Where to store connections string

Simon Harvey

Hi everyone,

As I understand it, storing an application's SQL Server connection string in
the web.config file is a security risk. I'm wondering, then, what the
simplest solution to this problem is?

Actually, my first question is, why is it a security risk? As I understand
it, it is impossible to download the web.config file. Is this not the case?

I've heard of a number of potential solutions to this problem - storing
stuff in the registry being one potential solution. I don't really want to
do that though as I need to be able to deploy the sites on a shared host
computer owned by my hosting company.

So, back to my original question - what would be the simplest and most
effective way to keep my connection string secure?

Thanks to anyone who can offer any advice on this

Simon
 
Security risk is mainly from internal access. It is often more
important to secure information from people inside an organization
that should not have access to it than from outside the organization.
If you put the connection string in the web.config file, anyone who
has access to the file system could see the value.

One common way of securing this is to encrypt the connection string
and then store the encrypted form in the web.config file.
 
Ah right! So it's not that the web.config file might be accessed from the
outside world. That makes a lot more sense to me now.

Thanks Dan

Simon
 
Hi Simon,

Files with the .config extension are configured to go through the ASP.NET
ISAPI and then to a handler that forbids their retrieval, so you're safe.
However, if anyone gets on your server they will see your web.config in
plain and clear.

There is a KB article at
http://support.microsoft.com/default.aspx?scid=kb;en-us;329290, which talks
about different ways to encrypt connection strings. Once you start dealing
with DPAPI (Data Protection API) or the registry it opens up a can of
worms. This architectural whitepaper
(http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/secnetlpMSDN.asp)
discusses it in the "Storing Database Connection Strings Securely" section.

Basically, protecting encrypted connection strings boils down to a
complicated issue of managing keys for symmetric/asymmetric encryption, so
you have to assess if it's worth it to begin with. You can secure databases
with Windows accounts so you won't have to specify uid and pwd in connection
strings. It's not always possible though, especially if you're hosting a
site somewhere.
 
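The following is an added example, not code posted by anyone in this thread. It puts the two suggestions above side by side: Dan's approach of encrypting the connection string and storing only the encrypted form in web.config (here done with DPAPI, the API the last reply names), and the last reply's alternative of authenticating with a Windows account so the connection string carries no uid/pwd at all. It assumes .NET Framework 2.0 or later with references to System.Security.dll and System.Configuration.dll; the appSettings key name `DbConnEncrypted`, the entropy value and the sample connection string are all made up for illustration.

```csharp
// Added example (not from the thread). Assumes .NET Framework 2.0+,
// referencing System.Security.dll (ProtectedData) and System.Configuration.dll.
using System;
using System.Configuration;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Text;

public static class ConnectionStringProtector
{
    // Optional entropy: DPAPI mixes it into the key, so another process on the
    // same machine cannot decrypt without knowing it too. Anything hard-coded in
    // the binary is only a speed bump against someone who has the DLL; treat it as such.
    private static readonly byte[] Entropy =
        Encoding.UTF8.GetBytes("example-app-entropy"); // assumed value

    // Run once (e.g. from a deployment tool on the target server) and paste the
    // result into web.config. LocalMachine scope: any process on this server can
    // decrypt, so protection rests on the entropy plus the NTFS ACL on web.config.
    // CurrentUser scope would bind the secret to the app-pool account instead, but
    // then this tool must run as that same account, which is the key-management
    // "can of worms" the reply mentions.
    public static string Protect(string plainConnectionString)
    {
        byte[] plain = Encoding.UTF8.GetBytes(plainConnectionString);
        byte[] cipher = ProtectedData.Protect(plain, Entropy, DataProtectionScope.LocalMachine);
        return Convert.ToBase64String(cipher);
    }

    public static string Unprotect(string base64Cipher)
    {
        byte[] cipher = Convert.FromBase64String(base64Cipher);
        byte[] plain = ProtectedData.Unprotect(cipher, Entropy, DataProtectionScope.LocalMachine);
        return Encoding.UTF8.GetString(plain);
    }

    // At run time the site reads the encrypted value and decrypts it in memory.
    // web.config (assumed key name):
    //   <appSettings>
    //     <add key="DbConnEncrypted" value="AQAAANCMnd8B...base64..." />
    //   </appSettings>
    public static string GetConnectionStringFromConfig()
    {
        string encrypted = ConfigurationManager.AppSettings["DbConnEncrypted"];
        if (string.IsNullOrEmpty(encrypted))
            throw new ConfigurationErrorsException("DbConnEncrypted is missing from web.config");
        return Unprotect(encrypted);
    }

    // The alternative from the last reply: SQL Server authenticates the Windows
    // account the worker process runs as, so there is no password to protect.
    public static string BuildIntegratedSecurityConnectionString(string server, string database)
    {
        SqlConnectionStringBuilder b = new SqlConnectionStringBuilder();
        b.DataSource = server;
        b.InitialCatalog = database;
        b.IntegratedSecurity = true; // emits "Integrated Security=True"; no uid/pwd
        return b.ConnectionString;
    }

    // Used as a one-off console tool: prints the value to paste into web.config
    // and checks that it round-trips on this machine.
    public static void Main(string[] args)
    {
        // Constructed sample; not a real server or credential.
        string sample = "Server=db01;Database=Orders;User ID=app;Password=s3cret";
        string encrypted = Protect(sample);
        Console.WriteLine(encrypted);
        if (Unprotect(encrypted) != sample)
            throw new Exception("DPAPI round trip failed");

        Console.WriteLine(BuildIntegratedSecurityConnectionString("db01", "Orders"));
    }
}
```

Note that the encrypted value is tied to the machine whose DPAPI master key produced it: copying web.config to another server, or to a shared host you do not control, means the value cannot be decrypted there and must be re-generated on that box. That is also why the Windows-account option, where it is available, is the simpler one to operate.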