Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Best Practice for Connecting ASP.NET to SQL Server

Tags:

c#

.net

security

sql-server

asp.net

We have an ASP.NET 4.0 Web application that connects to a SQL Server on a separate machine across a LAN. I use a ConnectionString (with SQL Server authentication) stored in my Web.config to do this. Basically, it's a fairly traditional Web-Server-to-SQL strategy.

However, one of our clients is arguing that this strategy is not secure. This client says that we should only connect to the SQL Server through a separate Web Services layer.

I really don't want to rewrite this app just to satisfy this client. What should I tell him? Does any one know how I might best refute this?

Thanks in advance...

like image 969
Ash8087 Avatar asked Apr 26 '12 18:04

Ash8087

People also ask

Can ASP.NET connect to SQL Server?

ASP.Net can work with databases such as Oracle and Microsoft SQL Server. ASP.Net has all the commands which are required to work with databases. This involves establishing a connection to the database.

Which package is required to connect ASP.NET with SQL?

Connect SQL Server to Your ASP.NET Core 2.2 MVC Application. Before anything else, you'll need the Entity Framework Core NuGet package. To install it, run the following command in the terminal. Start by adding the connection string to your appsettings.

Does Visual Studio connect to SQL Server?

Visual Studio Code is a graphical code editor for Linux, macOS, and Windows. It supports extensions, including the mssql extension for querying a SQL Server instance, Azure SQL Database, an Azure SQL Managed Instance, and a database in Azure Synapse Analytics.

Video Answer

1 Answers

Security is always a trade-off. What is the client really afraid of?

Having database credential "in the clear"? I have seen auditors point this out as a potential vulnerability, but really, if someone has compromised your web server they can run arbitrary code against the database, so encrypting database credentials doesn't really buy you much.

Your web app should be using a minimal-rights user to connect to the database, so compromising the web server should only give you the rights to read & update data. How would that change if everything went through a web services layer? Again, there is a very real cost - in complexity, and in performance - by going to a web services layer. Only the client can answer whether or not that cost is worth it.

like image 115
chris Avatar answered Sep 23 '22 05:09

chris
Sign in to Comment

Related questions

Show another form adjacent to the one its spawned from C#
How to read a Stream and reset its position to zero even if stream.CanSeek == false
Difference between OfType<>() and checking type in Where() extension
How to cancel GetConsumingEnumerable() on BlockingCollection
Should data classes be reused across layers and applications or mapped into layer specific classes?
Why does the returned DataTable has readonly columns in FileHelpers
Configure WPF client to run 64bit
How to determine if a key is a letter or number?
Event for Select All: WPF Datagrid
What is the right way of getting my WinForms application's name?
How can you update a Linq Expression with additional parameters?
How do we call a virtual method from another method in the base class even when the current instance is of a derived-class?
IQueryable<a> to ObservableCollection<a> where a = anonymous type
TextBox maximum amount of characters (it's not MaxLength)
Why is ToArray() used when using string.Join with a List<string>?
Cast base instance to derived class (downcast) in C#
WPF - Group Styles: Can we only bind to the "Name" property?
Conditional Formatting in Excel with C#
How to register a new List<IChecker> to Autofac ContainerBuilder
Is there a better way to return the next item in a list and loop from the end to the front?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!