Security Risk: Using SQL Authentication for the Profiles Resource

When you use the Profiles resource in Commerce Server Manager to connect to a profile definition stored on a remote computer, the remote computer returns the contents of the ConnStr field of the SourceDef table in clear text. These contents are the connection strings to the data sources where profile data is stored. This is a security vulnerability: anyone monitoring network traffic could read these connection strings and use them to reach sensitive profile data.

To secure the connection strings to the Profiles database, you have two options:

  • Configure the Profiles resource to use Windows Integrated Security. This is the recommended configuration.
  • If you must use SQL Authentication, deploy encryption on the named pipes: use IPSec authentication, enable Secure Sockets Layer (SSL) encryption, and enable multiprotocol client encryption. For instructions, see SQL Server Books Online.
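To check which of the two configurations a profile data source actually uses, here is an added example (not code from the Commerce Server product or from this page) that classifies connection strings of the kind held in SourceDef.ConnStr. The sample strings, the SRV1 server name and the profiles_app login are constructed, and the encryption keywords only show what the client requests, not that IPSec or SSL has been deployed as described above.

```python
"""Audit profile data-source connection strings for SQL Authentication.

Added example, not code from the original Microsoft page; it classifies
strings of the kind held in the ConnStr field of the SourceDef table.
The sample strings below are constructed.
"""
from typing import Dict

# Keyword aliases accepted by the SQL Server OLE DB / ODBC providers.
USER_KEYS = {"user id", "uid"}
PASSWORD_KEYS = {"password", "pwd"}
INTEGRATED_KEYS = {"integrated security", "trusted_connection"}
ENCRYPT_KEYS = {"encrypt", "use encryption for data"}
TRUE_VALUES = {"sspi", "true", "yes"}

# Constructed samples standing in for SourceDef.ConnStr rows.
INTEGRATED = ("Provider=SQLOLEDB;Data Source=SRV1;Initial Catalog=Profiles;"
              "Integrated Security=SSPI")
SQL_AUTH = ("Provider=SQLOLEDB;Data Source=SRV1;Initial Catalog=Profiles;"
            "User ID=profiles_app;Password=EXAMPLE-PASSWORD")
SQL_AUTH_ENCRYPTED = SQL_AUTH + ";Use Encryption for Data=True"


def parse_conn_str(conn_str: str) -> Dict[str, str]:
    """Split 'Key=Value;Key=Value' into a dict with lower-cased keys."""
    pairs: Dict[str, str] = {}
    for part in conn_str.split(";"):
        if "=" not in part:
            continue  # skip empty segments such as a trailing ';'
        key, value = part.split("=", 1)
        pairs[key.strip().lower()] = value.strip()
    return pairs


def audit(conn_str: str) -> str:
    """Classify one connection string as OK, WARN, FAIL or UNKNOWN."""
    p = parse_conn_str(conn_str)
    if any(p.get(k, "").lower() in TRUE_VALUES for k in INTEGRATED_KEYS):
        return "OK: Windows Integrated Security, no password in ConnStr"
    if any(k in p for k in USER_KEYS | PASSWORD_KEYS):
        # A client-side request only; it does not prove IPSec/SSL is deployed.
        if any(p.get(k, "").lower() in TRUE_VALUES for k in ENCRYPT_KEYS):
            return "WARN: SQL Authentication; encryption requested by client"
        return "FAIL: SQL Authentication; SQL login and password in clear text"
    return "UNKNOWN: no recognised authentication keyword"


def audit_all(conn_strs):
    """Audit every ConnStr value, preserving row order."""
    return [audit(c) for c in conn_strs]
```

Run `audit_all` over the ConnStr column exported from SourceDef; any FAIL row is a data source whose credentials are disclosed to anyone watching the Commerce Server Manager connection.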

Copyright © 2005 Microsoft Corporation.
All rights reserved.