RE: Better security
- From: Dominick Baier <dbaier@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 18 Jan 2007 06:46:09 +0000 (UTC)
get rid of passwords in connection strings.....
-----
Dominick Baier (http://www.leastprivilege.com)
Because of the username and password in it to connect to the database.
Am I missing something here?
Cubicle Wars - http://www.windwardreports.com/film.htm
"Dominick Baier" wrote:
why is the connection string a secret??? This shouldn't be the
case...it is very easy to find SQL Servers on my network - in the
simplest case scan every IP address for an open TCP/1433...
-----
Dominick Baier (http://www.leastprivilege.com)
Yes - sort-of. I'm still learning this too.
My question here is person A and B need to put their information in
Web.Config. And they should be encrypted in Web.Config
(aspnet_regiis -pef ...).
The problem is how does person A get their connections tring into
Web.Config and aspnet_regiis run on it? Only person C is allowed
access to the server and to Web.Config. But they are not allowed to
see the unencrypted connection string.
Cubicle Wars - http://www.windwardreports.com/film.htm
"Steven Cheng[MSFT]" wrote:
Hello Dave,
Based on the nature of the question you mentioned, it is somewhat a
pure security & cryptography question.
I'm not sure the exact application code logic in your scenario(such
as the front end, backend and intermediate's processing on data and
the user/role based security strategry), would you further explain
it? For example, how will the three users(A,B,C) work in your
application(or in different application tier).
Generally, for symmetric cryptography, a key problem is the key
distribution and key management. Only the sender and receiver
should own the key. For example, if A and B want to exhange data
through symmetric data encryption, only A,B will share a key. And
if they want to let a 3rd party(such as user C) to maintain the
data, then, they should offer C the encrypted data(rather than
plain text).
Please feel free to let me know your actual requirement and
concerns.
Sincerely,
Steven Cheng
Microsoft MSDN Online Support Lead
This posting is provided "AS IS" with no warranties, and confers no
rights.
.
- Follow-Ups:
- RE: Better security
- From: David Thielen
- RE: Better security
- References:
- RE: Better security
- From: David Thielen
- RE: Better security
- Prev by Date: RE: Better security
- Next by Date: Re: ApplicationName: Create programmatically
- Previous by thread: RE: Better security
- Next by thread: RE: Better security
- Index(es):
Relevant Pages
|
|
