Protect connection string


Thomas Wopienka

Hi!

Is there a way to protect username and password from a connection string -
VS.NET 2003 prompts that passwords can be read in clear text from the EXE
file.

I don't want anyone who opens my EXE file using notepad to see username,
passwords,...

Are there any tricks to make this safer since I want to distribute my
application on a CD-ROM?

Thank you!

Thomas
 
You don't say what database you are using, but if you're using one that
supports NT authentication, such as SQL Server or MSDE, you can simply
connect in this manner. This relies on the logged in user account for
credentials and thus is not stored specifically in your application.

Otherwise, the encryption suggestion posted by Hector is an excellent
technique.

Steven Bras, MCSD
Microsoft Developer Support/Data Access Technologies

This posting is provided "AS IS" with no warranties, and confers no rights.

Microsoft Security Announcement: Have you installed the patch for Microsoft
Security Bulletin MS03-026?  If not Microsoft strongly advises you to
review the information at the following link regarding Microsoft Security
Bulletin MS03-026
http://www.microsoft.com/security/security_bulletins/ms03-026.asp and/or to
visit Windows Update at http://windowsupdate.microsoft.com to install the
patch. Running the SCAN program from the Windows Update site will help to
ensure you are current with all security patches, not just MS03-026.
 
Just came across this on MSDN, and figured you might find it interesting.
Nothing that wasn't basically mentioned in the other two posts, but figured
you might find it interesting.

Bill
 
DO NOT use username and password on applications you are handing out,
period.

When deploying an intranet application across an org the recommended solution
is to use integrated security instead of username and password. If you are
talking about deploying an application outside of your org that directly
connects to your Sql server, or if handing integrated security then you
should reconsider your programming model. You could consider building a web
service tier on your IIS server that connects to your Sql Server, then
connect the client applications through this webservice for example.

Bottom line is that there is no way to protect a username and password that
you distribute with your application, even if you take the trouble to encode
it on your exe and use encryption to avoid packet sniffers, somebody will
figure out a way to grab it eventually.
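
As an added example (not code from any poster in this thread): a pre-release check that scans a built EXE for connection-string credentials, which .NET keeps as readable UTF-16 string literals, and notes where integrated security is used instead. The function names and the sample bytes are constructed for illustration.

```python
import re

# Keys that carry credentials in ADO.NET connection strings.
CRED_KEY = re.compile(r"(?i)\b(password|pwd|user id|uid)\s*=\s*([^;]*)")
# The integrated-security setting the replies recommend instead.
INTEGRATED = re.compile(
    r"(?i)\b(integrated security|trusted_connection)\s*=\s*(sspi|true|yes)\b")


def extract_strings(data, min_len=6):
    """Yield printable runs stored as ASCII, then as UTF-16LE (.NET literals)."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        yield m.group().decode("ascii")
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        yield m.group().decode("utf-16-le")


def audit(data):
    """Return (kind, text) findings; credential values are masked in the report."""
    findings = []
    for s in extract_strings(data):
        if any(value.strip() for _, value in CRED_KEY.findall(s)):
            masked = CRED_KEY.sub(lambda m: m.group(1) + "=***", s)
            findings.append(("embedded-credentials", masked))
        elif INTEGRATED.search(s):
            findings.append(("integrated-security", s))
    return findings


def sample_exe():
    """Constructed bytes standing in for a compiled EXE (not a real binary)."""
    weak = ("Data Source=dbhost;Initial Catalog=Sales;"
            "User ID=appuser;Password=Example123")
    good = "Data Source=dbhost;Initial Catalog=Sales;Integrated Security=SSPI"
    return (b"MZ\x90\x00\x01\x02" + weak.encode("utf-16-le")
            + b"\x00\x00\xff" + good.encode("utf-16-le") + b"\x00\x00")


if __name__ == "__main__":
    for kind, text in audit(sample_exe()):
        print(f"{kind:22} {text}")
```

A build that reports any `embedded-credentials` finding is not ready to ship on the CD-ROM.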
 