RE: Better security



this is why you separate applications into app pools with different accounts...


-----
Dominick Baier (http://www.leastprivilege.com)

Ok, how do I do that? For databases other than Sql Server that is the
only way to access them. And for Sql Server isn't it bad to give
NETWORK SERVICE access to our database as any other ASP.NET app on the
server can then access it?

Cubicle Wars - http://www.windwardreports.com/film.htm

"Dominick Baier" wrote:

get rid of passwords in connection strings.....

-----
Dominick Baier (http://www.leastprivilege.com)

Because of the username and password in it to connect to the
database. Am I missing something here?

Cubicle Wars - http://www.windwardreports.com/film.htm

"Dominick Baier" wrote:

why is the connection string a secret??? This shouldn't be the
case...it is very easy to find SQL Servers on my network - in the
simplest case scan every IP address for an open TCP/1433...

-----
Dominick Baier (http://www.leastprivilege.com)

Yes - sort-of. I'm still learning this too.

My question here is person A and B need to put their information
in Web.Config. And they should be encrypted in Web.Config
(aspnet_regiis -pef ...).

The problem is how does person A get their connection string into
Web.Config and aspnet_regiis run on it? Only person C is allowed
access to the server and to Web.Config. But they are not allowed
to see the unencrypted connection string.

Cubicle Wars - http://www.windwardreports.com/film.htm

"Steven Cheng[MSFT]" wrote:

Hello Dave,

Based on the nature of the question you mentioned, it is somewhat
a pure security & cryptography question.

I'm not sure the exact application code logic in your
scenario (such as the front end, backend and intermediate's
processing on data and the user/role based security strategy),
would you further explain it? For example, how will the three
users (A, B, C) work in your application (or in different application
tier).

Generally, for symmetric cryptography, a key problem is the key
distribution and key management. Only the sender and receiver
should own the key. For example, if A and B want to exchange data
through symmetric data encryption, only A, B will share a key. And
if they want to let a 3rd party (such as user C) to maintain the
data, then, they should offer C the encrypted data (rather than
plain text).

Please feel free to let me know your actual requirement and
concerns.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead

This posting is provided "AS IS" with no warranties, and confers
no rights.
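The advice in this thread (one app pool per application with its own identity, Windows authentication instead of a password in the connection string, and aspnet_regiis -pef for what is left in Web.Config), put together as an added PowerShell example that is not from any of the posters. The pool, site, database and path names are assumptions, and the script assumes IIS 7.5+ with the WebAdministration module and SQL Server on the same host.

```powershell
# Added example (not from the thread). Assumes IIS 7.5+ with the WebAdministration module,
# an application already deployed at C:\inetpub\wwwroot\PayrollApp under "Default Web Site",
# and SQL Server on the same host. All names are placeholders.
Import-Module WebAdministration

$poolName = 'PayrollPool'                       # one pool per application
$identity = "IIS APPPOOL\$poolName"             # virtual account IIS creates for that pool
$appDir   = 'C:\inetpub\wwwroot\PayrollApp'

# 1. Dedicated app pool running as its own ApplicationPoolIdentity: no password exists
#    anywhere, and the other pools on the box (NETWORK SERVICE or their own identity)
#    hold no rights on this database.
if (-not (Test-Path "IIS:\AppPools\$poolName")) { New-WebAppPool -Name $poolName | Out-Null }
Set-ItemProperty "IIS:\AppPools\$poolName" -Name processModel.identityType -Value 'ApplicationPoolIdentity'
Set-ItemProperty 'IIS:\Sites\Default Web Site\PayrollApp' -Name applicationPool -Value $poolName

# 2. Connection string uses Windows authentication, so Web.config carries no secret that
#    the person deploying it (person C in the thread) would have to be kept from reading.
#    Minimal Web.config written for the example; a real deployment merges the section.
@"
<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <add name="Payroll"
         connectionString="Server=.;Database=Payroll;Integrated Security=SSPI" />
  </connectionStrings>
</configuration>
"@ | Set-Content -Path (Join-Path $appDir 'Web.config') -Encoding UTF8

# 3. Grant only that identity a login and least-privilege database access.
#    (ALTER ROLE ... ADD MEMBER needs SQL Server 2012+; older versions use sp_addrolemember.)
$tsql = "CREATE LOGIN [$identity] FROM WINDOWS; " +
        "USE Payroll; CREATE USER [$identity] FOR LOGIN [$identity]; " +
        "ALTER ROLE db_datareader ADD MEMBER [$identity];"
sqlcmd -S . -E -Q $tsql

# 4. Optionally still encrypt the section (aspnet_regiis -pef, as in the thread). The pool
#    identity then needs read access to the RSA key container of the default provider.
$regiis = Join-Path $env:windir 'Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe'
& $regiis -pef 'connectionStrings' $appDir
& $regiis -pa 'NetFrameworkConfigurationKey' $identity
```

For a SQL Server on another machine the pool identity must be a domain account (or gMSA) that SQL Server can authenticate, since the virtual IIS APPPOOL account is only meaningful locally.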





