Re: SQL Connectivity by Web App

From: ike (M)
Date: 06/23/04


Date: Wed, 23 Jun 2004 11:50:37 +0100

Any top tips on how to encrypt these credentials? I guess the details are
decrypted by a function in a class within the project every time they are
needed?

<M>ike

"Alek Davis" <alek_xDOTx_davis_xATx_intel_xDOTx_com> wrote in message
news:uuoHeGHWEHA.556@tk2msftngp13.phx.gbl...
> Just make sure that the credentials are encrypted.
>
> Alek
>
> "<M>ike" <mikedotdinnisatabraxas-ukdotcom> wrote in message
> news:e1tvO1DWEHA.2716@tk2msftngp13.phx.gbl...
> > Thanks Alek,
> >
> > That certainly sounds good and reinforces what I was thinking. I think I
> > will try to save the credentials in the Web.config file as AppSetting keys
> > so they are not saved in each page and should be more secure.
> >
> > Cheers,
> >
> > <M>ike
> >
> >
> > "Alek Davis" <alek_xDOTx_davis_xATx_intel_xDOTx_com> wrote in message
> > news:OB9NoC7VEHA.3596@tk2msftngp13.phx.gbl...
> > > Mike,
> > >
> > > The most common approach to this common problem is to specify SQL
> > > credentials in the connection string. The downside here is that you need
> > > to protect the connection string at storage, which is a challenge, but
> > > unless you have certain specific conditions, you do not have many
> > > alternatives. If you want to propagate user's credentials to SQL server,
> > > you have to enable delegation at the AD domain level, which is not a good
> > > idea from security perspective. And what is worse, your app will not be
> > > able to use connection pooling, so the scalability goes down the drain. If
> > > you want to connect to SQL Server using credentials of the IIS worker
> > > process, you either need to run the IIS process as a domain user or set
> > > them identically on both the SQL server and Web server using a local
> > > account (with the same password). I don't think that either of these
> > > options is good, because if you do this (for one, any application running
> > > under your Web site will be able to connect to SQL server with privileged
> > > rights). The bottom line here is that you will introduce more problems
> > > than you solve. Just go with the SQL credentials in the connection string.
> > > From my experience, this is what most enterprise apps do.
> > >
> > > Alek
> > >
> > > "<M>ike" <mikedotdinnisatabraxas-ukdotcom> wrote in message
> > > news:uO3P$j6VEHA.2840@TK2MSFTNGP11.phx.gbl...
> > > > Hi,
> > > >
> > > > To start with, I'm not too sure if this is the right group to be posting
> > > > in so please let me know if there is a more suitable one.
> > > >
> > > > I am trying to get my head around the mechanics behind .NET web
> > > > applications accessing SQL databases located on another PC. My current
> > > > scenario is that both PCs (IIS5 and SQL2000) are on the same domain but
> > > > are physically different. I wish to retrieve data from the database to
> > > > include in the asp.net application. As far as I can see I have two options
> > > > when building the connection:
> > > >
> > > > a) pass credentials in a connection string;
> > > > b) change the impersonated user to a domain account with sql privileges.
> > > >
> > > > I notice that the SQL box is set to use windows authentication. Does this
> > > > make a difference?
> > > >
> > > > What I am looking for is links to resources discussing the matter to
> > > > determine which method is best, if there are other methods and how to set
> > > > up the solution.
> > > >
> > > > Any help would be appreciated.
> > > >
> > > > Regards,
> > > >
> > > > <M>ike
> > > >
> > > >
> > >
> > >
> >
> >
>
>
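
One way to do what this post asks about, as an added example that is not code from any participant in the thread: the connection string is protected with Windows DPAPI through the `ProtectedData` class (.NET Framework 2.0 and later), stored Base64-encoded in an appSettings key, and decrypted once at first use. The key name `SqlConnection.Protected`, the entropy string and the class name are hypothetical.

```csharp
using System;
using System.Configuration;
using System.Security.Cryptography;
using System.Text;

// Added example: Web.config holds only a DPAPI blob, never the plaintext credentials.
public static class ProtectedConnectionString
{
    // Hypothetical appSettings key that stores the Base64 DPAPI blob.
    private const string SettingKey = "SqlConnection.Protected";

    // Hypothetical application-specific entropy. It is not a secret by itself, but
    // another process must supply the same bytes to unprotect the blob.
    private static readonly byte[] Entropy =
        Encoding.UTF8.GetBytes("MyWebApp.SqlConnection.v1");

    private static readonly object Sync = new object();
    private static string cached;

    // Run once on the web server by an administrator; paste the result into Web.config.
    public static string Protect(string plainConnectionString)
    {
        byte[] plain = Encoding.UTF8.GetBytes(plainConnectionString);
        try
        {
            // LocalMachine scope: the blob decrypts only on this machine, but under any
            // account on it. CurrentUser scope is tighter when the worker process
            // identity has a loaded user profile.
            byte[] blob = ProtectedData.Protect(plain, Entropy, DataProtectionScope.LocalMachine);
            return Convert.ToBase64String(blob);
        }
        finally { Array.Clear(plain, 0, plain.Length); }
    }

    // Called by data-access code; decrypts on first use and caches the result.
    public static string Get()
    {
        lock (Sync)
        {
            if (cached != null) return cached;
            string stored = ConfigurationManager.AppSettings[SettingKey];
            if (string.IsNullOrEmpty(stored))
                throw new ConfigurationErrorsException("Missing appSettings key " + SettingKey);
            // Throws CryptographicException if the blob was altered or copied from another machine.
            byte[] plain = ProtectedData.Unprotect(
                Convert.FromBase64String(stored), Entropy, DataProtectionScope.LocalMachine);
            cached = Encoding.UTF8.GetString(plain);
            Array.Clear(plain, 0, plain.Length);
            return cached;
        }
    }
}
```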


