database connection string...

Discussion in 'ASP .Net Security' started by Jim, Nov 6, 2003.

  1. Jim

    Jim Guest

    I want to store a database connection (includes username & password) for my
    asp.net app, currently I have it stored in the web.config file - I know this
    is not ideal but can anyone suggest a better place or way to store it.

    Cheers

    Eath Worm Jim
    Jim, Nov 6, 2003
    #1

  2. Jim

    Shawn Guest

    You could create a .dll and store it there. If you use a .dll you can also
    encrypt your username and password. I don't think you can do that if you
    put it in the Web.config file. This is probably not the ideal way of
    storing a connectionstring either, but it's the best I can come up with.
    Hopefully someone else can show us a better way?

    Shawn

    Shawn, Nov 6, 2003
    #2

  3. Why is it not ideal?

    --
    HTH,

    Kevin Spencer
    Microsoft MVP
    .Net Developer
    http://www.takempis.com
    Big Things are made up of
    Lots of Little Things.

    Kevin Spencer, Nov 6, 2003
    #3
  4. Jim

    Steve Jansen Guest

    Steve Jansen, Nov 6, 2003
    #4
  5. Jim

    Rajesh.V Guest

    .Net has a rich set of Cryptography classes. Choose a symmetric algo like
    triple des or md5 to keep encrypted conn string in the web.config and
    decrypt upon usage. Also note if anybody decompiled the application dll
    which employs this decryption, they can see the password. So you will have
    to do one more level like obfuscation of the dll.

    Rajesh.V, Nov 6, 2003
    #5
  6. Jim

    Jim Guest

    If the web server is hacked and the root directory is exposed then the
    hacker will have username and password to the database.

    Is that not a scenario I should be concerned about?

    Earth Worm Jim

    Jim, Nov 7, 2003
    #6
  7. > If the web server is hacked and the root directory is exposed then the
    > hacker will have username and password to the database.
    >
    > Is that not a scenario I should be concerned about?


    If you replace "web server" with any other server entity, you will see the
    flaw in your logic. Examples:

    If the database is hacked...
    If the file system is hacked...
    If the registry is hacked...

    If anything containing data is hacked, of course, the data is compromised.
    The trick is to protect your server from hackers.

    --
    HTH,

    Kevin Spencer
    Microsoft MVP
    .Net Developer
    http://www.takempis.com
    Big Things are made up of
    Lots of Little Things.

    Kevin Spencer, Nov 7, 2003
    #7
  8. Jim

    Jim Guest

    I agree with what you are saying ......

    BUT let's say a serious flaw is found in IIS (my preferred web server) and
    this allows the hacker access at the root of the website and they then gain
    the username & password from the web.config, they can destroy\delete data in
    the database, whereas if the connection string is protected by
    encryption or another means and they can't decrypt the string they cannot
    gain access to the database and therefore not destroy\delete data.

    I suppose I am thinking of another level of misdirection for the hacker...

    Cheers

    Earth Worm Jim

    Jim, Nov 7, 2003
    #8
  9. Jim

    Alek Davis Guest

    Also
    http://msdn.microsoft.com/msdnmag/issues/03/11/ProtectYourData/default.aspx
    may give you some ideas.

    Alek

    "Steve Jansen" <> wrote in message
    news:...
    > Jim,
    >
    > The best practice for this is to use DPAPI.
    >
    > Check out
    > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetHT08.asp
    >
    > -Steve
    >
    > Jim wrote:
    >
    > > I want to store a database connection (includes username & password) for my
    > > asp.net app, currently I have it stored in the web.config file - I know this
    > > is not ideal but can anyone suggest a better place or way to store it.
    > >
    > > Cheers
    > >
    > > Eath Worm Jim

    Alek Davis, Nov 7, 2003
    #9
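
The DPAPI approach recommended in the reply quoted above, sketched as an added example (not code from any poster or from the linked MSDN articles). It uses the managed `ProtectedData` wrapper that shipped in .NET 2.0, after this thread was written; the class name, entropy string and sample connection string are constructed for illustration.

```csharp
using System;
using System.Security.Cryptography; // ProtectedData: managed DPAPI wrapper (Windows only;
using System.Text;                  // reference System.Security.dll on .NET Framework)

public static class ConnectionStringProtector
{
    // Optional secondary entropy (constructed value). It is not a secret key: the
    // key material is held by Windows, so nothing decryptable ships in the app DLL.
    private static readonly byte[] Entropy = Encoding.UTF8.GetBytes("MyApp.ConnString.v1");

    // Run once ON THE WEB SERVER at deployment time and paste the result into web.config.
    public static string Protect(string connectionString)
    {
        byte[] plain = Encoding.UTF8.GetBytes(connectionString);
        try
        {
            byte[] blob = ProtectedData.Protect(plain, Entropy, DataProtectionScope.LocalMachine);
            return Convert.ToBase64String(blob);
        }
        finally { Array.Clear(plain, 0, plain.Length); } // do not leave the plaintext bytes around
    }

    // Called by the application at startup with the value read from web.config.
    public static string Unprotect(string base64Blob)
    {
        try
        {
            byte[] blob = Convert.FromBase64String(base64Blob);
            byte[] plain = ProtectedData.Unprotect(blob, Entropy, DataProtectionScope.LocalMachine);
            try { return Encoding.UTF8.GetString(plain); }
            finally { Array.Clear(plain, 0, plain.Length); }
        }
        catch (FormatException ex)
        { throw new InvalidOperationException("Stored value is not valid base64.", ex); }
        catch (CryptographicException ex)
        { throw new InvalidOperationException("Blob was modified, or was protected on another machine or with other entropy.", ex); }
    }

    public static void Main()
    {
        // Constructed sample value, not a real credential.
        string sample = "Server=db01;Database=Shop;User Id=webapp;Password=example-only";
        string stored = Protect(sample);
        Console.WriteLine(stored);                      // opaque base64 blob for web.config
        Console.WriteLine(Unprotect(stored) == sample); // round trip succeeds on the same machine
    }
}
```

With `LocalMachine` scope a copied web.config is useless off the server, which covers the file-disclosure case raised in the thread, but code running on that server can still call `Unprotect`. `CurrentUser` scope narrows decryption to the account that protected the value, at the cost of needing that account's profile loaded.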
  10. Jim

    richlm Guest

    A comprehensive discussion of this topic can be found
    here:

    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetch12.asp

    richlm, Nov 9, 2003
    #10
