ConnectionStrings in ASP.NET 2.0?

The connection strings now have a ConnectionStrings section in the web.config.

However, the main flaw of this method is that if you put the password in the connection string, it can be read by any text editor that might have access to the root directory.

Is there a method in place now that these strings can be encrypted or still accessible from the web.config but hidden and be used from ASP.NET application?

And who's gonna have access to that folder?
<sstran***@gmail.com> wrote in message news:1134773820.245932.83910@g14g2000cwa.googlegroups.com...
> The connection strings now have a ConnectionStrings section in the
> web.config.
>
> However, the main flaw of this method is that if you put the password
> in the connection string, it can be read by any text editor that
> might have access to the root directory.
>
> Is there a method in place now that these strings can be encrypted or
> still accessible from the web.config but hidden and be used from
> ASP.NET application?

That's exactly my point... to keep passwords out of the hands of people that might find some way of getting access to that folder.

Question again:
If the app is on a webserver, WHO has access to the server (through NETBIOS I mean)
A common mistake is that HTTP users can read the connectionstring somehow.
That's impossible unless ASP.NET support drops (crashes) for some reason.

<sstran***@gmail.com> wrote in message news:1134777406.660019.63010@o13g2000cwo.googlegroups.com...
> That's exactly my point... to keep passwords out of the hands of people
> that might find some way of getting access to that folder.

> If the app is on a webserver, WHO has access to the server (through
> NETBIOS I mean)

Do you mean over the LAN or on the same Domain? That would be determined by local file system and domain permissions. Anyone on the same Domain or LAN who has local file system or domain permission to access the file would be able to read it.

--
HTH,

Kevin Spencer
Microsoft MVP
.Net Developer
You can lead a fish to a bicycle, but it takes a very long time, and the bicycle has to *want* to change.

"Edwin Knoppert" <i***@pbsoft.speedlinq.nl> wrote in message news:do16pa$smv$1@azure.qinip.net...
> Question again:
> If the app is on a webserver, WHO has access to the server (through
> NETBIOS I mean)
> A common mistake is that HTTP users can read the connectionstring somehow.
> That's impossible unless ASP.NET support drops (crashes) for some reason.
>
> <sstran***@gmail.com> wrote in message
> news:1134777406.660019.63010@o13g2000cwo.googlegroups.com...
>> That's exactly my point... to keep passwords out of the hands of people
>> that might find some way of getting access to that folder.

You're right.

But, even if someone does have domain rights to the web.config doesn't mean that they should have the connection string information -- thus, it being encrypted for that reason.

Thinking about this, if someone who is hostile (read, would use the connection string maliciously) has rights to the directory the web.config is in and can actually open up that file in a text editor, you have bigger security problems at hand to worry about than whether or not they can get a connection string. This would immediately indicate your security is in the basement and you need to hire new sysadmins. These hostile parties would pretty much own your site.

This rates with the older question "Is it safe to put a connection string in the global.asa under ASP Classic?" If someone can actually get into the directory structure to get that connection string out, they probably already own my machine, they are in as an admin, and they can get into my database (whether it's on a remote machine or local).

Strict security practices and ensuring they are adhered to religiously is your best protection.

Of course, I could be wrong, but that's just my two cents worth.

DJ

"sstran***@gmail.com" wrote:
> You're right.
>
> But, even if someone does have domain rights to the web.config doesn't
> mean that they should have the connection string information -- thus, it
> being encrypted for that reason.

Yes, there are methods in place to encrypt sections of the web.config file, including <connectionStrings>.

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/paght000005.asp

OR

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/paght000005.asp

Both use the aspnet_regiis.exe command-line utility included with the .NET Framework Runtime.

Joshua Flanagan
http://flimflan.com/blog
"Joshua Flanagan" <j***@msnews.com> wrote in message news:uvT55tqAGHA.504@TK2MSFTNGP12.phx.gbl...
> Yes, there are methods in place to encrypt sections of the web.config
> file, including <connectionStrings>.
>
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/paght000005.asp
>
> OR
>
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/paght000005.asp
>
> Both use the aspnet_regiis.exe command-line utility included with the .NET
> Framework Runtime.

Yes indeed, but both methods assume that you have read access to the web server's local registry - if this is a public website hosted with a public ISP, you'd be very lucky to have this....

Also, both methods assume that you have *WRITE* access to the web server's local registry to create the encrypted registry key(s) in the first place - in the above scenario, I'd be totally amazed if you have this.
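Added example, not part of the original thread: a Python check that reports whether a web.config's <connectionStrings> section still holds a plaintext password or has been replaced by an encrypted section of the kind protected configuration (the aspnet_regiis.exe route mentioned above) writes. The function names and both sample files are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SECRET_KEYS = {"password", "pwd"}  # keywords that carry a plaintext secret

def local(tag):
    """Strip an XML namespace, e.g. '{ns}EncryptedData' -> 'EncryptedData'."""
    return tag.rsplit("}", 1)[-1]

def parse_connection_string(cs):
    """Split 'k=v;k=v' into a dict with lower-cased keys (quoted values
    containing ';' are not handled; enough for an audit pass)."""
    pairs = {}
    for part in cs.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            pairs[key.strip().lower()] = value.strip()
    return pairs

def audit_web_config(xml_text):
    """Return (status, details) for the <connectionStrings> section."""
    root = ET.fromstring(xml_text)
    section = next((e for e in root if local(e.tag) == "connectionStrings"), None)
    if section is None:
        return "absent", []
    # An encrypted section names its provider and holds only <EncryptedData>.
    provider = section.get("configProtectionProvider")
    if provider and any(local(e.tag) == "EncryptedData" for e in section):
        return "encrypted", [provider]
    exposed = [add.get("name") for add in section
               if local(add.tag) == "add"
               and SECRET_KEYS.intersection(
                   parse_connection_string(add.get("connectionString", "")))]
    return ("plaintext-secret" if exposed else "plaintext-no-secret"), exposed

# Constructed sample files (not taken from the thread).
PLAINTEXT = """<configuration>
  <connectionStrings>
    <add name="AppDb" connectionString="Server=db01;Database=App;User ID=web;Password=EXAMPLE-ONLY" />
    <add name="Reports" connectionString="Server=db01;Database=Rpt;Integrated Security=SSPI" />
  </connectionStrings>
</configuration>"""

ENCRYPTED = """<configuration>
  <connectionStrings configProtectionProvider="DataProtectionConfigurationProvider">
    <EncryptedData>
      <CipherData><CipherValue>PLACEHOLDER</CipherValue></CipherData>
    </EncryptedData>
  </connectionStrings>
</configuration>"""

if __name__ == "__main__":
    for label, doc in (("plaintext", PLAINTEXT), ("encrypted", ENCRYPTED)):
        print(label, audit_web_config(doc))
```

The "Reports" entry is not flagged because Integrated Security puts no password in the file, which is the other way to keep the secret out of web.config.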