Protecting database connection strings

[Krista Lemieux]

Hello,
I know this is probably a hudge topic to discuss and
there are lots of different ways of implementation, but I
still would like to ask and hear the most commonly used
techniques for this.
Basically I have an ASP.NET application, and my
connection string currently is stored in a constant
public variable in one of my classes. The reason for that
is so that I only have one place to change the connection
string when I deploy it on a production server that uses
a different database. Now the problem with my method is
that the connection string can be potentially accessed by
an unauthorized person, which would expose the Database
information (as it contains IP, Port and UID and
password).

Do you have any suggestions on how I could protect this
connection string, but still be able to access it by my
other classes (to have a one point change), i.e.
encryption or a different method of stroing it?

Thank you for your help in advance.

Merci,
Krista Lemieux

 

[Lucas Tam]

Do you have any suggestions on how I could protect this
connection string, but still be able to access it by my
other classes (to have a one point change), i.e.
encryption or a different method of stroing it?

http://msdn.microsoft.com/msdnmag/issues/03/11/ProtectYourData/default.aspx

 

[Krista Lemieux]

Hello,

I read the mentioned article prior to posting my first
message. It does have some great suggestions, but I find
it is directed for windows apps more than web apps (or at
least not web apps hosted with shared hosting services,
where some of the features are not available, like
Windows Authentication, etc...). That's why I was
interested also in hearing about what other common
techniques are used for the web apps by other people.
Though I'd like to thank you for your reply.

Merci,
Krista Lemieux

 

[Lucas Tam]

Though I'd like to thank you for your reply.

You can use Base64 to prevent causal snooping. Or if you're more paranoid,
just apply encryption on the connection string using the built in
encryption classes.

You may also want to obfuscate your code to prevent decompilation.

 

[Angel Saenz-Badillos[MS]]

This is a very well written article, but I disagree with what it is trying
to do. I completely agree with his conclusion: "None of the existing
software technologies can guarantee absolute security." but disagree with
"pick the /../ "least worst" option". IMO A somewhat secure application is
like a somewhat pregnant girl, you are either secure or you are not.

For Winforms applications you should consider using Integrated Security and
rely on setting user permissions on the database. Yes, this does grant the
user the same database access privileges as the tool he is using. If for any
reason this is not an acceptable solution (if the application needs greater
database access than you want to grant the user) you should consider
changing to a web service model where the user cannot see the database at
all.

--
Angel Saenz-Badillos [MS] Managed Providers
This posting is provided "AS IS", with no warranties, and confers no
rights.Please do not send email directly to this alias.
This alias is for newsgroup purposes only.
I am now blogging about ADO.NET: http://weblogs.asp.net/angelsb/

 

[Peter Morris [Droopy eyes software]]

A somewhat secure application is

like a somewhat pregnant girl, you are either secure or you are not.

I don't know. I have seen some girls who are a *lot* more pregnant than
others

 

[William \(Bill\) Vaughn]

I also think this article is well written, but I think it misses an
important point (or I overlooked it). When your car key is stolen, the thief
can only get into your car--not your house unless you keep all of your keys
together. When you setup an application that accesses a database, the
credentials used should not grant blanket access to the database. That's
like giving a hotel guest the master key when they check in. If the
credentials are focused on a specific set of stored procedures or views, the
"thief" can only use those interfaces to access the data. Yes, that might be
enough to get what they want, but the potential for damage is far less than
if you use SA as the account (as all of the examples seem to use).

--
____________________________________
William (Bill) Vaughn
Author, Mentor, Consultant
Microsoft MVP
www.betav.com
Please reply only to the newsgroup so that others can benefit.
This posting is provided "AS IS" with no warranties, and confers no rights.
__________________________________

This is a very well written article, but I disagree with what it is trying
to do. I completely agree with his conclusion: "None of the existing
software technologies can guarantee absolute security." but disagree with
"pick the /../ "least worst" option". IMO A somewhat secure application is
like a somewhat pregnant girl, you are either secure or you are not.

