azure AD and gave it permission to access the DB using this contained DB user matching the AD user. (I am using this app client id to identify that communication comes from my WPF app.)

The only threat I can see here is if someone gains access to a computer with the app installed and retrieves from the config files all the information needed to establish a connection and authenticate it.

But I am really weak in networking stuff and I have no idea if someone can obtain that information by sniffing network traffic. (I tried to use Wireshark myself but it all looked pretty much like gibberish to me.)

So does anyone have any idea how such communication can be corrupted in any way?

  • If you are going to distribute this WPF app you most certainly do not want to have it speaking directly to a SQL server. Put a Web API between it so that your configurations don't have to be distributed along with your WPF app. Commented Oct 22, 2018 at 16:46
  • I am not going to distribute it widely. It will be installed on 2 computers and that's it. It's a really small company that doesn't want to spend much more money for a PoC. Maybe later on, but right now that's all I can work with. Commented Oct 22, 2018 at 17:14

1 Answer

Answer recommended by Microsoft Azure Collective

SQL Server and SQL Azure support encryption for database connections (encryption in motion). Please be aware that SSL is the older term for this - the current best capability supported to talk to the SQL engine (in either context) is TLS 1.2. Note that you need to have the right (up to date) versions of client drivers to be able to get this security when talking to SQL Azure. SQL Azure enforces encryption by default when using these drivers. You can read the current state of this in this post: https://support.microsoft.com/en-us/help/3135244/tls-1-2-support-for-microsoft-sql-server

With respect to your broader question, there are lots of things you need to consider when writing an application (2 tier or 3 tier). You should be looking at the firewall on Azure SQL DB to lock down whatever path you enable. You should use the SQL permission model to limit what each user/role can do when operating in the database. You should use audit to track who connects to the db (and from where). You should make sure you are using TDE (on by default in SQL Azure for new DBs). There are additional security features in SQL that may also be useful to you (row level security, data masking, always encrypted, etc). The networking part is really just the starting point for designing a secure solution.


3 Comments

OK, good to know that the driver enforces TLS 1.2. That's valuable information. I know that there are many security layers that I can implement in the SQL DB itself. That I actually did. I worry about networking stuff because that's where my knowledge gap is. That's why I wanted to know if it is possible to retrieve all credentials needed to connect from requests to Azure SQL itself.

I suggest you attach a packet sniffer on your client and validate that you are happy with it. Note that down-level drivers may not support TLS 1.2 (and some of the more experimental drivers for other languages may not implement it at all). I believe that those can fall back to unencrypted. So, trust but verify for your scenario. I don't yet have a date for TLS 1.3 support, but that standard was recently completed and it's something that we'll be examining to see when we can get that support into the drivers as well.

I accepted this answer as it has already been a week and no one provided any more insightful answer. Although I asked about the possibility of listening to such a connection and hijacking credentials, there is useful information here about Azure using TLS 1.2.
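
A way to do the "trust but verify" step from inside the client, as an added example that is not part of the original answer or comments. It uses `SqlConnectionStringBuilder` from `System.Data.SqlClient` to inspect the settings discussed in the question, then asks the server how it sees the session through `sys.dm_exec_connections`. The server, database and user names are constructed placeholders, and the account is assumed to have permission to read that view.

```csharp
using System;
using System.Collections.Generic;
using System.Data.SqlClient;

static class ConnectionAudit
{
    // Static checks on the connection string; nothing is sent over the network.
    public static List<string> CheckSettings(string connectionString)
    {
        var b = new SqlConnectionStringBuilder(connectionString);
        var findings = new List<string>();
        if (!b.Encrypt)
            findings.Add("Encrypt is not True: the client does not request encryption and relies on the server to force it.");
        if (b.TrustServerCertificate)
            findings.Add("TrustServerCertificate=True: the server certificate is not validated, so the server's identity is unproven.");
        if (!string.IsNullOrEmpty(b.Password))
            findings.Add("Password is in the connection string: anyone who can read the config file can reuse it.");
        if (b.PersistSecurityInfo)
            findings.Add("Persist Security Info=True: the password stays readable on the connection object after Open().");
        return findings;
    }

    // Asks the server whether the current session is encrypted and how it authenticated.
    public static string ServerSideView(string connectionString)
    {
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(
            "SELECT encrypt_option, net_transport, auth_scheme " +
            "FROM sys.dm_exec_connections WHERE session_id = @@SPID", conn))
        {
            conn.Open();
            using (var r = cmd.ExecuteReader())
            {
                r.Read();
                return $"encrypt_option={r.GetString(0)}, net_transport={r.GetString(1)}, auth_scheme={r.GetString(2)}";
            }
        }
    }

    static void Main()
    {
        // Constructed sample value; every name in it is a placeholder.
        var sample = "Server=tcp:example-server.database.windows.net,1433;Database=ExampleDb;" +
                     "User ID=app-user@example.com;Password=placeholder;Encrypt=True;TrustServerCertificate=True";
        foreach (var f in CheckSettings(sample)) Console.WriteLine("WARN: " + f);
        // Console.WriteLine(ServerSideView(realConnectionString)); // needs a reachable database
    }
}
```

An `encrypt_option` of `TRUE` confirms the session is encrypted on the wire; the password finding covers the config-file exposure the question already identifies, which transport encryption does not address.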
