RE: SQL connection string security

From: Eli Allen (eallen@mail.bcpl.lib.md.us)
Date: 01/11/02


From: "Eli Allen" <eallen@mail.bcpl.lib.md.us>
To: "Keith T. Morgan" <keith.morgan@terradon.com>
Date: Thu, 10 Jan 2002 18:02:07 -0500

There is a scriptable COM object that can read from the registry, which is
how WSH can read it. So it looks like that approach is the same as my first
idea, just using the registry as the storage place.

--
Eli Allen
eallen@bcpl.net

> -----Original Message-----

> We've had a basic premise for storage of connection strings, ODBC
> DSN passwords and the like. If we are not using Windows-based
> authentication (most times we do not, as it's not very portable
> between database back-ends) we will almost always store the
> connection strings in the system registry. We'll then build a
> COM object to read the registry keys and obtain the connection
> strings. This keeps that information out of the readable
> file-system. For an attacker to gain access to the key, they
> would have to, basically, completely compromise the host
> webserver. We use appropriate permissions on both the registry
> keys themselves (along with the obscurity of an attacker having
> to locate them), and the COM objects that are capable of reading
> them. So, this means either gaining the system account
> permissions, administrative permissions, or the permissions of
> the web-server's executive account is required to gain access to
> the connection string. If any of the above three things happens,
> it's pretty much game-over anyway.
>
> > -----Original Message-----
> >
> > With the importance of not letting the connection string used to connect to
> > a DB out (i.e. not putting the connection string in the source file) I had
> > two basic ideas on how to do that:
> >
> > http://www.wam.umd.edu/~eallen/sqlconnstr.html
> >
> > __
> > Eli Allen
> > eallen@bcpl.net
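
The registry storage described in the quoted message, as an added example that is not code from either poster: PowerShell that creates a key for the connection string, restricts its ACL to Administrators, SYSTEM and the web application's account, and reports any other identity that can still read it. The key path `HKLM:\SOFTWARE\ExampleApp\Db`, the value name `ConnectionString` and the account `IIS APPPOOL\ExampleAppPool` are assumed placeholders; run it from an elevated prompt.

```powershell
# Placeholders constructed for this example (assumptions, not from the thread).
$KeyPath = 'HKLM:\SOFTWARE\ExampleApp\Db'
$AppAcct = 'IIS APPPOOL\ExampleAppPool'   # account the web app runs as; must exist
$Admins  = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM'

function Set-ConnStringKeyAcl {
    param([string]$Path, [string]$ReaderAccount, [string[]]$FullControlAccounts)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    $acl = Get-Acl -Path $Path
    # Stop inheriting from the parent key and discard the inherited entries,
    # so broad grants on the parent (e.g. read access for Users) no longer apply.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }
    foreach ($id in $FullControlAccounts) {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule(
            $id, 'FullControl', 'ContainerInherit', 'None', 'Allow')))
    }
    # The web application only needs to read the value, never to change it.
    $acl.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule(
        $ReaderAccount, 'ReadKey', 'ContainerInherit', 'None', 'Allow')))
    Set-Acl -Path $Path -AclObject $acl
}

function Get-UnexpectedReader {
    param([string]$Path, [string[]]$Expected)
    $query = [System.Security.AccessControl.RegistryRights]::QueryValues
    # Allow entries that let an identity outside $Expected read values under the key.
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.RegistryRights -band $query) -and
        ($Expected -notcontains $_.IdentityReference.Value)
    } | Select-Object IdentityReference, RegistryRights, IsInherited
}

Set-ConnStringKeyAcl -Path $KeyPath -ReaderAccount $AppAcct -FullControlAccounts $Admins
# Constructed connection string; the password is a placeholder.
New-ItemProperty -Path $KeyPath -Name 'ConnectionString' -PropertyType String -Force `
    -Value 'Server=db.example.internal;Database=app;User Id=app_user;Password=<placeholder>' |
    Out-Null

$extra = Get-UnexpectedReader -Path $KeyPath -Expected ($Admins + $AppAcct)
if ($extra) { $extra | Format-Table -AutoSize } else { 'Only the expected identities can read the key.' }
```

This covers only the key's ACL; the COM object that reads the key needs its own permissions reviewed separately, as the quoted message notes.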


