 

Persist Security Info in .Net 4

You use Microsoft Visual Studio 2010 and Microsoft .NET Framework 4 to create an application. The application connects to a Microsoft SQL Server 2008 database. The application uses a Microsoft ADO.NET SQL Server managed provider. When a connection fails, the application logs connection information, including the full connection string. The information is stored as plain text in a .config file.

You need to ensure that the database credentials are secure.

Which connection string should you add to the .config file?

A. Data Source=myServerAddress; Initial Catalog=myDataBase; Integrated Security=SSPI; Persist Security Info=false;

B. Data Source=myServerAddress; Initial Catalog=myDataBase; Integrated Security=SSPI; Persist Security Info=true;

C. Data Source=myServerAddress; Initial Catalog=myDataBase; User Id = myUsername; Password = myPassword; Persist Security Info=false;

D. Data Source=myServerAddress; Initial Catalog=myDataBase; User Id = myUsername; Password = myPassword; Persist Security Info=true;

According to the guide, the answer is 'A'. But in my opinion, the answer is 'C'. If we are using Integrated Security = SSPI, we don't need to supply UserID and Password. So, Persist Security Info=false has no effect.

As far as I know, Persist Security Info only takes effect if the connection string has User Credentials.

Could you please advise me which one is correct? Thanks.

TTCG asked Nov 09 '12 10:11


People also ask

What does persist security info do?

Setting Persist Security Info to true or yes allows security-sensitive information, including the user ID and password, to be obtained from a connection after it has been opened.

How do you secure your connection string information in asp net?

The best way to secure the database connection string is to encrypt the value within the configuration file. The application would then load the encrypted value from the config file, decrypt the value, and then use the decrypted value as the connection string to connect to the database.

Where should you store the connection string information?

Connection strings can be stored as key/value pairs in the connectionStrings section of the configuration element of an application configuration file.

What is Trusted_connection true?

NO - trusted_connection=true means Windows Authentication and Windows Authentication requires trusted_Connection=true. If you specify "trusted_connection=True" ==> you have Windows Authentication; if you don't specify it, you don't have Windows Authentication. – marc_s.


1 Answer

You are right. Persist Security Info=false has an effect only if a user name and password are provided in the connection string. But the question is "What should you store in the .config file", and considering that "information is stored as plain text", you should not store UID and PWD in the config file. If you store C, PWD and UID can be extracted from the .config file. But if you store A, there are no credentials to extract.

I'm not sure why A has "Persist Security Info=false", but it looks like it is a good practice. See the MSDN examples:

  • http://msdn.microsoft.com/en-us/library/system.data.sqlclient.sqlconnection.connectionstring(v=vs.71).aspx
  • http://msdn.microsoft.com/en-us/library/ff647552.aspx
dside answered Sep 28 '22 07:09
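
An added example, not part of the original question or answer: one way to handle the logging scenario from the question, using SqlConnectionStringBuilder to check each of the four options for embedded credentials and to strip them before a connection string is written to a log. The class and method names are hypothetical.

```csharp
using System;
using System.Data.SqlClient;

static class ConnectionStringAudit   // hypothetical name, for illustration
{
    // The four options from the question, copied as written.
    static readonly string[] Options =
    {
        "Data Source=myServerAddress; Initial Catalog=myDataBase; Integrated Security=SSPI; Persist Security Info=false;",
        "Data Source=myServerAddress; Initial Catalog=myDataBase; Integrated Security=SSPI; Persist Security Info=true;",
        "Data Source=myServerAddress; Initial Catalog=myDataBase; User Id = myUsername; Password = myPassword; Persist Security Info=false;",
        "Data Source=myServerAddress; Initial Catalog=myDataBase; User Id = myUsername; Password = myPassword; Persist Security Info=true;"
    };

    // Returns a copy of the connection string with the credential
    // keywords removed, so it can be written to a log on failure.
    static string RedactForLog(string connectionString)
    {
        var builder = new SqlConnectionStringBuilder(connectionString);
        builder.Remove("Password");
        builder.Remove("User ID");
        return builder.ConnectionString;
    }

    static void Main()
    {
        for (int i = 0; i < Options.Length; i++)
        {
            var builder = new SqlConnectionStringBuilder(Options[i]);

            // A non-empty Password means the .config file itself holds a
            // plain-text credential, whatever Persist Security Info says.
            bool storesPassword = !string.IsNullOrEmpty(builder.Password);

            Console.WriteLine(
                "{0}: password in config = {1}, integrated security = {2}, persist security info = {3}",
                (char)('A' + i), storesPassword,
                builder.IntegratedSecurity, builder.PersistSecurityInfo);
            Console.WriteLine("   safe to log: {0}", RedactForLog(Options[i]));
        }
    }
}
```

Persist Security Info only controls what can be read back from a connection after it has been opened; it does not change what is stored in the .config file, which is why the check above looks at the Password keyword directly.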