Re: Looking for ASP.NET/SQL Server 2000 App Security Recommendations
From: Jeff Smith (jdsmith_nospam_99@hotmail.com)
Date: 08/29/02
From: "Jeff Smith" <jdsmith_nospam_99@hotmail.com> Date: Thu, 29 Aug 2002 16:27:58 -0500
Kenneth,
A few ideas:
- Store the connection string in the Local Security Authority (LSA - which
is where most sensitive/secure information is stored by Windows). You can
write a separate application to access the connection string and update it.
- If you want to externalize the info, encrypt with a certificate or a key
pair, store the encrypted string in a file or the registry, and load the
cert/key pair into a Windows account's certificate store/key container. When
you need the connection string, retrieve from the LSA -or- retrieve the
encrypted file and decrypt using the cert/key pair. If you periodically need
to change the key pair or cert, write an application that will reload the
cert or key pair into the account's store.
If you go the LSA route, you'll have to use the Windows APIs (check out the
Platform SDK documentation for more info). There's no API in the .NET
Framework for doing so. Someone may have wrapped it, too.
Jeff
"Kenneth Courville" <kcourville@yahoo.com> wrote in message
news:OHdiqt2TCHA.1240@tkmsftngp12...
I am working on an active directory user management app with an ASP.NET
interface. User account requests are stored in a SQL Server 2000 store,
where they are later processed by a windows service that is more
capable of making the required Active Directory changes.
What I'm trying to figure out now is the best way to secure the
connection between the ASP.NET interface and the data store.
The application already has forms authentication and role-based security
implemented. We have the SQL Server set up as mixed mode security. IIS
allows anonymous connections.
I guess the main question that I'm trying to answer is how should the
connection string information be stored for and accessed by the
application? I know that I don't want to hard code this information.
Any other experiences and insight that you're willing to throw at me for
this particular situation would be appreciated as well.
----------------------------------------
http://members.tripod.com/kcourville0/
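
The key-pair option from the reply above, sketched as an added example (not code from either poster): the connection string is encrypted with an RSA key pair that lives in a named key container of the account running the code, and only the ciphertext is written to a file. The container name, file path and sample connection string are hypothetical values made up for this illustration.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

static class ConnStringVault
{
    // Hypothetical names chosen for this example.
    const string ContainerName = "ExampleAppConnStringKey";
    const string BlobPath = "connstring.bin";

    // Opens the RSA key pair held in the named key container of the account
    // running this code; the CSP generates and persists one on first use.
    static RSACryptoServiceProvider OpenKey()
    {
        var csp = new CspParameters { KeyContainerName = ContainerName };
        return new RSACryptoServiceProvider(2048, csp);
    }

    // Encrypts the connection string and stores only the ciphertext on disk.
    public static void Protect(string connectionString)
    {
        byte[] plain = Encoding.UTF8.GetBytes(connectionString);
        using (RSACryptoServiceProvider rsa = OpenKey())
        {
            // RSA-OAEP (SHA-1) carries at most keyBytes - 42 bytes directly.
            int max = rsa.KeySize / 8 - 42;
            if (plain.Length > max)
                throw new ArgumentException("Connection string exceeds " + max + " bytes.");
            File.WriteAllBytes(BlobPath, rsa.Encrypt(plain, true));
        }
    }

    // Reads the ciphertext back and decrypts it with the container's private key.
    public static string Unprotect()
    {
        using (RSACryptoServiceProvider rsa = OpenKey())
        {
            byte[] plain = rsa.Decrypt(File.ReadAllBytes(BlobPath), true);
            return Encoding.UTF8.GetString(plain);
        }
    }

    static void Main()
    {
        // Constructed sample value, not a real server or credential.
        Protect("Server=db.example.internal;Database=Requests;User Id=app;Password=placeholder");
        Console.WriteLine(Unprotect().Length > 0 ? "round trip ok" : "round trip failed");
    }
}
```

Because the key container belongs to the account that runs the code, the protect step has to run under the same Windows account as the application that later decrypts the file.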