Protecting database connection string

Krista Lemieux

Hello,
I know this is probably a huge topic to discuss and
there are lots of different ways of implementation, but I
still would like to ask and hear the most commonly used
techniques for this.
Basically I have an ASP.NET application, and my
connection string currently is stored in a constant
public variable in one of my classes. The reason for that
is so that I only have one place to change the connection
string when I deploy it on a production server that uses
a different database. Now the problem with my method is
that the connection string can be potentially accessed by
an unauthorized person, which would expose the Database
information (as it contains IP, Port and UID and
password).

I read the article at
http://msdn.microsoft.com/msdnmag/issues/03/11/ProtectYourData/default.aspx
and although it does have some great suggestions, I find
it is directed for windows apps more than web apps (or at
least not web apps hosted with shared hosting services,
where some of the features are not available, like
Windows Authentication, etc...). That's why I'm
interested in hearing about what other common
techniques are used for the web apps by other people.

Do you have any suggestions on how I could protect this
connection string, but still be able to access it by my
other classes (to have a one point change), i.e.
encryption or a different method of storing it?

Thank you for your help in advance.

Merci,
Krista Lemieux
 
Darren Clark

I use the web.config to store my connection details.
Mind you we encrypt the string and then once the site goes up and the connection string is needed we decrypt it and then store in an application var.

Also, as some added security... all data access goes through SPs; this way we create 1 user that has no access to tables and only execute access for SPs and functions. This way we control what information is available even if they do get the details.
 
Guest

We are using impersonation, storing encrypted credentials in the registry and a trusting relationship between Web app and SQL Server. In web.config file:

<authentication mode="Windows" />
<identity impersonate="true"
userName="registry:HKLM\SOFTWARE\SecureApp\identity\ASPNET_SETREG,userName" password="registry:HKLM\SOFTWARE\SecureApp\identity\ASPNET_SETREG,password" />

and

<add key="ConnectionString" value="Data Source=Server; Initial Catalog=DBase; Integrated Security=SSPI; " />

In that way credentials are never exposed and when the web application connects to the database, credentials are not passed over the network.
 
Mark Rae

Do you have any suggestions on how I could protect this
connection string, but still be able to access it by my
other classes (to have a one point change), i.e.
encryption or a different method of storing it?

I use web.config plus encryption. Here's one I did recently:

<add key="SQLConnectionString"
value="/jrER8bDAM/Ce6BWkcjtNVpLTFJBFnNdxnjlEIBskR3OwgbYB5qoT+drQtI67nBtDyc4T
AeOmKm+cNOd4vP5r3v107nr4hzIO2DFdERDVjuuSHd50ThIjKp992gJveP3I+v6D4rQ80=" />
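
One way to do what Darren Clark and Mark Rae describe (encrypted value in web.config, decrypted once and cached behind a single access point), as an added example that is not code from any poster in this thread. It assumes Windows DPAPI via ProtectedData as the cipher, which the thread does not specify; the class name and entropy value are hypothetical, and the SQLConnectionString key is the one shown in Mark Rae's post.

```csharp
using System;
using System.Configuration;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper class; needs references to System.Security and System.Configuration.
public static class ConnectionStringStore
{
    // Constructed value: secondary entropy mixed into the DPAPI key derivation.
    private static readonly byte[] Entropy = Encoding.UTF8.GetBytes("constructed-example-entropy");

    // Decrypt once, on first use, and keep the plaintext only in memory.
    private static readonly Lazy<string> Cached = new Lazy<string>(Load);

    // Single access point for every data-access class.
    public static string Value
    {
        get { return Cached.Value; }
    }

    // Run once on the target server and paste the result into web.config.
    // LocalMachine scope: any account on this machine that also has the entropy
    // can decrypt, so on a shared host the ACL on the config file still matters.
    public static string Protect(string plainText)
    {
        byte[] cipher = ProtectedData.Protect(
            Encoding.UTF8.GetBytes(plainText), Entropy, DataProtectionScope.LocalMachine);
        return Convert.ToBase64String(cipher);
    }

    private static string Load()
    {
        string stored = ConfigurationManager.AppSettings["SQLConnectionString"];
        if (string.IsNullOrEmpty(stored))
            throw new ConfigurationErrorsException("SQLConnectionString is missing from appSettings.");
        try
        {
            byte[] plain = ProtectedData.Unprotect(
                Convert.FromBase64String(stored), Entropy, DataProtectionScope.LocalMachine);
            return Encoding.UTF8.GetString(plain);
        }
        catch (Exception ex) when (ex is FormatException || ex is CryptographicException)
        {
            // Fail closed without echoing the stored value into logs or error pages.
            throw new ConfigurationErrorsException("SQLConnectionString could not be decrypted.", ex);
        }
    }
}
```

Because DPAPI holds the key material, no decryption key sits next to the ciphertext in web.config; the value must be re-protected on each server it is deployed to.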