aspx thread: Connection string security
Message #1 by Jeff Fountain <jfountain@d...> on Thu, 14 Nov 2002 14:00:13 -0500
Hello folks -
Is there any way to keep the connection string to the SQL database in the
web.config secure?
Thanks in advance!
Jeff Fountain
Web/SQL Administrator
Downs Rachlin Martin PLLC
199 Main Street, P.O. Box 190
Burlington, VT 05402-0190
(802) 846 - 8304
(802) 777 - 3612
<http://www.drm.com/>
Message #2 by "Ken Schaefer" <ken@a...> on Fri, 15 Nov 2002 12:44:21 +1100
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From: "Jeff Fountain" <jfountain@d...>
Subject: [aspx] Connection string security
: Hello folks -
: Is there any way to keep the connection string to the SQL database in the
: web.config secure?
:
:
: Thanks in advance!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Define "secure". Secure against "what"?
I assume you mean "secure" against someone opening the file in Notepad, and
hence getting your password. In such a case you could use SQL Server
Integrated Security rather than SQL Server security. Here the Windows
context is used to log in to the SQL Server database rather than using an SQL
Server login.
However, anyone who can gain physical access to your web.config file would
also, presumably, have access to your website, so they could just create
more ASP.Net pages that connect to your database using your connection
string and gain access to your data...
Best practice would call for:
a) Integrated Security (so, no passwords left lying around in web.config)
b) Use Stored Procedures for doing all your database work
c) Give Execute permissions to the sprocs to the Public role (or the Windows
account specifically)
d) Don't give the Windows account any other permissions (i.e. no Datawriter,
Datareader)
This limits what the user can do in the database to what they can do anyway
via the website.
Cheers
Ken
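
An added example (not part of the thread) of the setup in points a) to d) of the reply above, written in current T-SQL and granting to the specific Windows account rather than Public. The account, server, database, table and procedure names are hypothetical, and dbo.Orders is assumed to exist already.

```sql
-- Added example; CONTOSO\WebAppSvc, DBSRV01, ShopDb, dbo.Orders and
-- dbo.GetOrdersForCustomer are hypothetical names.
-- (a) The matching web.config connection string carries no password:
--       Server=DBSRV01;Database=ShopDb;Integrated Security=SSPI;

USE master;
GO
-- Windows account the ASP.NET worker process runs as (assumption).
CREATE LOGIN [CONTOSO\WebAppSvc] FROM WINDOWS;
GO
USE ShopDb;
GO
CREATE USER WebAppSvc FOR LOGIN [CONTOSO\WebAppSvc];
GO

-- (b) All data access goes through stored procedures.
CREATE PROCEDURE dbo.GetOrdersForCustomer
    @CustomerId INT
AS
BEGIN
    SET NOCOUNT ON;
    SELECT OrderId, OrderDate, Total
    FROM dbo.Orders
    WHERE CustomerId = @CustomerId;
END;
GO

-- (c) EXECUTE on the procedure only, for this one account.
GRANT EXECUTE ON OBJECT::dbo.GetOrdersForCustomer TO WebAppSvc;
GO

-- (d) Audit: list any database roles the account belongs to
--     (db_datareader / db_datawriter should not appear).
SELECT r.name AS role_name
FROM sys.database_role_members AS m
JOIN sys.database_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals AS u ON u.principal_id = m.member_principal_id
WHERE u.name = 'WebAppSvc';

-- Audit: list the permissions granted directly to the account.
SELECT permission_name, state_desc, OBJECT_NAME(major_id) AS object_name
FROM sys.database_permissions
WHERE grantee_principal_id = DATABASE_PRINCIPAL_ID('WebAppSvc');

-- Check from the account's own context: the procedure runs through
-- ownership chaining, while the direct table read is refused.
EXECUTE AS USER = 'WebAppSvc';
EXEC dbo.GetOrdersForCustomer @CustomerId = 1;
SELECT * FROM dbo.Orders;
REVERT;
```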