Re: connection string

• Previous message: William Stacey [MVP]: "Re: encrypt password for webservices"
• In reply to: Shahram K: "connection string"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

From: "Alek Davis" <alek_DOT_davis_AT_intel_DOT_com>
Date: Wed, 9 Apr 2003 17:04:49 -0700

Shahram,

The answer will pretty much depend on your particular application and
security standards of your organization. The rule of thumb (which is also
recommended by Microsoft) is never to store sensitive information (such as
connection strings or passwords) in plain text. Actually, if you use Windows
authentication to connect to SQL server, connection string will not include
any confidential info, so it is OK to store it in plain text. Otherwise,
always use encryption. Microsoft has some recommendations in
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/ht
ml/SecNetch12.asp (or http://tinyurl.com/8pku); see Storing Database
Connection Strings Securely. The choice betwen a config file or Registry is
mostly a matter of personal preferences and/or application environment
settings. If you want to use Registry, there is a Microsoft sample how to do
it using encryption; check
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/ht
ml/SecNetHT11.asp (or http://tinyurl.com/96ql). If you like config files
better, you can roll out your own encryption tool or use this one:
http://www.obviex.com/CipherLite/.

-- Alek

"Shahram K" <skhosraviani@fauseydoesit.com> wrote in message
news:eg9hshe$CHA.2044@TK2MSFTNGP10.phx.gbl...
> hi, what is the best way to protect the the connection string ?
>
> is it placing it in the config.web file or creating a encrypted connection
> string in the registry ? or is there any new ideas ?
>
> thank you
>
>

• Previous message: William Stacey [MVP]: "Re: encrypt password for webservices"
• In reply to: Shahram K: "connection string"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]