Menu
The application my team is currently developing has a DLL that is used to perform all database access. The application can not use a trusted connection because the database is behind a firewall and the domain server is not. So it appears that the connection string needs to have a DB username and password. The DLL currently has the database connection string hard coded, but I don't want to do this when we launch as the assembly can be disassembled and the username and password would be right there in the open.
One of the requirements is that the password needs to be changed once every few months, so we would need to roll that out to our internal user base.
Is there a way to store the password encrypted in such a way we can easily distribute to the entire user base without storing it in the assembly?
UPDATE: Thanks to everyone who's answered. I'll try to answer some of the questions back to me... The data DLL is used by both ASP.NET WebForms and VB.NET WinForms. I understand that Applications can have their own config files, but I haven't seen anything on config files for DLLs. Unfortunately, I can't get to the Jon Galloway post at work so I can't judge if that will work. From a development standpoint, we don't want to use web services inhouse, but may be providing them to third parties sometime next year. I don't think impersonation will work because we can't authenticate the user through the firewall. As a user (or former user) can be an attacker, we're keeping it from everyone!
669
The best way to secure the database connection string is to encrypt the value within the configuration file. The application would then load the encrypted value from the config file, decrypt the value, and then use the decrypted value as the connection string to connect to the database.
config based connectionstring as seems is unsafe, because one can read it. But think about it, if a person can read your web. config, means he can edit any file on your server anyways as he probably already hack or gain access to file.
By default, Sitefinity CMS stores the connection string to the database in the DataConfig. config file, located in folder ~/App_Data/Sitefinity/Configuration/. You can move the connection string to the web.
ASP.NET Core Connection String is mainly used to connect to the database, which can be stored in the appsetting. json.
I'm not certain, but I believe you can put it in a config file and encrypt the config file.
Update: See Jon Galloway's post here.
100
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
