Secure connection to database

Hello All,

I have an asp.net application hosting in IIS 6.0 which talks to a database
in another DMZ (with firwall installed in between). I know that I can enrypt
and decrypt my connection string into web server's registry instead of plain
text in web.config ,but I was just thinking that once the app want to talk
to database ,does it send the connection string in plain text agian OR I
have to take extra steps to secure that too? Could you please guide me to a
good article explaining this?

Thanks a lot

re: Secure connection to database

depends on the database and what is in the connection string. some databases
(say sqlserver) can be configured to connect over ssl, or can't. also is the
username/password in the connect string?

also when you open the firewall for IIS to talk to the database, you might
only allow point to point, and pick a custom port.

-- bruce (sqlwork.com)



"Fariba" <fariba@yahoo.com> wrote in message
news:ugA3HDDVGHA.2344@TK2MSFTNGP10.phx.gbl...[color=blue]
> Hello All,
>
> I have an asp.net application hosting in IIS 6.0 which talks to a database
> in another DMZ (with firwall installed in between). I know that I can
> enrypt
> and decrypt my connection string into web server's registry instead of
> plain
> text in web.config ,but I was just thinking that once the app want to talk
> to database ,does it send the connection string in plain text agian OR I
> have to take extra steps to secure that too? Could you please guide me to
> a
> good article explaining this?
>
> Thanks a lot
>
>[/color]

re: Secure connection to database

Hi Bruce,

Database is sql server .Username and password is in connection string.
Could you please elaborate more on this:[color=blue]
> also when you open the firewall for IIS to talk to the database, you might
> only allow point to point, and pick a custom port.[/color]


Thanks a lot for your nice reply.

"Bruce Barker" <brubar_nospamplease_@safeco.com> wrote in message
news:OrDgAZEVGHA.5332@tk2msftngp13.phx.gbl...[color=blue]
> depends on the database and what is in the connection string. some
> databases (say sqlserver) can be configured to connect over ssl, or can't.
> also is the username/password in the connect string?
>
> also when you open the firewall for IIS to talk to the database, you might
> only allow point to point, and pick a custom port.
>
> -- bruce (sqlwork.com)
>
>
>
> "Fariba" <fariba@yahoo.com> wrote in message
> news:ugA3HDDVGHA.2344@TK2MSFTNGP10.phx.gbl...[color=green]
>> Hello All,
>>
>> I have an asp.net application hosting in IIS 6.0 which talks to a
>> database
>> in another DMZ (with firwall installed in between). I know that I can
>> enrypt
>> and decrypt my connection string into web server's registry instead of
>> plain
>> text in web.config ,but I was just thinking that once the app want to
>> talk
>> to database ,does it send the connection string in plain text agian OR I
>> have to take extra steps to secure that too? Could you please guide me to
>> a
>> good article explaining this?
>>
>> Thanks a lot
>>
>>[/color]
>
>[/color]

re: Secure connection to database

Thus wrote Fariba,
[color=blue]
> Hello All,
>
> I have an asp.net application hosting in IIS 6.0 which talks to a
> database in another DMZ (with firwall installed in between). I know
> that I can enrypt and decrypt my connection string into web server's
> registry instead of plain text in web.config ,but I was just thinking
> that once the app want to talk to database ,does it send the
> connection string in plain text agian OR I have to take extra steps to
> secure that too? Could you please guide me to a good article
> explaining this?[/color]

See http://msdn.microsoft.com/practices/...SecNetch12.asp

Cheers,
--
Joerg Jooss
news-reply@joergjooss.de