SQL Membership Provider - should this be encrypted in web.config

Thread starter: JimLad

Hi,

I haven't seen anything anywhere suggesting this section should be
encrypted, but it looks to be like a prime hacking location (set
passwords to cleartext, set unlimited retries etc...)

Should this section be encrypted in addition to impersonation and
connectionstrings sections?

Any other sections that should be encrypted?

Cheers,

James
 
I haven't seen anything anywhere suggesting this section should be
encrypted, but it looks to be like a prime hacking location (set
passwords to cleartext, set unlimited retries etc...)

Connection strings which contain passwords? I am with Mark on this one.

Other sections? No. It just adds weight to the app with no discernible
safety increase. A hacker knows the web connection string name is
MySiteConnectionString? So what?

I would suggest that you not name the string LocalSqlServer if the SQL
Server is really local, as they will try to hack there. Also don't use
the alias ServerNameConnectionString, where ServerName is the actual
name of the server, as that gives a hacker the name of a server in your
network that contains data.

If I saw ZeusConnectionString for an app named MotorcycleSales, I would
assume you have servers named after Greek Gods, with Zeus as your
database server. If I am in the network, I then search for Zeus on port
1433 and see if you have password, p@ssword, blank, etc. as the sa
password.

Perhaps encryption is useful if you name things where you reveal the
nature of the environment, but don't do that and it really does not add
that much, as the hacker is already in your network if he is reading the
config.

App Settings is another thing, as you often reveal secrets about the app
in app settings. Protect them. Conn strings, definitely, esp. if you use
Windows Authentication. They have WAAAY too much info to be left open.

Realistically, however, if the hacker has the .config, he owns the web
server.

Peace and Grace,

--
Gregory A. Beamer (MVP)

Twitter: @gbworld
Blog: http://gregorybeamer.spaces.live.com

*******************************************
| Think outside the box! |
*******************************************
 
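An added example, not code from the thread or from Microsoft, that does what the exchange above talks about: it first audits the membership settings James is worried about (cleartext password storage, unlimited retries), then encrypts the connectionStrings, appSettings and membership sections with the aspnet_regiis.exe tool that ships with the .NET Framework, and finally checks that no cleartext survived on disk. The application path, the warning thresholds and the site name are illustrative assumptions; the section names, provider name and aspnet_regiis switches are the real ones.

```powershell
<#
  Added example (not from the thread or from Microsoft). Audit the membership
  provider, encrypt the sensitive web.config sections in place, verify the result.
  Assumptions (illustrative): site at $AppPath, script runs elevated on the web
  server, 64-bit .NET Framework 4.x installed.
#>
param(
    [string]$AppPath  = 'C:\inetpub\wwwroot\MotorcycleSales',
    # DPAPI-based provider: keys are bound to this machine, fine for a single server.
    [string]$Provider = 'DataProtectionConfigurationProvider'
)

$webConfig = Join-Path $AppPath 'web.config'
[xml]$cfg = Get-Content -Path $webConfig -Raw

# 1. Audit the membership provider BEFORE encrypting it. Protected configuration hides
#    values; it does not stop someone who can write web.config from replacing the
#    encrypted section with a cleartext one, so the settings must be sane first.
$providers = @($cfg.SelectNodes('/configuration/system.web/membership/providers/add'))
foreach ($p in $providers) {
    $name = $p.GetAttribute('name')
    $fmt  = $p.GetAttribute('passwordFormat')
    if ($fmt -eq 'Clear') {
        Write-Warning "${name}: passwordFormat='Clear' stores passwords in plaintext; use 'Hashed'"
    } elseif ($fmt -eq 'Encrypted') {
        Write-Warning "${name}: passwordFormat='Encrypted' is reversible with the machineKey; prefer 'Hashed'"
    }
    $attempts = $p.GetAttribute('maxInvalidPasswordAttempts')   # provider default is 5
    if ($attempts -and [int]$attempts -gt 10) {
        Write-Warning "${name}: maxInvalidPasswordAttempts=$attempts invites online brute force"
    }
}

# 2. Encrypt in place. -pef takes the section name and the application's physical
#    path; a nested section is written in path form, e.g. system.web/membership.
$regiis = Join-Path $env:windir 'Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe'
if (-not (Test-Path $regiis)) { throw "aspnet_regiis.exe not found at $regiis" }

$sections = 'connectionStrings', 'appSettings', 'system.web/membership'
foreach ($s in $sections) {
    & $regiis -pef $s $AppPath -prov $Provider
    if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis failed for section $s" }
}

# 3. Verify: each section now carries configProtectionProvider, its only content is
#    an EncryptedData element (xmlenc namespace, so match on LocalName), and no
#    cleartext <add> entries remain.
[xml]$after = Get-Content -Path $webConfig -Raw
foreach ($s in $sections) {
    $node = $after.SelectSingleNode("/configuration/$s")
    if (-not $node) { throw "Section $s missing after encryption" }
    if ($node.GetAttribute('configProtectionProvider') -ne $Provider) {
        throw "Section $s is not marked as protected by $Provider"
    }
    if ($node.FirstChild.LocalName -ne 'EncryptedData') {
        throw "Section $s does not start with EncryptedData"
    }
    if ($node.SelectSingleNode('.//add')) {
        throw "Section $s still contains cleartext <add> entries"
    }
}
Write-Host "Protected: $($sections -join ', ')"
```

DataProtectionConfigurationProvider ties the key to the machine, so on a web farm use RsaProtectedConfigurationProvider instead: export the key container with `aspnet_regiis -px`, import it on each node with `-pi`, and grant the application pool identity access with `-pa`. To read or edit the sections again, `aspnet_regiis -pdf <section> <path>` decrypts them in place. The audit step matters more than the encryption for the membership section: an attacker who can already write web.config gains nothing from decrypting it, which is the point Gregory makes about owning the web server.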

Thanks all!

James
 