How easy is it to store DB connection strings in ActiveDirectory instead of web.config

I have a client in the healthcare industry who would prefer to store the
connection string in a centralized location in their Active Directory
repository.

Has anybody done this? What has your experience been?

Are there any stock components in ASP.NET or 3rd party that would make this
easy?

Thank you for the info.

Cheers,
-Naraen

Jan 5 '08 #1
"Naraendirakumar R.R." <no****@nospam.com> wrote in message
news:Od****************@TK2MSFTNGP03.phx.gbl...
> I have a client in the healthcare industry who would prefer to store the
> connection string in a centralized location in their Active Directory
> repository.
>
> Has anybody done this?

Not personally, but there is theoretically no reason why not...

Having said that, I can't think of any valid reason for doing so...

> Are there any stock components in ASP.NET or 3rd party that would make
> this easy?

ActiveDirectory connectivity is built directly into the .NET Framework:
http://www.google.co.uk/search?sourc...&q=%2eNET+ADSI
--
Mark Rae
ASP.NET MVP
http://www.markrae.net

Jan 5 '08 #2
I have to agree - I can't either think of any valid reason, especially when
the string could simply be encrypted in web.config. The overhead of
querying AD would certainly put it at the back of the suggestion list.

Regards

John Timney (MVP)
http://www.johntimney.com
http://www.johntimney.com/blog

Jan 5 '08 #3
You could do this. You'd probably still want to encrypt any private data
that you don't want to be available to the general public, but it is
possible to store this data in AD and retrieve it via LDAP.

The trick is where you would put the data. The default schema doesn't have
a natural place to store these types of things. Does the client know where
they would like this data stored in the AD?

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net

Jan 8 '08 #4
Joe:
Thank you for the response.

Yes. The current thinking is that we would create a separate OU to contain
all application specific settings. They do something similar using JNDI
over LDAP at this point. So, this is an attempt to mimic that practice on
the .NET stack.

Yes the plan is to encrypt data.

I was hoping there would be a way to map the .NET config classes to use LDAP
as the backing store for config info. Or at least somebody else might be
aware of a partial solution.

I haven't stayed current on the AD technology. I remember from some 2001
work we did, that we decided to have stored proc references in AD as a way
of advertising services to the enterprise. Our team picked up this
technique from one of the SQL Pass sessions we attended. I haven't been
able to find a reference on the web now.

I appreciate insights or comments you might have.

Cheers,
-Naraen

Jan 8 '08 #5
Mark, John:
Thank you for your response.

As you have probably guessed the reasons the client is asking for this are
part technical but part compliance specific. From a HIPAA and SOX point of
view they would like to portray a clear separation of responsibilities to
their auditors. They can "prove" to their auditors that nobody but a
limited group of people has access to the db password and hence only a
limited group of people can see the personally identifiable data.

Currently developers and other operators have access to the "production" web
server for all kinds of maintenance reasons. So, they can't make a
reasonable argument that encryption feature offered by ASP.NET is
sufficient. Sandboxing and isolating is not something they can do
immediately.

In the interim, I was hoping I could provide a solution that would address
their compliance concerns. They are already doing something similar on the
Java side using LDAP and JNDI to store connection strings as well as
connection objects.

Being able to do the same thing using Active Directory for ASP.NET would be
well aligned to their current SOP.

Appreciate any further comments you might have.

Cheers,
-Naraen

Jan 8 '08 #6
"Naraendirakumar R.R." <no****@nospam.com> wrote in message
news:OT**************@TK2MSFTNGP02.phx.gbl...
> Currently developers and other operators have access to the "production"
> web server for all kinds of maintenance reasons. So, they can't make a
> reasonable argument that encryption feature offered by ASP.NET is
> sufficient. Sandboxing and isolating is not something they can do
> immediately.

OK.

> In the interim, I was hoping I could provide a solution that would address
> their compliance concerns.

Have you looked at ASPNET_SETREG? That would allow you to store the
connection string encrypted in the webserver's Registry. Even if someone
were to find the key, they'd not be able to decrypt it (at least, not very
easily or quickly):
http://support.microsoft.com/kb/329290

> Being able to do the same thing using Active Directory for ASP.NET would
> be well aligned to their current SOP.

Joe K has already highlighted the main problem with this, namely where you
will actually store it since there's nothing built-in to AD...
--
Mark Rae
ASP.NET MVP
http://www.markrae.net

Jan 8 '08 #7
Mark: Yes we did consider storing it in the registry. It is one of the
fallback options if we can't figure out a way to leverage AD for this
information.

Thanks for the followup.

Cheers,
-Naraen

Jan 8 '08 #8
"Naraendirakumar R.R." <no****@nospam.com> wrote in message
news:eC**************@TK2MSFTNGP04.phx.gbl...
> Yes we did consider storing it in the registry. It is one of the fallback
> options if we can't figure out a way to use AD for this information.

OK.
--
Mark Rae
ASP.NET MVP
http://www.markrae.net

Jan 8 '08 #9
On Jan 8, 8:28 am, "Naraendirakumar R.R." <nos...@nospam.com> wrote:
> Mark, John:
> Thank you for your response.
>
> As you have probably guessed the reasons the client is asking for this are
> part technical but part compliance specific. From a HIPAA and SOX point of
> view they would like to portray a clear separation of responsibilities to
> their auditors. They can "prove" to their auditors that nobody but a
> limited group of people has access to the db password and hence only a
> limited group of people can see the personally identifiable data.

Naraen,

If IIS and SQL are in the same or in trusted domains, I think you can use
integrated security to make a trusted connection with SQL Server. This
would eliminate the need for storing a password in the connection
string.
Jan 8 '08 #10
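
The integrated-security suggestion above, as an added example that is not part of the original thread: a C# check that parses connection strings with `DbConnectionStringBuilder` and reports any that still embed a SQL-authentication password or do not request Windows authentication. The class name, host, database and account names, and the sample strings are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Data.Common;

static class ConnectionStringAudit   // hypothetical name, added example
{
    // Keywords under which SqlClient accepts a SQL-authentication password.
    static readonly string[] SecretKeys = { "Password", "Pwd" };
    // Keywords that request Windows (integrated) authentication.
    static readonly string[] TrustedKeys = { "Integrated Security", "Trusted_Connection" };
    // Values SqlClient treats as "on" for those keywords.
    static readonly string[] OnValues = { "SSPI", "true", "yes" };

    // Returns one finding per problem; an empty list means no stored secret.
    public static List<string> Audit(string name, string connectionString)
    {
        var findings = new List<string>();
        // Parses key=value pairs; keyword lookup is case-insensitive.
        var parsed = new DbConnectionStringBuilder { ConnectionString = connectionString };

        foreach (string key in SecretKeys)
            if (parsed.ContainsKey(key))
                findings.Add(name + ": embeds a password under '" + key + "'");

        bool trusted = false;
        foreach (string key in TrustedKeys)
        {
            object value;
            if (!parsed.TryGetValue(key, out value)) continue;
            string text = Convert.ToString(value).Trim();
            foreach (string on in OnValues)
                trusted |= text.Equals(on, StringComparison.OrdinalIgnoreCase);
        }
        if (!trusted)
            findings.Add(name + ": does not request integrated security");
        return findings;
    }

    static void Main()
    {
        // Constructed sample strings; host, database and account are placeholders.
        var samples = new Dictionary<string, string>
        {
            { "SqlAuth", "Data Source=db.example.internal;Initial Catalog=AppDb;" +
                         "User ID=webapp;Password=CONSTRUCTED-SAMPLE" },
            { "Trusted", "Data Source=db.example.internal;Initial Catalog=AppDb;" +
                         "Integrated Security=SSPI" }
        };
        foreach (var sample in samples)
        {
            List<string> findings = Audit(sample.Key, sample.Value);
            if (findings.Count == 0)
                Console.WriteLine(sample.Key + ": no stored secret, uses Windows authentication");
            foreach (string finding in findings)
                Console.WriteLine(finding);
        }
    }
}
```

With integrated security, SQL Server authorizes the Windows account the application connects as, so database access is granted to that identity rather than to a password held in configuration.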
