Secure connection to database

[Fariba]

Hello All,

I have an asp.net application hosting in IIS 6.0 which talks to a database
in another DMZ (with firwall installed in between). I know that I can enrypt
and decrypt my connection string into web server's registry instead of plain
text in web.config ,but I was just thinking that once the app want to talk
to database ,does it send the connection string in plain text agian OR I
have to take extra steps to secure that too? Could you please guide me to a
good article explaining this?

Thanks a lot

 

[Bruce Barker]

depends on the database and what is in the connection string. some databases
(say sqlserver) can be configured to connect over ssl, or can't. also is the
username/password in the connect string?

also when you open the firewall for IIS to talk to the database, you might
only allow point to point, and pick a custom port.

-- bruce (sqlwork.com)

 

[Fariba]

Hi Bruce,

Database is sql server .Username and password is in connection string.
Could you please elaborate more on this:

also when you open the firewall for IIS to talk to the database, you might
only allow point to point, and pick a custom port.

Thanks a lot for your nice reply.

 

[Joerg Jooss]

Thus wrote Fariba,

Hello All,

I have an asp.net application hosting in IIS 6.0 which talks to a
database in another DMZ (with firwall installed in between). I know
that I can enrypt and decrypt my connection string into web server's
registry instead of plain text in web.config ,but I was just thinking
that once the app want to talk to database ,does it send the
connection string in plain text agian OR I have to take extra steps to
secure that too? Could you please guide me to a good article
explaining this?

See http://msdn.microsoft.com/practices...l=/library/en-us/dnnetsec/html/SecNetch12.asp

Cheers,