Re: Flat text based security issue

From: Ken Schaefer (kenRMV@THISadOpenStatic.com)
Date: 10/16/02


From: "Ken Schaefer" <kenRMV@THISadOpenStatic.com>
Date: Wed, 16 Oct 2002 13:57:54 +1000


I'm not sure what you want advice on - there doesn't seem to be a question
at the end of your post!

I assume you want a more secure way of storing the logon credentials:
Use a DSN? and secure the registry key appropriately using regedt32.exe
Use a COM object, which has a method that returns the connection string?

At the very least though:
a) people browsing the website shouldn't be able to see the location of the
text file
b) secure the text file in such a way that people authoring against the site
can't get at it either
c) make sure that the login being used has minimal permissions on the
production database.

Cheers
Ken

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Tim P." <tplaswirth@hotmail.com> wrote in message
news:34c101c27485$2cd4c850$3bef2ecf@TKMSFTNGXA10...
> Hello all,
>
> I have a third party site built for my company.  With this
> is a third party program that communicates via ODBC to our
> Oracle dB.  Thus data passes back and forth.  I have my
> IIS server out in our DMZ where it belongs.  But I had to
> shut it down to work on this one issue.
>
> I have a flat text file that contains some settings for
> the Oracle connectivity.  This file contains the ID and
> Password for our production Oracle server.  I can't
> believe this company wrote that without any encryption.
> Well alas, the business unit wants it working.  Yet they
> are giving me time to work out my security woes.  Can
> anyone assist me with any ideas?  I have tried obscurity
> but that does not work.  I changed the file name and put
> it in another folder.  But if you view the source of the
> website it will give you that path no matter what.
>
> Again any help is greatly appreciated!
> Thanks in advance,
> Tim
>
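
An added example, not part of either post: a PowerShell audit for points (a) and (b) of the reply and for its DSN registry-key suggestion. The web root, settings file path, DSN name and the list of broad principals are placeholder assumptions to adjust for the actual server.

```powershell
# Added example. All paths and names below are placeholders (assumptions),
# not values taken from the thread.
$WebRoot      = 'C:\inetpub\wwwroot'                      # assumed IIS content root
$SettingsFile = 'D:\AppConfig\oracle-settings.txt'        # hypothetical settings file
$DsnKey       = 'HKLM:\SOFTWARE\ODBC\ODBC.INI\ProdOracle' # hypothetical system DSN

# Principals that should hold no Allow entry on either object.
# Assumption: add the anonymous-access account used by your IIS version.
$BroadPrincipals = @(
    'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE', 'NT AUTHORITY\IUSR'
)

function Test-UnderWebRoot {
    param([string]$Path, [string]$Root)
    # Normalise both paths so "..\" segments cannot hide the real location
    $full     = [System.IO.Path]::GetFullPath($Path)
    $rootFull = [System.IO.Path]::GetFullPath($Root).TrimEnd('\') + '\'
    return $full.StartsWith($rootFull, [System.StringComparison]::OrdinalIgnoreCase)
}

function Get-BroadGrant {
    param([string]$Path, [string[]]$Principals)
    # Get-Acl accepts both file system and registry provider paths
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        $name = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Allow' -and $Principals -contains $name) {
            # File ACEs expose FileSystemRights, registry ACEs expose RegistryRights
            $rights = if ($ace.PSObject.Properties['FileSystemRights']) {
                $ace.FileSystemRights } else { $ace.RegistryRights }
            [pscustomobject]@{ Path = $Path; Principal = $name
                               Rights = $rights; Inherited = $ace.IsInherited }
        }
    }
}

# Point (a): the file should not sit where IIS can serve it.
# Virtual directories mapped outside the web root need the same check.
if (Test-UnderWebRoot -Path $SettingsFile -Root $WebRoot) {
    Write-Warning "$SettingsFile is inside the web root and may be served to browsers"
}

# Point (b) and the DSN option: list every broad Allow entry that needs removing.
foreach ($target in $SettingsFile, $DsnKey) {
    if (Test-Path -Path $target) {
        Get-BroadGrant -Path $target -Principals $BroadPrincipals
    } else {
        Write-Warning "$target not found; adjust the placeholder paths"
    }
}
```

No output rows means none of the listed principals has an Allow entry; the process identity that actually opens the ODBC connection should be the only non-administrative account left with read access.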

