0

I've read so much about encrypting web.config file, encrypting only the db string or having a completely separate file for the db connection string.

I also know that there is enough material on the net, but i couldn't find an exact answer.

Is there a need to secure the web.config somehow of my asp.net mvc app when db and site are hosted on the same server?

If so, what is best practice? Since this is about security I do worry a bit.

SunnySonic
  • 1,318
  • 11
  • 37

1 Answers1

1

I would answer on basis what's going in my organization. It is not recommended anymore to store the db connection strings in config of appsettings.json file. Our auditors are constantly browsing through the repos to check if someone does that.

As a best practice, we put the connection string in azure keyvault. It takes care of encrypting while storing and decrypting while fetching. If you don't want to use third party solutions, you can still be fine if you take care of a few things -

  • Encrypt the password or whole connection string and keep the key only in code (not in config)
  • If your database is on same server, then you can totally disable sql server authentication and use only windows authentication. This will make it harder for someone from outside to crack.
  • One step further from step 2, try to disable TCP/IP from SSCM and use named pipes only. Then it's not possible for anyone to connect to your db from outside your machine.

There are many more things that can go wrong if you have not properly configured security in your application. If your service account is compromised, even third point can't save your db. I would suggest continue reading on this and treat this as a never ending list.

It's a trap
  • 1,333
  • 17
  • 39