Configuring MS SQL for SSL/TLS

  1. Provide a private key and certificate (.key and .crt files) on both machines.

  2. Configure any non-server clients to trust the certificate's root signing authority. For more information please see: https://support.microsoft.com/en-us/help/316898/how-to-enable-ssl-encryption-for-an-instance-of-sql-server-by-using-mi

  3. Configure the server(s) to force all incoming connections to use SSL/TLS so that any clients that do not support this will fail to connect. In SQL Server Configuration Manager, set the ForceEncryption parameter to "Yes" in the Protocols section.

    images/download/attachments/284927657/force-encryption-version-1-modificationdate-1536666035503-api-v2.png


This solution is not bullet-proof. The database links are generally a potential security risk, when the user permissions are not configured properly and e.g. xp_cmdshell with admin rights is accessible on some of the database nodes. For more information please refer to https://blog.netspi.com/how-to-hack-database-links-in-sql-server/.


For more information how to create a certificate please see the chapter System communication hardening