Encrypting connections to SQL Server protects the communication between clients and the server. By default, most communication with SQL Server is sent in plain text, which can allow information about your database to be gathered and later used in an attack. Encrypting the connection helps protect this information as it travels between the server and its clients.
SSL and TLS
Secure Sockets Layer (SSL) is an encryption-based security protocol introduced by Netscape in 1995 to provide privacy and data integrity for internet communications. The last version, SSL 3.0, was released in 1996 and has several known vulnerabilities; it is considered deprecated and is not supported by SQL Server 2016+.
In 1999, the Internet Engineering Task Force (IETF) proposed an update to SSL: Transport Layer Security (TLS), the successor to SSL, which is still in use today. The two terms are often used interchangeably because of the name recognition of SSL, but TLS is the protocol actually in use. It is the protocol supported by SQL Server 2016+, and Microsoft has released updates enabling TLS for versions as far back as SQL Server 2008.
Certificates
SSL and TLS encryption both require a certificate that clients trust in order to encrypt the connection. There are two main options for obtaining one.
- Self-signed certificates – These may be sufficient for some SQL Server environments, but they can be less than ideal for many production environments because the certificate must be explicitly trusted by each client.
- Certificate authority – This can be either an enterprise CA or a third-party certificate authority such as DigiCert. Many third-party options come with a cost; however, the nonprofit CA Let’s Encrypt now provides free certificates.
Force encryption
Once a certificate is installed and configured for SQL Server, the server accepts both encrypted and unencrypted connections. The Force Encryption setting requires that every connection to SQL Server be encrypted; any client that cannot negotiate encryption will fail to connect, so verify that all clients support encryption before enabling this setting.
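One way to check which clients would be affected before enabling Force Encryption is to look at the sessions currently connected and whether each one negotiated encryption. The following T-SQL query is an added example and not part of the original article; it uses the standard sys.dm_exec_connections and sys.dm_exec_sessions dynamic management views and assumes the account running it holds VIEW SERVER STATE.

```sql
-- Added example (not from the article): audit current connections before
-- enabling Force Encryption. encrypt_option is 'TRUE' when the client
-- negotiated TLS for the session and 'FALSE' when the TDS stream is sent
-- in plain text. Requires the VIEW SERVER STATE permission.

-- 1. Quick self-check: is the connection running this query encrypted?
SELECT c.session_id,
       c.encrypt_option,
       c.auth_scheme,        -- SQL, NTLM or KERBEROS
       c.client_net_address
FROM   sys.dm_exec_connections AS c
WHERE  c.session_id = @@SPID;

-- 2. Inventory of user sessions that did NOT negotiate encryption, grouped
--    by client host, application and login. Each group is a client that
--    would fail to connect once Force Encryption is turned on.
SELECT s.host_name,
       s.program_name,
       s.login_name,
       c.client_net_address,
       c.protocol_type,      -- TSQL, or Service Broker / database mirroring
       c.auth_scheme,
       COUNT(*) AS session_count
FROM   sys.dm_exec_connections AS c
JOIN   sys.dm_exec_sessions    AS s
       ON s.session_id = c.session_id
WHERE  s.is_user_process = 1          -- skip internal system sessions
  AND  c.encrypt_option  = 'FALSE'
GROUP BY s.host_name, s.program_name, s.login_name,
         c.client_net_address, c.protocol_type, c.auth_scheme
ORDER BY session_count DESC;
```

The views show only sessions that exist at the moment the query runs, so repeat it across normal business cycles (batch windows, month-end jobs) before concluding that every client supports encryption.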
Final Thoughts
With cyberattacks on the rise, more organizations are looking for ways to protect their data. Encrypting your SQL Server connections can play an important role in keeping your data safe; however, it does not eliminate the risk entirely. It should be one piece of a larger effort to implement security best practices and keep systems up to date. As with most changes, it should be carefully planned and tested to ensure your applications support it before using it in production.
If you have any questions about applying this information to your specific situation, contact us and we will help.