.Net SQL Server Connection String - Hide Password from Other Developers

We are migrating one of our sites to ASP.Net. We do not want to use an integrated security system that uses a Windows account to connect to the sql server (I'm not going to delve into why, it simply cannot be considered). We created a username and password to connect to SQL Server and would like to use this username and password, however we also do not want other developers to see this information (read easily from web.config) .... I know it can be encrypted, but developers can just as easily decrypt - plus encryption has a performance hit.

Is there any solution to this problem?

+6
sql-server password-protection connection-string
5 answers

Here is a good tutorial on encrypting configuration information in ASP.NET 2.0 applications.

Just don't give the key to other developers.

Alternatively, you can block authentication for SQL through installed certificates. In this way, you establish security based on the client, not the user. http://msdn.microsoft.com/en-us/library/ff649255.aspx

Our standard practice is to use one "Developer Name" in the development database, which has limited access and has a different username / password for the production box. Developers do not have access to the product box, only leading developers, and then the creation of web.config is copied through the deployment script.

+2
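As an added illustration of the protected-configuration approach this answer points to (example code written here, not taken from the answer or the linked tutorial): the `connectionStrings` section of web.config is encrypted once on the server with the built-in DPAPI provider, and application code keeps reading the connection string through `ConfigurationManager` as if nothing changed, because the framework decrypts on read. The virtual path `/MySite` and the connection string name `SiteDb` are assumed values.

```csharp
// Added example, not code from the answer or the tutorial it links to.
// Encrypts the <connectionStrings> section of web.config so the SQL password
// is not stored in clear text. Run once, from a deployment step on the server,
// under the identity that will later read the configuration.
//
// Command-line equivalent shipped with .NET (no code needed):
//   aspnet_regiis -pe "connectionStrings" -app "/MySite"
using System;
using System.Configuration;
using System.Web.Configuration;

public static class ConnectionStringProtector
{
    // DataProtectionConfigurationProvider uses the Windows DPAPI machine key,
    // so the file only decrypts on the machine that encrypted it. Use
    // RsaProtectedConfigurationProvider instead when the same encrypted
    // web.config must be readable on several hosts (its key container can be
    // exported and imported).
    private const string Provider = "DataProtectionConfigurationProvider";

    // appPath is the application's virtual path, e.g. "/MySite" (assumed name).
    public static void Protect(string appPath)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appPath);
        ConfigurationSection section = config.GetSection("connectionStrings");

        if (section.SectionInformation.IsProtected)
            return; // already encrypted, nothing to do

        section.SectionInformation.ProtectSection(Provider);
        // ForceSave makes the Save call write the section out even though
        // no individual setting inside it changed.
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Full);
    }

    // Reverse operation, e.g. before editing the section by hand.
    public static void Unprotect(string appPath)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appPath);
        ConfigurationSection section = config.GetSection("connectionStrings");

        if (!section.SectionInformation.IsProtected)
            return;

        section.SectionInformation.UnprotectSection();
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Full);
    }

    // Application code is unchanged: decryption happens transparently on read.
    // "SiteDb" is an assumed connection string name.
    public static string GetSiteConnectionString()
    {
        ConnectionStringSettings settings = ConfigurationManager.ConnectionStrings["SiteDb"];
        if (settings == null)
            throw new ConfigurationErrorsException("connection string 'SiteDb' not found");
        return settings.ConnectionString;
    }
}
```

What this does and does not buy you: the file on disk no longer contains the password, so a copy of web.config taken off the server (backups, source control, a developer's checkout) is useless without the machine's DPAPI key. It does not stop anyone who can run code under the application's identity on that server from calling `GetSiteConnectionString()` and reading the clear text, which is exactly the limitation the question raises; the separation of development and production credentials described in the same answer is what addresses that part.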

Do developers need access to the web.config file? If so, I think you might be out of luck. If not, this means that they never need to change the web.config file, change the permissions on it so that only administrators and the asp.net process can read the file.

0

In my experience, it's hard to hide such things from your internal developers. Even the configuration encryption in web.config will still be displayed if your developers simply stepped over the code ...

I would suggest that if you did this, you could create a private constant string in the code for your DB string, and then use Dotfuscator or the like in a compiled application. Obviously, the source code itself must also be encrypted, otherwise your developers would not be able to access it.

0

You cannot protect the password from developers - besides, what is the meaning of it? What you can do is to have a separate development server, to which developers have access and a production environment to which they are not related.

Do developers ever need to connect to the database to run some tests or something else? if they do, it would be advisable to run the test using the same account used by the application, otherwise the test results may not reflect reality.

0

Prompt for the password when you first connect and track the password in a session. Now only you can connect the database from anywhere. Redirect all those that are inaccessible to the page inaccessible to users, that they do not have a password.

0
