RE: Better security

Because of the username and password in it to connect to the database. Am I
missing something here?

thanks - dave

Cubicle Wars -

"Dominick Baier" wrote:

why is the connection string a secret??? This shouldn't be the
is very easy to find SQL Servers on my network - in the simplest case scan
every IP address for an open TCP/1433...

Dominick Baier (

Yes - sort-of. I'm still learning this too.

My question here is person A and B need to put their information in
Web.Config. And they should be encrypted in Web.Config (aspnet_regiis
-pef ...).

The problem is how does person A get their connections tring into
Web.Config and aspnet_regiis run on it? Only person C is allowed
access to the server and to Web.Config. But they are not allowed to
see the unencrypted connection string.

Cubicle Wars -

"Steven Cheng[MSFT]" wrote:

Hello Dave,

Based on the nature of the question you mentioned, it is somewhat a
pure security & cryptography question.

I'm not sure the exact application code logic in your scenario(such
as the front end, backend and intermediate's processing on data and
the user/role based security strategry), would you further explain
it? For example, how will the three users(A,B,C) work in your
application(or in different application tier).

Generally, for symmetric cryptography, a key problem is the key
distribution and key management. Only the sender and receiver should
own the key. For example, if A and B want to exhange data through
symmetric data encryption, only A,B will share a key. And if they
want to let a 3rd party(such as user C) to maintain the data, then,
they should offer C the encrypted data(rather than plain text).

Please feel free to let me know your actual requirement and concerns.


Steven Cheng

Microsoft MSDN Online Support Lead

This posting is provided "AS IS" with no warranties, and confers no