How can a database username and password be stored securely in a web.config file when using Entity Framework

When using Entity Framework to access a database on a non-local server how should I be specifying the username and password parameters in the connection string (which is stored in the web.config file)?

I've read in a C# step by step guide (2010 edition, by John Sharp) to never hard code them into your application due to potential reverse engineering or if someone gets hold of the source code. So I would like to know the conventional best practice for doing so.

BenM asked Sep 17 '13 12:09


4 Answers

Hard coding the user and password is bad for 3 reasons:

  • it gives you a false impression of security, because when you look at a binary file with a text editor you don't understand anything but in fact it's a piece of cake to disassemble a .NET assembly
  • it forces all software developers to be allowed to know the user and password
  • it implies that a change of the user/password pair requires a new deploy which also includes the recompiling of the application

There is no magic solution to this problem and security in this case is only as good as the discipline and good will of the people in charge of the security.

In my company, it goes something like this:

  • software developers don't have access to the production database, and most certainly they don't know the user and password
  • software administrators have the username and password and they merge the web.config coming from the development department with their own secrets when deploying the application on the production machines
  • no other person has access to the production machines apart from the software administrators

Encrypting the user and password in the web.config can only help you so much. Eventually you'll have to hard code the encryption key, in clear form, in your application and that takes us back to the disassembling problem.

In my opinion, a very good solution would be a combination of what's going on in my company and encryption with a clear key and obfuscation.

The general idea is:

  • take what I said about the application administrator guys
  • modify one minor detail: they don't know the clear username and password, they know an encrypted form
  • only the dev guys have the key to decrypt the encrypted username and password and they use that at runtime
  • the dev guys should obfuscate their assemblies so that it's not worth it for anyone to try to reverse engineer the binaries, find out the clear key, somehow ask the application administrators what the encrypted username and password is (while drinking beer in a work outing) and then put everything together

That means that someone (maybe the owner of the company or some other head) needs to use a "greasemonkey" app to encrypt usernames and passwords and give the resulting encryptions to the application administrators.

Don't forget there are also the db administrators which initially gave the owner an initial pair of credentials. The owner needs to change the password and then do everything I laid out.

In conclusion, there are many solutions, some wackier than others. It's not all in the tools and code but also in the discipline.

Eduard Dumitru answered Sep 25 '22 21:09


You can encrypt sections of your web.config. See this walkthrough on MSDN: http://msdn.microsoft.com/library/dtkwfdky.aspx. It's pretty simple to follow.

Eli Gassert answered Sep 22 '22 21:09


You can encrypt a particular section of a web.config file easily using the method shown in this document: Encrypting and Decrypting Configuration Sections

It is transparent for your application code and the encrypted section is useless outside the machine it was encrypted on.

Bredstik answered Sep 24 '22 21:09


You can try the following code (it needs `using System.Configuration;` and `using System.Web.Configuration;`):

    // Open the application's own web.config and fetch its <connectionStrings> section
    Configuration config = WebConfigurationManager.OpenWebConfiguration("~");
    ConnectionStringsSection oSection = (ConnectionStringsSection)config.GetSection("connectionStrings");
    if (!oSection.SectionInformation.IsLocked && !oSection.SectionInformation.IsProtected)
    {
        // Encrypt the section in place with the RSA provider and write it back to disk
        oSection.SectionInformation.ProtectSection("RSAProtectedConfigurationProvider");
        oSection.CurrentConfiguration.Save();
    }

EDIT:

You can get more information on protected configuration from this MSDN link: http://msdn.microsoft.com/en-us/library/53tyfkaw.aspx

Rajesh Subramanian answered Sep 24 '22 21:09
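The protected-configuration approach described in the three answers above, as an added example that is not code from any of the answers: it encrypts the `<connectionStrings>` section of a web.config, checks on the raw file that the secret is really gone, and shows that the application reads the decrypted value without any code change. It assumes a .NET Framework console project referencing System.Configuration; the config path, the connection string name "Default" and the "Password=" fragment are placeholders I chose, not values from the question.

```csharp
// Added example, not from the answers above. Protects the <connectionStrings> section of a
// web.config with .NET Protected Configuration, confirms the secret is no longer in clear text
// on disk, and shows that application code reads it unchanged.
// Assumptions (mine, not the page's): a .NET Framework console project referencing
// System.Configuration; the config path and the "Default" connection string name are placeholders.
using System;
using System.Configuration;
using System.IO;

public static class ConfigProtector
{
    // DPAPI provider: machine-bound, simplest for a single server. The encrypted file is
    // useless on another machine, which is the caveat one of the answers points out.
    public const string DpapiProvider = "DataProtectionConfigurationProvider";

    // RSA provider: uses an RSA key container that an administrator can export and import
    // on every node of a web farm, so the same encrypted web.config works on all of them.
    public const string RsaProvider = "RSAProtectedConfigurationProvider";

    // Open a config file by physical path (works for web.config too). Inside a running
    // ASP.NET application you would use WebConfigurationManager.OpenWebConfiguration("~").
    static Configuration Open(string configPath)
    {
        var map = new ExeConfigurationFileMap { ExeConfigFilename = configPath };
        return ConfigurationManager.OpenMappedExeConfiguration(map, ConfigurationUserLevel.None);
    }

    static ConnectionStringsSection Section(Configuration config)
    {
        return (ConnectionStringsSection)config.GetSection("connectionStrings");
    }

    public static bool IsProtected(string configPath)
    {
        return Section(Open(configPath)).SectionInformation.IsProtected;
    }

    // Encrypts the section in place. A no-op if it is already encrypted; refuses if a parent
    // configuration (for example machine.config) has locked the section.
    public static void Protect(string configPath, string providerName)
    {
        var config = Open(configPath);
        var section = Section(config);
        if (section.SectionInformation.IsLocked)
            throw new InvalidOperationException("connectionStrings is locked by a parent configuration.");
        if (section.SectionInformation.IsProtected)
            return;
        section.SectionInformation.ProtectSection(providerName);
        config.Save(ConfigurationSaveMode.Modified);
    }

    // Reverses Protect, for example before handing the file to a different administrator.
    public static void Unprotect(string configPath)
    {
        var config = Open(configPath);
        var section = Section(config);
        if (!section.SectionInformation.IsProtected)
            return;
        section.SectionInformation.UnprotectSection();
        config.Save(ConfigurationSaveMode.Modified);
    }

    // Runtime view: GetSection decrypts transparently, so the application gets the clear
    // connection string even though the file on disk holds only <EncryptedData>.
    public static string ReadConnectionString(string configPath, string name)
    {
        var settings = Section(Open(configPath)).ConnectionStrings[name];
        return settings == null ? null : settings.ConnectionString;
    }

    // Check on the raw file: after Protect, the secret fragment must be absent and an
    // <EncryptedData> element must be present. Returns true if either condition fails.
    public static bool CleartextOnDisk(string configPath, string secretFragment)
    {
        string xml = File.ReadAllText(configPath);
        return xml.Contains(secretFragment) || !xml.Contains("<EncryptedData");
    }

    public static void Main(string[] args)
    {
        // Placeholder path and name; pass the deployed app's web.config as the first argument.
        string path = args.Length > 0 ? args[0] : @"C:\inetpub\wwwroot\MyApp\web.config";
        string name = args.Length > 1 ? args[1] : "Default";

        Protect(path, DpapiProvider);
        Console.WriteLine("section protected: " + IsProtected(path));
        Console.WriteLine("application still reads: " + ReadConnectionString(path, name));

        // Check for the key name only; never write the real password into logs.
        Console.WriteLine("cleartext still on disk: " + CleartextOnDisk(path, "Password="));
    }
}
```

Pick the provider deliberately: `DataProtectionConfigurationProvider` ties the file to the machine that encrypted it, which is exactly what Bredstik's answer describes, while `RSAProtectedConfigurationProvider` (the one in Rajesh's snippet) lets an administrator move the key container between servers, at the cost of having to manage and restrict access to that container. Either way the account the application pool runs under must be able to use the key, and the people who hold the key are the people who can read the connection string, so the organisational split Eduard describes still applies.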