OT: Where do you store your connection strings for ASP.NET?

Old forum URL: forums.lhotka.net/forums/t/929.aspx


MadGerbil posted on Thursday, August 17, 2006

I've a situation where I have to use a connection string that has an application user name and password to access a remote SQL Server.  It is extremely important to me that the configuration string be somewhere extremely safe, yet quick to retrieve.

Where is a good place to securely store a connection string?

Is the web.config file secure enough?

 

----------------------------------------------------------------------

I'm able to distribute the application to the server in a pre-compiled form - obviously binary files are more secure than plain text files.  Are the binary files in an ASP.NET pre-compiled solution obfuscated?

ajj3085 replied on Thursday, August 17, 2006

The web.config is just an XML file, so anyone that gains access to read that file will be able to see the u/p. If you're using .NET 2.0 though, there is support for encrypting connection strings. You should be able to find information on this via Google.

.NET code by default is not obfuscated in any way, ASP.NET or not. There are third party tools which do this, however it's not totally secure (of course nothing is). Some of the better ones are able to encrypt strings stored within the binaries.

The MOST secure place to store the connection string would be an application server and set up the webserver to use remoting for running code in the DataPortal. With this method, you can do all of the above, but in addition, the server actually running your data access code is behind a firewall and internal to your company. If your web server is in a typical DMZ, the attacker would now have to break through two firewalls to get to the server which has the connection string. This comes at the expense of performance though.

HTH
Andy
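
The .NET 2.0 connection-string encryption mentioned in the reply above, sketched as an added example (not code from the thread or from CSLA). It uses the framework's protected configuration API; the virtual path `/MyApp` and the connection string name `MyDb` are hypothetical placeholders.

```csharp
using System;
using System.Configuration;
using System.Web.Configuration;

// Added example: encrypts the <connectionStrings> section of an ASP.NET
// application's web.config in place. Run on the web server by an administrator.
public static class ConnectionStringProtector
{
    // Built-in providers: "RsaProtectedConfigurationProvider" (RSA key container,
    // can be exported to other servers in a farm) and
    // "DataProtectionConfigurationProvider" (DPAPI, bound to the machine).
    private const string Provider = "RsaProtectedConfigurationProvider";

    // Returns true if the section was encrypted by this call,
    // false if it was already protected.
    public static bool Protect(string appVirtualPath)
    {
        Configuration config =
            WebConfigurationManager.OpenWebConfiguration(appVirtualPath);
        ConfigurationSection section = config.GetSection("connectionStrings");
        if (section == null)
            throw new ConfigurationErrorsException("connectionStrings section not found.");

        if (section.SectionInformation.IsProtected)
            return false;

        section.SectionInformation.ProtectSection(Provider);
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }

    public static void Main(string[] args)
    {
        // "/MyApp" is a hypothetical virtual path; pass the real one as an argument.
        string path = args.Length > 0 ? args[0] : "/MyApp";
        Console.WriteLine(Protect(path)
            ? "connectionStrings encrypted."
            : "connectionStrings was already encrypted.");

        // Application code needs no change: the runtime decrypts on read, e.g.
        // ConfigurationManager.ConnectionStrings["MyDb"].ConnectionString
    }
}
```

Because the runtime decrypts the section transparently for the application, this protects against disclosure of the web.config file itself, not against code already running under the application's identity.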

Copyright (c) Marimer LLC