Re: Again: Protecting ConnectionString in web.config
From: Alek Davis (alekDOTdavisATintelDOTcom)
Date: 12/02/03
- Next message: Jim Cheshire [MSFT]: "Re: Redirect to default page using Windows Authentication"
- Previous message: tlthompson_at_west.com: "Re: Windows Authentication"
- In reply to: bigMAC: "Again: Protecting ConnectionString in web.config"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 2 Dec 2003 09:30:12 -0800
Check out the article "Safeguard Database Connection Strings and Other
Sensitive Settings in Your Code" at
http://msdn.microsoft.com/msdnmag/issues/03/11/ProtectYourData/default.aspx.
It may give you some ideas.
Alek
"bigMAC" <tylun_guy@hotmail.com> wrote in message
news:ca8ae5c3.0312011823.5e9212d@posting.google.com...
> Hi,
>
> Today, I met a problem from my boss: how to protect the connection
> string in web.config if a cracker gains full control of the win server
> where IIS is located?
>
> At first, he said plaintext is unacceptable. After some searching, I
> reported some solutions:
>
> I said store it in the registry; my boss asked: he can read it through
> regedit.
>
> I said the encrypt/decrypt connection string method that is widely found
> on the Internet; he asked: if a cracker traces the program, he can properly
> decrypt it programmatically. The same, hardcoding the string in a dll is
> also banned.
>
> I said Windows auth of SQL Server 2000; he asked: if a cracker gains full
> control, this is useless.
>
> After that, I countered: if a cracker gains full control of the server,
> any protection is already useless.
>
> He said: IIS is easily attacked, so we must think of such a situation.
>
> At last, I wanted to ask: why did you choose ASP.NET, which must bind to
> IIS, even though you have such a concern????? But I did not.
>
> I'm not trying to talk about the vulnerability of IIS, but this is real
> talk from my boss.... Anyway, any solution or comment on this silly
> conversation is welcome.
>
>
> Thank you very much