 

Best Practice for Connecting ASP.NET to SQL Server

We have an ASP.NET 4.0 Web application that connects to a SQL Server on a separate machine across a LAN. I use a ConnectionString (with SQL Server authentication) stored in my Web.config to do this. Basically, it's a fairly traditional Web-Server-to-SQL strategy.

However, one of our clients is arguing that this strategy is not secure. This client says that we should only connect to the SQL Server through a separate Web Services layer.

I really don't want to rewrite this app just to satisfy this client. What should I tell him? Does anyone know how I might best refute this?

Thanks in advance...

Ash8087 asked Apr 26 '12 18:04




1 Answer

Security is always a trade-off. What is the client really afraid of?

Having database credentials "in the clear"? I have seen auditors point this out as a potential vulnerability, but really, if someone has compromised your web server they can run arbitrary code against the database, so encrypting database credentials doesn't really buy you much.

Your web app should be using a minimal-rights user to connect to the database, so compromising the web server should only give you the rights to read & update data. How would that change if everything went through a web services layer? Again, there is a very real cost - in complexity, and in performance - by going to a web services layer. Only the client can answer whether or not that cost is worth it.

chris answered Sep 23 '22 05:09
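As an added illustration of the minimal-rights database user the answer recommends (this is not code from the question or the answer), the T-SQL below creates a login that only the web application uses, grants it nothing beyond SELECT and UPDATE on one schema, and then checks the effective permissions from that user's point of view. The database, login, user, role and table names and the password are placeholders.

```sql
-- Added example: a least-privilege SQL Server principal for the ASP.NET app.
-- WebAppDb, webapp_login, webapp_user, webapp_rw, dbo.Orders and the
-- password are placeholders; substitute your own values.
USE master;
GO
CREATE LOGIN webapp_login
    WITH PASSWORD = '<replace-with-a-long-random-password>',
         CHECK_POLICY = ON,
         DEFAULT_DATABASE = WebAppDb;
GO
USE WebAppDb;
GO
-- Map the login to a database user that owns no objects.
CREATE USER webapp_user FOR LOGIN webapp_login WITH DEFAULT_SCHEMA = dbo;
GO
-- A role carrying only the rights the application needs: read and update
-- rows in the dbo schema. No INSERT, DELETE, ALTER, EXECUTE or CONTROL.
CREATE ROLE webapp_rw;
GRANT SELECT, UPDATE ON SCHEMA::dbo TO webapp_rw;
ALTER ROLE webapp_rw ADD MEMBER webapp_user;
GO
-- Verify as the application would see it: impersonate the user, list its
-- effective permissions on one table, then revert to the admin context.
EXECUTE AS USER = 'webapp_user';
SELECT permission_name
FROM fn_my_permissions('dbo.Orders', 'OBJECT')
ORDER BY permission_name;
-- Expected: only SELECT and UPDATE (object- and column-level rows).
REVERT;
GO
-- The Web.config connectionString then uses User ID=webapp_login, so a
-- compromised web server is limited to reading and updating data.
```

Re-run the impersonated check after any schema or permission change so that a later GRANT does not quietly widen the application's rights beyond read and update.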