What is the most secure way to connect an ASP.NET 3.5 web application and SQL Server database?

I have a web application developed in .net 3.5 and a SQL Server database.

The current auth method is the connection string in web.config; it seems like a good idea to move authentication data out of plain text.

So, I have two questions:

  • Reliable connection. Password policy is strict here, requiring frequent changes. Does this mean that I will have to update the password for the website every time it expires?

  • Is there another option / better option?

+4
4 answers

As an alternative to a trusted connection, you can see this set of articles on how to encrypt your web.config.

In short, if you call from the command line

aspnet_regiis -pe "connectionStrings" -app "/SampleApplication" -prov "RsaProtectedConfigurationProvider" 

The connectionStrings section in the web.config of the SampleApplication application from the default site will be encrypted using RSA.

+2

I think it's better to use a username / password simply because I don't want the user to start my IIS server to access a large number of databases. I would prefer it to be focused, where for this application there is a user, and this user has access only to this database.

You need to be sure that your web.config file is safe, so you need security.

If you want more security, you can simply use the dependency injection infrastructure and enter a compiled class with username / password and just use this connection string. This class can be confusing if you need some semblance of greater security.

+1

No, you do not have to continue to modify the trusted connection data. You do not store the password there, so password changes will not affect you. (This is if you use basic authentication so that users can connect to the SQL mailbox as themselves)

But - if your application pool is running as a specific user, and this user has changed his password, you need to update it. You might think of a user whose password does not expire for this.

0

A reliable connection is not an option? Frequently changing passwords should not be a limiting factor in your decision, as they trust you not to enter a password.

Another alternative is to encrypt the connection string.

0
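The three states the answers above discuss (an encrypted connectionStrings section, a trusted connection, a plaintext SQL login) can be checked mechanically. The following C# audit is an added example, not code from the question or any of the answers; the sample config, server name, login and password are constructed, and the check relies on the configProtectionProvider attribute that an encrypted section carries.

```csharp
// Added example: audits web.config text for plaintext SQL credentials.
// Targets .NET 3.5 (System.Xml.Linq, System.Data). All sample values are constructed.
using System;
using System.Collections.Generic;
using System.Data.SqlClient;
using System.Linq;
using System.Xml.Linq;

static class ConnectionStringAudit
{
    // Constructed sample: one SQL-login entry and one trusted-connection entry.
    const string SampleConfig = @"<configuration>
  <connectionStrings>
    <add name='SqlLogin' connectionString='Data Source=db01;Initial Catalog=App;User ID=app_user;Password=CONSTRUCTED-EXAMPLE' />
    <add name='Trusted' connectionString='Data Source=db01;Initial Catalog=App;Integrated Security=SSPI' />
  </connectionStrings>
</configuration>";

    public static List<string> Audit(string webConfigXml)
    {
        var findings = new List<string>();
        // Match on local name so a config root that declares an xmlns is still handled.
        XElement section = XDocument.Parse(webConfigXml).Descendants()
            .FirstOrDefault(e => e.Name.LocalName == "connectionStrings");
        if (section == null) return findings;

        // After aspnet_regiis -pe the section body is <EncryptedData> and the
        // provider name is recorded in the configProtectionProvider attribute.
        XAttribute provider = section.Attribute("configProtectionProvider");
        if (provider != null)
        {
            findings.Add("OK: section is encrypted (" + provider.Value + ")");
            return findings;
        }

        foreach (XElement add in section.Elements().Where(e => e.Name.LocalName == "add"))
        {
            string name = (string)add.Attribute("name");
            var csb = new SqlConnectionStringBuilder((string)add.Attribute("connectionString"));
            if (csb.IntegratedSecurity)
                findings.Add("OK: " + name + " uses a trusted connection, no password stored");
            else if (!string.IsNullOrEmpty(csb.Password))
                findings.Add("WARN: " + name + " stores a plaintext password for '" + csb.UserID + "'");
        }
        return findings;
    }

    static void Main() { foreach (string f in Audit(SampleConfig)) Console.WriteLine(f); }
}
```

Pass the contents of a deployed web.config to Audit, for example from a build or deployment check, to flag entries that still hold a plaintext password.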
