How to protect connection string in web.config?

I have a website that is about to go live. I am wondering what I should do with the connection string in web.config. I confuse him, and so how?

Thanks!

+4
5 answers

The standard method is to encrypt it. http://ondotnet.com/pub/a/dotnet/2005/02/15/encryptingconnstring.html

However, another good option is to save it in the registry and set permissions so that only the ASP.NET runtime can access it.

See this article: http://msdn.microsoft.com/en-us/library/ff649224.aspx and this KB: http://support.microsoft.com/kb/821616

Although I must say that using the registry tends to complicate the deployment and use text / intermediate servers a bit. We did it ... ONCE, and then went back to encryption.

+5

You can encrypt the `<connectionStrings>` section in your web.config - see "How To: Encrypt Configuration Sections in ASP.NET 2.0 Using DPAPI".

+2

Since you did not provide any information about this in your question, I assume that you have the credentials in your connection string.

From a security point of view, you should try to avoid this; if possible, use Windows authentication. Obviously, this requires that you have access to the Active Directory environment, and all servers are deployed in it.

If not, it is always better to block the web server, and not try to make sure that the files on the disk are protected from unauthorized access by different users.

Even if this is not possible, I will follow the approach given by the other answers, encrypting confidential content using DPAPI.

0

You can simply encrypt the entire web.config file:

See the steps here:

http://www.proworks.com/blog/archive/encrypting-your-webconfig/

0
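The DPAPI encryption of the `<connectionStrings>` section that several answers above recommend can be done with the .NET Framework configuration API. This is an added example, not code from any of the answers; the class name, the `--decrypt` switch and the `/MyApp` virtual path are hypothetical.

```csharp
// Added example. Build as a console app referencing System.Web.dll and
// System.Configuration.dll, and run it elevated on the web server itself.
// Command-line equivalent (run from the .NET Framework directory):
//   aspnet_regiis -pe "connectionStrings" -app "/MyApp" -prov "DataProtectionConfigurationProvider"
using System;
using System.Configuration;
using System.Web.Configuration;

static class ProtectConnectionStrings
{
    // Built-in DPAPI provider name registered in machine.config.
    const string DpapiProvider = "DataProtectionConfigurationProvider";

    static int Main(string[] args)
    {
        if (args.Length < 1)
        {
            Console.Error.WriteLine("usage: ProtectConnectionStrings <virtual-path> [--decrypt]");
            return 2;
        }
        bool decrypt = args.Length > 1 && args[1] == "--decrypt";

        // args[0] is the IIS virtual path of the application, e.g. "/MyApp" (hypothetical).
        Configuration config = WebConfigurationManager.OpenWebConfiguration(args[0]);
        ConfigurationSection section = config.GetSection("connectionStrings");
        if (section == null || section.SectionInformation.IsLocked)
        {
            Console.Error.WriteLine("connectionStrings section is missing or locked by a parent config.");
            return 1;
        }

        SectionInformation info = section.SectionInformation;
        if (decrypt == !info.IsProtected)
        {
            Console.WriteLine("Nothing to do: IsProtected = " + info.IsProtected);
            return 0;
        }

        if (decrypt) info.UnprotectSection();          // back to clear text, e.g. before editing
        else info.ProtectSection(DpapiProvider);       // replaces the section with <EncryptedData>

        info.ForceSave = true;                         // write the section even if values are unchanged
        config.Save(ConfigurationSaveMode.Modified);
        Console.WriteLine("connectionStrings IsProtected = " + info.IsProtected);
        return 0;
    }
}
```

With the DPAPI provider's default machine-level protection the encrypted section can only be decrypted on the server where it was encrypted, so the step has to be repeated on each server after deployment. Application code that reads `ConfigurationManager.ConnectionStrings` does not change, because the runtime decrypts the section when it loads it.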
