ConnectionStrings in ASP.NET 2.0?

sstrangee

The connection strings now have a ConnectionStrings section in the
web.config.

However, the main flaw of this method is that if you put the password
in the connection string, it can be read by any text editor that
might have access to the root directory.

Is there a method in place now so that these strings can be encrypted, or
still be accessible from the web.config but hidden, and be used from an
ASP.NET application?
 
sstrangee

That's exactly my point... to keep passwords out of the hands of people
that might find some way of getting access to that folder.
 
Edwin Knoppert

Question again:
If the app is on a webserver, WHO has access to the server (through NETBIOS,
I mean)?
A common mistake is that HTTP users can read the connection string somehow.
That's impossible unless ASP.NET support drops (crashes) for some reason.
 
Kevin Spencer

If the app is on a webserver, WHO has access to the server (through
NETBIOS i mean)

Do you mean over the LAN or on the same Domain? That would be determined by
local file system and domain permissions. Anyone on the same Domain or LAN
who has local file system or domain permission to access the file would be
able to read it.

--
HTH,

Kevin Spencer
Microsoft MVP
.Net Developer
You can lead a fish to a bicycle,
but it takes a very long time,
and the bicycle has to *want* to change.
 
sstrangee

You're right.

But even if someone does have domain rights to the web.config, that doesn't
mean that they should have the connection string information -- thus, it
being encrypted for that reason.
 
Mark Rae

Yes, there are methods in place to encrypt sections of the web.config
file, including <connectionStrings>.

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/paght000005.asp

OR

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/paght000005.asp

Both use the aspnet_regiis.exe command-line utility included with the .NET
Framework Runtime.

Yes indeed, but both methods assume that you have read access to the web
server's local registry - if this is a public website hosted with a public
ISP, you'd be very lucky to have this....

Also, both methods assume that you have *WRITE* access to the web server's
local registry to create the encrypted registry key(s) in the first place -
in the above scenario, I'd be totally amazed if you have this.
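
The protected-configuration feature that aspnet_regiis.exe drives can also be called from application code through the ASP.NET 2.0 configuration API. The following is an added example, not part of the original thread; the class name and the "MainDb" connection string name are hypothetical, and it assumes the default DataProtectionConfigurationProvider is registered and the application's identity can write to web.config.

```csharp
// Added example (not from the thread). Class name and "MainDb" are hypothetical.
using System.Configuration;
using System.Web;
using System.Web.Configuration;

public static class ConnectionStringProtector
{
    // Default provider name from machine.config. It uses Windows DPAPI, so the
    // encrypted section can only be decrypted on the machine that encrypted it.
    private const string Provider = "DataProtectionConfigurationProvider";

    // Encrypts <connectionStrings> in the application's root web.config.
    // Returns true if the section is protected when the call completes.
    public static bool EnsureProtected()
    {
        Configuration config =
            WebConfigurationManager.OpenWebConfiguration(HttpRuntime.AppDomainAppVirtualPath);
        ConfigurationSection section = config.GetSection("connectionStrings");

        // Nothing to protect, or the section is locked by a parent configuration file.
        if (section == null || section.SectionInformation.IsLocked)
            return false;

        if (!section.SectionInformation.IsProtected)
        {
            section.SectionInformation.ProtectSection(Provider);
            section.SectionInformation.ForceSave = true;
            // Rewrites web.config; the section body becomes an <EncryptedData> element.
            config.Save(ConfigurationSaveMode.Modified);
        }
        return section.SectionInformation.IsProtected;
    }

    // Calling code does not change: ASP.NET decrypts the section transparently on read.
    public static string GetConnectionString(string name)
    {
        ConnectionStringSettings settings = ConfigurationManager.ConnectionStrings[name];
        if (settings == null)
            throw new ConfigurationErrorsException(
                "No connection string named '" + name + "' in web.config.");
        return settings.ConnectionString;
    }
}
```

Saving web.config restarts the application, so `EnsureProtected()` belongs in a one-time, administrator-only step rather than in per-request code; afterwards `GetConnectionString("MainDb")` returns the plaintext value to the application while the file on disk holds only ciphertext.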
 
Guest

Thinking about this, if someone who is hostile (read, would use the
connection string maliciously) has rights to the directory the web.config is
in and can actually open up that file in a text editor, you have bigger
security problems at hand to worry about than whether or not they can get a
connection string. This would immediately indicate your security is in the
basement and you need to hire new sysadmins. These hostile parties would
pretty much own your site.

This rates with the older question "Is it safe to put a connection string in
the global.asa under ASP Classic?" If someone can actually get into the
directory structure to get that connection string out, they probably already
own my machine, they are in as an admin, and they can get into my database
(whether it's on a remote machine or local).

Strict security practices and ensuring they are adhered to religiously is
your best protection.

Of course, I could be wrong, but that's just my two cents worth.

DJ
 