For Winforms applications you should consider using Integrated Security and
rely on setting user permissions on the database. Yes, this does grant the
user the same database access privileges as the tool he is using. If for any
reason this is not an acceptable solution (if the application needs greater
database access than you want to grant the user) you should consider
changing to a web service model where the user cannot see the database at
all.

--
Angel Saenz-Badillos [MS] Managed Providers
This posting is provided "AS IS", with no warranties, and confers no
rights.Please do not send email directly to this alias.
This alias is for newsgroup purposes only.
I am now blogging about ADO.NET: http://weblogs.asp.net/angelsb/




http://msdn.microsoft.com/msdnmag/issues/03/11/ProtectYourData/default.aspx

 

[Angel Saenz-Badillos[MS]]

A horrible simile and I apologize for it, I can't remember where I got the
reference. It could have been a Heinlein book, he is kind of crass that way.



I truly believe that "raising the bar" is not nearly enough when you are
thinking about database applications. If you trust your user then you can
set database access for him and allow him to see the database, Integrated
Security works great in this scenario. If you don't trust your user then
letting him see the database _at all_ is an open invitation to get hacked.


--
Angel Saenz-Badillos [MS] Managed Providers
This posting is provided "AS IS", with no warranties, and confers no
rights.Please do not send email directly to this alias.
This alias is for newsgroup purposes only.
I am now blogging about ADO.NET: http://weblogs.asp.net/angelsb/

 

[William \(Bill\) Vaughn]

Yes, but consider that most hacking is done from INSIDE companies.


--
____________________________________
William (Bill) Vaughn
Author, Mentor, Consultant
Microsoft MVP
www.betav.com
Please reply only to the newsgroup so that others can benefit.
This posting is provided "AS IS" with no warranties, and confers no rights.
__________________________________

A horrible simile and I apologize for it, I can't remember where I got the
reference. It could have been a Heinlein book, he is kind of crass that way.



I truly believe that "raising the bar" is not nearly enough when you are
thinking about database applications. If you trust your user then you can
set database access for him and allow him to see the database, Integrated
Security works great in this scenario. If you don't trust your user then
letting him see the database _at all_ is an open invitation to get hacked.


--
Angel Saenz-Badillos [MS] Managed Providers
This posting is provided "AS IS", with no warranties, and confers no
rights.Please do not send email directly to this alias.
This alias is for newsgroup purposes only.
I am now blogging about ADO.NET: http://weblogs.asp.net/angelsb/

I don't know. I have seen some girls who are a *lot* more pregnant than
others

 

[Angel Saenz-Badillos[MS]]

ouch!

--
Angel Saenz-Badillos [MS] Managed Providers
This posting is provided "AS IS", with no warranties, and confers no
rights.Please do not send email directly to this alias.
This alias is for newsgroup purposes only.
I am now blogging about ADO.NET: http://weblogs.asp.net/angelsb/

Yes, but consider that most hacking is done from INSIDE companies.


--
____________________________________
William (Bill) Vaughn
Author, Mentor, Consultant
Microsoft MVP
www.betav.com
Please reply only to the newsgroup so that others can benefit.
This posting is provided "AS IS" with no warranties, and confers no rights.
__________________________________

A horrible simile and I apologize for it, I can't remember where I got the
reference. It could have been a Heinlein book, he is kind of crass that way.



I truly believe that "raising the bar" is not nearly enough when you are
thinking about database applications. If you trust your user then you can
set database access for him and allow him to see the database, Integrated
Security works great in this scenario. If you don't trust your user then
letting him see the database _at all_ is an open invitation to get hacked.


--
Angel Saenz-Badillos [MS] Managed Providers
This posting is provided "AS IS", with no warranties, and confers no
rights.Please do not send email directly to this alias.
This alias is for newsgroup purposes only.
I am now blogging about ADO.NET: http://weblogs.asp.net/angelsb/





"Peter Morris [Droopy eyes software]"

wrote in message news:[email protected]...

 

[Cor Ligthert]

Hi Bill,

Yes, but consider that most hacking is done from INSIDE companies.

That was I writting as well as answer on Angels message. (A very good
example by the way)

You know that we have in Holland another way of thinking about some things,
than in a lot of other places in the world.

Therefore every time I stuffed it afraid that it could be readed as not
intended.



Cor