database connection string...

  1. #1

    database connection string...

    I want to store a database connection (includes username & password) for my
    asp.net app, currently I have it stored in the web.config file - I know this
    is not ideal but can anyone suggest a better place or way to store it.

    Cheers

    Eath Worm Jim


    Jim Guest

  3. #2

    Re: database connection string...

    You could create a .dll and store it there. If you use a .dll you can also
    encrypt your username and password. I don't think you can do that if you
    put it in the Web.config file.. This is probably not the ideal way of
    storing a connectionstring either, but it's the best I can come up with.
    Hopefully someone else can show us a better way?

    Shawn


    "Jim" <ssss> wrote in message news:uh$yFkEpDHA.1708@TK2MSFTNGP12.phx.gbl...
    I want to store a database connection (includes username & password) for my
    asp.net app, currently I have it stored in the web.config file - I know this
    is not ideal but can anyone suggest a better place or way to store it.

    Cheers

    Eath Worm Jim



    Shawn Guest

  4. #3

    Re: database connection string...

    Why is it not ideal?

    --
    HTH,

    Kevin Spencer
    Microsoft MVP
    .Net Developer
    [url]http://www.takempis.com[/url]
    Big Things are made up of
    Lots of Little Things.

    "Jim" <ssss> wrote in message news:uh$yFkEpDHA.1708@TK2MSFTNGP12.phx.gbl...
    > I want to store a database connection (includes username & password) for my
    > asp.net app, currently I have it stored in the web.config file - I know this
    > is not ideal but can anyone suggest a better place or way to store it.
    >
    > Cheers
    >
    > Eath Worm Jim
    >
    >

    Kevin Spencer Guest

  5. #4

    Re: database connection string...

    Jim,

    The best practice for this is to use DPAPI.

    Check out
    [url]http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetHT08.asp[/url]

    -Steve

    Jim wrote:
    > I want to store a database connection (includes username & password) for my
    > asp.net app, currently I have it stored in the web.config file - I know this
    > is not ideal but can anyone suggest a better place or way to store it.
    >
    > Cheers
    >
    > Eath Worm Jim
    >
    >
    Steve Jansen Guest
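
Added example, not part of the thread or of the linked MSDN article: one way to apply the DPAPI suggestion above from C#, using the `System.Security.Cryptography.ProtectedData` wrapper (.NET Framework 2.0 and later, Windows only). The class name `ConnectionStringProtector`, the entropy value and the sample connection string are constructed for illustration.

```csharp
using System;
using System.Security.Cryptography; // ProtectedData: reference System.Security.dll
using System.Text;

// Hypothetical helper (not from the thread): DPAPI-protects a connection string
// so that only a Base64 blob, not the credentials, is written to web.config.
static class ConnectionStringProtector
{
    // Constructed per-application entropy. With LocalMachine scope any process on
    // the host can call DPAPI, so this value only separates applications from
    // each other; it is not a secret if it ships in the assembly.
    static readonly byte[] Entropy = Encoding.UTF8.GetBytes("constructed-app-entropy");

    public static string Protect(string connectionString)
    {
        byte[] plain = Encoding.UTF8.GetBytes(connectionString);
        try
        {
            // LocalMachine: the key is tied to this machine, not to a user
            // profile, so the blob is useless once copied to another host.
            byte[] blob = ProtectedData.Protect(plain, Entropy, DataProtectionScope.LocalMachine);
            return Convert.ToBase64String(blob);
        }
        finally { Array.Clear(plain, 0, plain.Length); }
    }

    // Throws CryptographicException if the blob was altered, protected with
    // different entropy, or copied from another machine.
    public static string Unprotect(string base64Blob)
    {
        byte[] plain = ProtectedData.Unprotect(
            Convert.FromBase64String(base64Blob), Entropy, DataProtectionScope.LocalMachine);
        try { return Encoding.UTF8.GetString(plain); }
        finally { Array.Clear(plain, 0, plain.Length); }
    }

    static void Main()
    {
        // Constructed sample value, not a real credential.
        string sample = "Server=db.example.internal;Database=AppDb;User Id=app_user;Password=constructed-sample;";
        string stored = Protect(sample);
        Console.WriteLine("round trip ok: " + (Unprotect(stored) == sample));
        // Failure mode: a modified blob must be rejected, never partly decrypted.
        byte[] tampered = Convert.FromBase64String(stored);
        tampered[tampered.Length - 1] ^= 0xFF;
        try { Unprotect(Convert.ToBase64String(tampered)); Console.WriteLine("tampered blob accepted"); }
        catch (CryptographicException) { Console.WriteLine("tampered blob rejected"); }
    }
}
```

The blob protects against disclosure of the config file alone; code that runs on the same host can call DPAPI and recover the value.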

  6. #5

    Re: database connection string...

    .Net has a rich set of Cryptography classes. Choose a symmetric algo like
    triple des or md5 to keep an encrypted conn string in the web.config and
    decrypt upon usage. Also note that anybody who decompiles the application dll
    which employs this decryption can see the password. So you will have to do
    one more level like obfuscation of the dll.

    "Shawn" <bossman100@hotmail.com> wrote in message
    news:uMS$NvEpDHA.2416@TK2MSFTNGP10.phx.gbl...
    > You could create a .dll and store it there. If you use a .dll you can also
    > encrypt your username and password. I don't think you can do that if you
    > put it in the Web.config file.. This is probably not the ideal way of
    > storing a connectionstring either, but it's the best I can come up with.
    > Hopefully someone else can show us a better way?
    >
    > Shawn

    Rajesh.V Guest

  7. #6

    Re: database connection string...

    If the web server is hacked and the root directory is exposed then the
    hacker will have username and password to the database.

    Is that not a scenario I should be concerned about?

    Earth Worm Jim


    "Kevin Spencer" <kevin@DIESPAMMERSDIEtakempis.com> wrote in message
    news:eYcYNaHpDHA.1672@TK2MSFTNGP09.phx.gbl...
    > Why is it not ideal?
    >
    > --
    > HTH,
    >
    > Kevin Spencer
    > Microsoft MVP
    > .Net Developer
    > [url]http://www.takempis.com[/url]
    > Big Things are made up of
    > Lots of Little Things.

    Jim Guest

  8. #7

    Re: database connection string...

    > If the web server is hacked and the root directory is exposed then the
    > hacker will have username and password to the database.
    >
    > Is that not a scenario I should be concerned about?
    If you replace "web server" with any other server entity, you will see the
    flaw in your logic. Examples:

    If the database is hacked...
    If the file system is hacked...
    If the registry is hacked...

    If anything containing data is hacked, of course, the data is compromised.
    The trick is to protect your server from hackers.

    --
    HTH,

    Kevin Spencer
    Microsoft MVP
    .Net Developer
    [url]http://www.takempis.com[/url]
    Big Things are made up of
    Lots of Little Things.

    Kevin Spencer Guest

  9. #8

    Re: database connection string...

    I agree with what you are saying ......

    BUT let's say a serious flaw is found in IIS (my preferred web server) and
    this allows the hacker access at the root of the website and they then gain
    the username & password from the web.config, they can destroy\delete data in
    the database, but whereas if the connection string is protected by
    encryption or another means and they can't decrypt the string they cannot
    gain access to the database and therefore not destroy\delete data.

    I suppose I am thinking of another level of misdirection for the hacker...

    Cheers

    Earth Worm Jim


    "Kevin Spencer" <kevin@DIESPAMMERSDIEtakempis.com> wrote in message
    news:eQ$nfrSpDHA.2808@TK2MSFTNGP10.phx.gbl...
    > > If the web server is hacked and the root directory is exposed then the
    > > hacker will have username and password to the database.
    > >
    > > Is that not a scenario I should be concerned about?
    >
    > If you replace "web server" with any other server entity, you will see the
    > flaw in your logic. Examples:
    >
    > If the database is hacked...
    > If the file system is hacked...
    > If the registry is hacked...
    >
    > If anything containing data is hacked, of course, the data is compromised.
    > The trick is to protect your server from hackers.
    >
    > --
    > HTH,
    >
    > Kevin Spencer
    > Microsoft MVP
    > .Net Developer
    > [url]http://www.takempis.com[/url]
    > Big Things are made up of
    > Lots of Little Things.

    Jim Guest

  10. #9

    Re: database connection string...

    Also
    [url]http://msdn.microsoft.com/msdnmag/issues/03/11/ProtectYourData/default.aspx[/url]
    may give you some ideas.

    Alek

    "Steve Jansen" <stj3571-nntp@y.a.h.o.o> wrote in message
    news:OYbeH2JpDHA.1084@tk2msftngp13.phx.gbl...
    > Jim,
    >
    > The best practice for this is to use DPAPI.
    >
    > Check out
    > [url]http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetHT08.asp[/url]
    >
    > -Steve

    Alek Davis Guest

  11. #10

    database connection string...

    A comprehensive discussion of this topic can be found
    here:

    [url]http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetch12.asp[/url]

    >-----Original Message-----
    >I want to store a database connection (includes username & password) for my
    >asp.net app, currently I have it stored in the web.config file - I know this
    >is not ideal but can anyone suggest a better place or way to store it.
    >
    >Cheers
    >
    >Eath Worm Jim
    >
    >
    >.
    >
    richlm Guest
