3

The Entity data Model wizard says :

This connection string appears to contain sensitive data (for example, a password) that is required to connect to the database. Storing sensitive data in the connection string can be a security risk. Do you want to include this sensitive data in the connection string?

I have selected No, and I found the following generated new connection string in my Web.config:

 <add name="eMarket_DBEntities" connectionString="metadata=res://*/App_Code.EFModel.csdl|res://*/App_Code.EFModel.ssdl|res://*/App_Code.EFModel.msl;provider=System.Data.SqlClient;provider connection string=&quot;data source=.\sqlexpress;initial catalog=eMarket_DB;user id=sa;multipleactiveresultsets=True;application name=EntityFramework&quot;" providerName="System.Data.EntityClient;" />

Also in Web.config:

  <entityFramework>
<defaultConnectionFactory type="System.Data.Entity.Infrastructure.SqlConnectionFactory, EntityFramework" />

How and where is the best place to pass the password in one time to be default for EF?

Alaa Alweish
  • 8,904
  • 16
  • 57
  • 84

3 Answers3

3

There are two ways to not include password in Web.Config.

  1. Put password in IIS's host settings. IIS keeps one more host config per host, and all settings in this host config is applied before web.config. The only problem is, only administrator can modify it through IIS Management Console.

  2. Password Less connection string will use Application Pool Identity user to Login. You can create a windows user and set it as Application Pool Identity. And give read access to your site content folder as well. And add this User in SQL database and make this user db-owner. This is most safe way to host sites as each Application Pool runs in Isolation & more rights can be given per app. The only problem is, Task manager no longer display site name for worker process.

In Shared Hosting, anyone with access of control panel probably has access to everything, there is little you can do to secure it, but this is how we do it.

  1. We create separate FTP login for developers to upload code.
  2. Administrator sets up the config file and developers do not upload web.config ever. By mistake if they upload, admin will login to some console or ftp and modify web.config
  3. Developers should not be given admin access to shared hosting control panel. Setting up website along with uploading of code and editing web.config must be done by the admin.
  4. Windows Azure web sites does let you modify web.config in admin control panel.
Akash Kava
  • 39,066
  • 20
  • 121
  • 167
  • Thanks for your answer, It will be perfect if you can add a third suggestion for the poor people who have a shared hosting with no permissions to update the host config or the IIS. – Alaa Alweish Aug 03 '13 at 09:18
  • I mean as secure as possible according to the server access limitations. – Alaa Alweish Aug 03 '13 at 09:53
  • @AkashKava, Thanks for updating the answer, you says "developers do not upload web.config ever" that means the password will be stored in the Web.Config, Right? back to the first part of my question, The EF Advised not to store the password in the Web.config. Why? is there any better place inside the application range. – Alaa Alweish Aug 03 '13 at 16:02
  • Nope, there is no way to store password except in web.config, or else the other two ways I have shown you. You could try encrypting web.config. – Akash Kava Aug 03 '13 at 18:16
  • There are a lot of practical reasons why a developer should be able to modify a Web.config. Shouldn't this rule be more granular, and simply specify that a Web.config transformation be made on Release to remove any development configuration strings from the Web.config? – crush Apr 14 '14 at 18:44
1

While initializing the entity, I pass the connection string which is constructed using the same format in Web.config file:

String EntityConnectionString = String.Format("metadata=res://*/App_Code.EFModel.csdl|res://*/App_Code.EFModel.ssdl|res://*/App_Code.EFModel.msl;provider=System.Data.SqlClient;provider connection string='data source={0};initial catalog={1};persist security info=True;user id={2};password={3};multipleactiveresultsets=True;App=EntityFramework;Enlist=false'", ServerName, DatabaseName, DatabaseUserName, DatabasePassword);

    EntityContainer EntityDB = new EntityContainer(EntityConnectionString);
Adel Khayata
  • 2,717
  • 10
  • 28
  • 46
  • Thanks for your answer, Are you doing this every time you initialize the entity?, I am looking for a default secure place to pass the password. – Alaa Alweish Aug 03 '13 at 05:56
  • Yes, actually: I have made the EntityConnectionString as a property so if I need to initialize the entity in multiple places in my app, I just call the second line. – Adel Khayata Aug 03 '13 at 06:01
  • Where does DatabasePassword come from? Is it hard-coded? I'm asking because that's no more secure. String literals can easily be decompiled. – Dennis Traub Aug 03 '13 at 06:03
  • And where did you write the first line? – Alaa Alweish Aug 03 '13 at 06:04
  • @Ala, I have one general class where I store my my general properties to be accessed through my app. – Adel Khayata Aug 03 '13 at 06:10
  • @AdelKhayata, What is the definition of your `EntityContainaer`, in my case it's a partial class Inherits DbContext, this class have no such constructor. – Alaa Alweish Aug 03 '13 at 06:24
  • This class is inhereted from ObjectContext – Adel Khayata Aug 03 '13 at 07:16
  • @AdelKhayata, it seem you're using EF older than v4.1, as i know ObjectContext has been replaced with DbContext, which not having the legacy constructor to pass the connection string, i believe there is a better way to pass it in EF5 and EF6. – Alaa Alweish Aug 03 '13 at 09:33
  • Not only is it bad to hardcode the password, but it also makes it difficult to swap between a development and production database. – crush Apr 14 '14 at 18:45
  • @crush Nowhere in this example does he suggest to hard-code the password. `DatabasePassword` is a variable, not a string. It could have been populated from literally anywhere, including an encrypted password store. – Dan Bechard May 04 '16 at 15:03
1

Rather than injecting the password into the connection string in web.config, you can use the full connection string with the password but encrypt it, as discussed in this question.

Community
  • 1
  • 1
Paul Keister
  • 12,851
  • 5
  • 46
  • 75