RE: Better security

Because of the username and password in it to connect to the database. Am I
missing something here?

thanks - dave

Cubicle Wars -

"Dominick Baier" wrote:

why is the connection string a secret??? This shouldn't be the
is very easy to find SQL Servers on my network - in the simplest case scan
every IP address for an open TCP/1433...

Dominick Baier (

Yes - sort-of. I'm still learning this too.

My question here is person A and B need to put their information in
Web.Config. And they should be encrypted in Web.Config (aspnet_regiis
-pef ...).

The problem is how does person A get their connections tring into
Web.Config and aspnet_regiis run on it? Only person C is allowed
access to the server and to Web.Config. But they are not allowed to
see the unencrypted connection string.

Cubicle Wars -

"Steven Cheng[MSFT]" wrote:

Hello Dave,

Based on the nature of the question you mentioned, it is somewhat a
pure security & cryptography question.

I'm not sure the exact application code logic in your scenario(such
as the front end, backend and intermediate's processing on data and
the user/role based security strategry), would you further explain
it? For example, how will the three users(A,B,C) work in your
application(or in different application tier).

Generally, for symmetric cryptography, a key problem is the key
distribution and key management. Only the sender and receiver should
own the key. For example, if A and B want to exhange data through
symmetric data encryption, only A,B will share a key. And if they
want to let a 3rd party(such as user C) to maintain the data, then,
they should offer C the encrypted data(rather than plain text).

Please feel free to let me know your actual requirement and concerns.


Steven Cheng

Microsoft MSDN Online Support Lead

This posting is provided "AS IS" with no warranties, and confers no


Relevant Pages

  • RE: Better security
    ... get rid of passwords in connection strings..... ... Dominick Baier ... Cubicle Wars - ... through symmetric data encryption, only A,B will share a key. ...
  • RE: Encrypting data in the database
    ... Cubicle Wars - ... Dominick Baier ... Microsoft Online Community Support ...
  • RE: Better security
    ... this is why you separate application into app pools with different accounts... ... Dominick Baier ... And for Sql Server isn't it bad to give ... through symmetric data encryption, only A,B will share a key. ...
  • Re: Help Encrypting Connection String
    ... > Dominick Baier - DevelopMentor ... >> I've seen DPAPI examples before, but many have been confusing or ... >> run the encryption code on the production box. ... >>> you mean classic ASP?? ...
  • RE: bad encryption
    ... Dominick Baier - DevelopMentor ... i'm new to encryption so please... ...