Finds uses of insecure SQL connection strings that do not enable the Encrypt option.

SQL Server connections where the client does not enforce encryption in transit are susceptible to multiple attacks, including man-in-the-middle attacks, that could compromise the user credentials and/or the TDS session.

Ensure that the client code enforces the Encrypt option by setting it to true in the connection string.

The following example shows a SQL connection string that does not explicitly enable the Encrypt setting to force encryption.

The following example shows a SQL connection string that explicitly enables the Encrypt setting to force encryption in transit.
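As an added illustration (not example code from the original page), the snippet below places the weak connection string beside the corrected one and shows a check a reviewer can run over the strings an application actually uses. It assumes the System.Data.SqlClient provider, where Encrypt defaults to false when the key is absent; the server name, database and login are constructed placeholders.

```csharp
using System;
using System.Data.SqlClient;

// Added example: a small check for whether a SqlClient connection string
// enforces encryption in transit, with an insecure and a corrected string.
public static class SqlConnectionEncryptionCheck
{
    // Returns true when the connection string enforces encryption in transit.
    // SqlConnectionStringBuilder parses the string with the provider's own rules,
    // so "Encrypt=true", "Encrypt=yes" and similar spellings are all recognised.
    // In System.Data.SqlClient the Encrypt key defaults to false, so an absent
    // key counts as "not enforced".
    public static bool EnforcesEncryption(string connectionString)
    {
        var builder = new SqlConnectionStringBuilder(connectionString);
        return builder.Encrypt;
    }

    // Returns true when encryption is on but server certificate validation is
    // disabled. Such a connection is encrypted, yet an active attacker able to
    // present their own certificate is not detected, so flag it as well.
    public static bool TrustsAnyServerCertificate(string connectionString)
    {
        var builder = new SqlConnectionStringBuilder(connectionString);
        return builder.Encrypt && builder.TrustServerCertificate;
    }

    public static void Main()
    {
        // Constructed sample strings; host, database and login are placeholders.
        // BAD: Encrypt is never set, so the client does not require TLS.
        string insecure =
            "Server=db.example.invalid;Database=Orders;Integrated Security=true;";

        // GOOD: Encrypt=true makes the client require encryption in transit,
        // and the server certificate is still validated (TrustServerCertificate
        // is left at its default of false).
        string secure =
            "Server=db.example.invalid;Database=Orders;Integrated Security=true;Encrypt=true;";

        // Encrypted but with certificate validation switched off: worth flagging too.
        string weakTrust =
            "Server=db.example.invalid;Database=Orders;Integrated Security=true;" +
            "Encrypt=true;TrustServerCertificate=true;";

        Console.WriteLine($"insecure  enforces encryption: {EnforcesEncryption(insecure)}");   // False
        Console.WriteLine($"secure    enforces encryption: {EnforcesEncryption(secure)}");     // True
        Console.WriteLine($"weakTrust trusts any cert:     {TrustsAnyServerCertificate(weakTrust)}"); // True

        // Building the string through the builder keeps the option explicit
        // and avoids typos in the key name.
        var builder = new SqlConnectionStringBuilder
        {
            DataSource = "db.example.invalid",
            InitialCatalog = "Orders",
            IntegratedSecurity = true,
            Encrypt = true
        };
        using (var connection = new SqlConnection(builder.ConnectionString))
        {
            // connection.Open() would negotiate TLS before sending credentials;
            // it is not called here because the placeholder host does not exist.
            Console.WriteLine($"built string: {connection.ConnectionString}");
        }
    }
}
```

The check deliberately treats an absent Encrypt key as a finding because that is the provider default assumed here; if the application has moved to Microsoft.Data.SqlClient 4.0 or later, where Encrypt defaults to true, the same parse still works but the absent-key case is no longer insecure, so adjust the expectation accordingly rather than assuming one default for every provider.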

  • Selectively using secure connection to SQL Server
  • Net SqlClient (ADO .Net)
  • SQL native driver (SNAC)
  • JDBC driver