CodeQL queries 1.24
SQL Server connections where the client is not enforcing the encryption in transit are susceptible to multiple attacks, including a man-in-the-middle, that would potentially compromise the user credentials and/or the TDS session.
Ensure that the client code enforces the Encrypt option by setting it to true in the connection string.
The following example shows a SQL connection string that is not explicitly enabling the Encrypt setting to force encryption.
The following example shows a SQL connection string that is explicitly enabling the Encrypt setting to force encryption in transit.
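As an added illustration (not part of the CodeQL query help itself), the check below parses ADO.NET style connection strings the way the query reasons about them and reports those that do not set Encrypt (or its documented synonym "Use Encryption for Data") to true; the sample connection strings and the host name are constructed.

```python
# Parse an ADO.NET / System.Data.SqlClient connection string into
# lowercased keyword -> value pairs. Values may be single- or
# double-quoted when they contain semicolons; the last occurrence of
# a keyword wins, as SqlConnectionStringBuilder also does.
def parse_connection_string(conn_str: str) -> dict:
    pairs, i, n = {}, 0, len(conn_str)
    while i < n:
        while i < n and conn_str[i] in " ;":   # skip separators
            i += 1
        eq = conn_str.find("=", i)
        if i >= n or eq == -1:
            break
        key = conn_str[i:eq].strip().lower()
        i = eq + 1
        while i < n and conn_str[i] == " ":
            i += 1
        if i < n and conn_str[i] in "\"'":      # quoted value
            end = conn_str.find(conn_str[i], i + 1)
            end = n if end == -1 else end
            value, i = conn_str[i + 1:end], end + 1
        else:                                   # bare value up to ';'
            end = conn_str.find(";", i)
            end = n if end == -1 else end
            value, i = conn_str[i:end].strip(), end
        pairs[key] = value
    return pairs

# Keywords and values System.Data.SqlClient accepts for encryption.
ENCRYPT_KEYS = ("encrypt", "use encryption for data")
TRUE_VALUES = {"true", "yes"}

def encryption_enforced(conn_str: str) -> bool:
    """True only if the client explicitly demands TLS for the TDS session.
    In System.Data.SqlClient the default when Encrypt is absent is false."""
    pairs = parse_connection_string(conn_str)
    for key in ENCRYPT_KEYS:
        if key in pairs:
            return pairs[key].lower() in TRUE_VALUES
    return False

def audit(conn_strings: list) -> list:
    """Return (index, finding) tuples for connection strings a reviewer should fix."""
    findings = []
    for idx, cs in enumerate(conn_strings):
        if not encryption_enforced(cs):
            findings.append((idx, "Encrypt not set to true; TDS session may be sent in clear"))
        elif parse_connection_string(cs).get("trustservercertificate", "").lower() in TRUE_VALUES:
            findings.append((idx, "encryption on, but TrustServerCertificate=true skips certificate validation"))
    return findings

# Constructed sample connection strings (db.example.invalid is a placeholder host).
SAMPLES = [
    'Server=tcp:db.example.invalid,1433;Database=Orders;User ID=app;Password="p;w";',
    "Server=tcp:db.example.invalid,1433;Database=Orders;Integrated Security=true;Encrypt=false;",
    "Server=tcp:db.example.invalid,1433;Database=Orders;Integrated Security=true;Encrypt=true;",
    "Server=tcp:db.example.invalid,1433;Use Encryption for Data=yes;TrustServerCertificate=true;",
]
```

Running `audit(SAMPLES)` flags the first two strings for missing or disabled encryption and the fourth for disabled certificate validation; only the third passes cleanly.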
- Microsoft, SQL Protocols blog: Selectively using secure connection to SQL Server.
- Microsoft: SqlConnection.ConnectionString Property.
- Microsoft: Using Connection String Keywords with SQL Server Native Client.
- Microsoft: Setting the connection properties.
- Common Weakness Enumeration: CWE-327.