How to protect ADO.NET connection string under WindowsForms?

Guest

Hello

I am building a Windows Forms application that uses an MS Access database. I wish to
protect the Access DB password that I use in the connection string. The application will
be used by final users and customers.

I understand that a .NET Framework application is easy to decompile and to trace
its variables. So how can I hide or protect the connection string from easy
disruption and from reading of the DB password?

Thanks
MilanB
 
Cerebrus

Hi MilanB,

If you were using SQL Server, I would suggest that you check out this
article by Microsoft (you might still find something useful at the site):

http://www.governmentsecurity.org/articles/MicrosoftDatabaseSecurity.php

If you were using ASP.NET, I would suggest that you use an encrypted string
in the Web.Config file. But as for Windows Forms... ?

.... I'm not sure how to implement such security with MS Access.

P.S.: I think this is a very pertinent question, so if you don't mind, my
reply is also posted to the "microsoft.public.dotnet.security" newsgroup to
get the views of the experts who watch that group.

Regards,

Cerebrus.
 
Dinis Cruz

Ultimately, be aware that there is no way you can securely protect those
connection strings from a semi-skilled attacker who has access to the
client application.

Ultimately that string will need to be decrypted and passed to whatever
Access database driver you are using.

Even if you obfuscate your .Net code, I could easily grab those
credentials by hooking (in C++ / Assembly) the relevant methods.

Dinis Cruz
Owasp .Net Project
www.owasp.net
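
The Windows Forms counterpart of the encrypted Web.Config string mentioned above, as an added example that is not part of the original thread: it encrypts the `<connectionStrings>` section of the application's own config file with the built-in DPAPI provider. The entry name `AccessDb` and the class and method names are assumptions made for illustration. As the last reply points out, this only keeps the password out of the file on disk; it is still decrypted in the client process before it reaches the driver.

```csharp
// Added example, not from the thread. Needs a reference to System.Configuration.
using System;
using System.Configuration;
using System.Data.OleDb;

static class ConnectionStringProtection
{
    // Hypothetical name of the entry in app.config's <connectionStrings> section.
    const string EntryName = "AccessDb";

    // Encrypts the <connectionStrings> section of the running exe's config file
    // with DPAPI. Call once on the target machine, e.g. at first start.
    public static void ProtectSection()
    {
        Configuration config =
            ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
        ConfigurationSection section = config.GetSection("connectionStrings");

        // Nothing to do if the section is absent or already encrypted.
        if (section == null || section.SectionInformation.IsProtected)
            return;

        section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
        ConfigurationManager.RefreshSection("connectionStrings");
    }

    // Reading is transparent: the framework decrypts the section on access.
    // From here on the plaintext password sits in process memory and is handed
    // to the OLE DB driver, so it is not hidden from someone who controls the client.
    public static OleDbConnection Open()
    {
        ConnectionStringSettings entry =
            ConfigurationManager.ConnectionStrings[EntryName];
        if (entry == null)
            throw new ConfigurationErrorsException(
                "Missing connection string '" + EntryName + "'.");

        var connection = new OleDbConnection(entry.ConnectionString);
        connection.Open();
        return connection;
    }
}
```

`ProtectSection` rewrites the `.exe.config` file next to the executable, so the account running it needs write access to that directory. With its default settings the DPAPI provider uses a machine-wide key, so the encrypted section is tied to the machine it was protected on.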
 
