
I have a .NET application which is hosted on a web server and an MSSQL db hosted on a different server.

As part of the security checklist, I am not supposed to mention the db credentials (connection string) in my web.config file (not in any of the files).

How do I connect to the database without having the details mentioned in my web.config?

Any help would be highly appreciated.

Thanks

  • Can you move to Azure? You could put the connection string in the role configuration. This is not then stored on a file on the server. Similar things are possible on AWS. – Mike Goodwin Oct 18 '13 at 13:54
  • keep the connection string, hash the values, that's your best bet – pedrommuller Oct 18 '13 at 17:54

3 Answers


You have a couple of options.

  1. You can use service based accounts between SQL server and your IIS application pool. That will allow Windows to handle all of the authentication without needing passwords. Stack Overflow question on this
  2. Encrypt the web.config
  3. Put the connection string in the code. Then when you create a SqlConnection or any other type of database connection use the overload to pass in a connection string. But this really isn't much better than the web.config since you can decompile the assembly and see the connection string.
Steven V
  • Encrypting the web.config gives a false sense of security. Given access to the machine it can be decrypted using the following command: aspnet_regiis -pd "connectionStrings" -app "/SampleApplication" – Shiraz Bhaiji Oct 18 '13 at 13:35
  • @ShirazBhaiji Completely agreed there. Encrypting the web.config is a way to protect the file in the event someone were to gain access to the file, but did not have physical access to the server or the keypair used to encrypt the file. That's true with any encryption. – Steven V Oct 18 '13 at 13:37
  • @ShirazBhaiji, if a user had file access to the server, they could get more than just the web.config data, like the DLLs, and use reflection to get your source code. – gunr2171 Oct 18 '13 at 13:39
  • @gunr2171, agree with you, therefore use trusted connection – Shiraz Bhaiji Oct 18 '13 at 13:44

You could store the connection string:

  • Hard coded in your code
  • In a registry key

You should have a connection string that does not contain a user name and password, but rather use trusted connection, which uses the identity of the application pool.

Shiraz Bhaiji
  • Hard coded in your code is still in a file on the server. Potentially it's less obvious than the web config, but it's still there for anyone to see if they decompile your assemblies. – Mike Goodwin Oct 18 '13 at 13:52
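Both answers above recommend a trusted (Windows-authenticated) connection so that no user name or password exists anywhere in the deployment. The following is an added example, not code from either answerer, showing what that looks like in the .NET application: the connection string is built in code with `Integrated Security`, a guard refuses to run if credentials ever creep back in, and a round trip to SQL Server confirms which Windows principal actually logged in. The server name `DBSRV01`, database `AppDb`, web server `WEBSRV01` and service account `CONTOSO\svc-mywebapp` are hypothetical. The T-SQL in the comment is the one-time setup the DBA runs so that the application pool identity has a login with only the rights it needs.

```csharp
using System;
using System.Data.SqlClient;

// Added example (not from the original page): trusted connection from an
// IIS-hosted .NET app to a SQL Server on another host.
//
// One-time setup on the SQL Server (assumed names). If the application pool
// runs as the built-in ApplicationPoolIdentity, a remote SQL Server sees the
// web server's machine account, i.e. CONTOSO\WEBSRV01$; a dedicated domain
// service account is the cleaner choice because it can be scoped per app:
//
//   CREATE LOGIN [CONTOSO\svc-mywebapp] FROM WINDOWS;
//   USE AppDb;
//   CREATE USER [CONTOSO\svc-mywebapp] FOR LOGIN [CONTOSO\svc-mywebapp];
//   ALTER ROLE db_datareader ADD MEMBER [CONTOSO\svc-mywebapp];
//   ALTER ROLE db_datawriter ADD MEMBER [CONTOSO\svc-mywebapp];
//   -- no sysadmin, no db_owner: least privilege for the app identity
//
// The equivalent web.config entry, if you prefer config over code, contains
// no secret either, so the checklist item is still satisfied:
//   <add name="AppDb" providerName="System.Data.SqlClient"
//        connectionString="Data Source=DBSRV01;Initial Catalog=AppDb;Integrated Security=SSPI;Encrypt=True" />

public static class TrustedDb
{
    // Builds the connection string in code. It carries the server and
    // database names only; authentication comes from the process identity.
    public static string BuildConnectionString(string server, string database)
    {
        var b = new SqlConnectionStringBuilder
        {
            DataSource = server,             // hypothetical: "DBSRV01"
            InitialCatalog = database,       // hypothetical: "AppDb"
            IntegratedSecurity = true,       // renders as Integrated Security=True
            Encrypt = true,                  // TLS on the wire to the remote DB host
            TrustServerCertificate = false   // actually validate the server cert
        };

        // Guard: fail closed if a later edit re-introduces credentials.
        if (!string.IsNullOrEmpty(b.UserID) || !string.IsNullOrEmpty(b.Password))
            throw new InvalidOperationException(
                "Connection string must not contain a user name or password.");

        return b.ConnectionString;
    }

    // Returns the Windows principal SQL Server authenticated. Run this once
    // from the deployed app; the result should be the service account (or
    // CONTOSO\WEBSRV01$ for ApplicationPoolIdentity), never 'sa' or a SQL login.
    public static string WhoAmI(string connectionString)
    {
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand("SELECT SUSER_SNAME();", conn))
        {
            conn.Open();
            return (string)cmd.ExecuteScalar();
        }
    }

    public static void Main()
    {
        string cs = BuildConnectionString("DBSRV01", "AppDb");
        Console.WriteLine(cs);                 // no UserID / Password present
        Console.WriteLine(WhoAmI(cs));         // e.g. CONTOSO\svc-mywebapp
    }
}
```

Two operational notes: set the application pool's identity (IIS Manager > Application Pools > Advanced Settings > Identity) to the service account before expecting `WhoAmI` to succeed, and if the web server and database server are in different untrusted domains or a workgroup, Windows authentication across hosts will not work without a trust or mirrored local accounts, which is the situation in which people fall back to SQL logins and then need a secrets store rather than web.config.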

You could try using a declarative connection string:

http://asphive.wordpress.com/2013/01/28/connection-strings-without-web-config/

Can't you encrypt the db credentials in the web config?

bombus1700