
Where/How to Securely Store ID and Password?

What are my options for *securely* storing/retrieving the ID and password
used by an ASP.NET application for accessing a SQL Server (using SQL Server
authentication)? Please note that this ID and password would be different
than the one the user enters for ASP.NET forms authentication. The
ID/password in question is used by the application, itself, for accessing
the SQL Server.

Thanks in advance.
Nov 18 '05 #1
You can encrypt it and store it in the web.config file. Since a .config file is not
served by IIS, it is as secure as your DB is.

"Guadala Harry" <gh****@aol.com> wrote in message
news:O8****************@TK2MSFTNGP11.phx.gbl...
Nov 18 '05 #2
There is no really secure way: all other web sites have the same directory/registry
access as yours. The best you can do is some encryption, but the key will be
hardcoded in your app, and thus available to all sites on the server (they
can open your assembly and look for the key).

Hopefully someday MS will solve this, as the solution requires a change to
IIS or the OS.

-- bruce (sqlwork.com)

Nov 18 '05 #3
See Chris Falter's article on our site here:

http://www.eggheadcafe.com/articles/20021211.asp

Note that there may have been some improvements to this
scheme since the article was originally published.

--Peter

Nov 18 '05 #4
Here are the options for storing database connection strings securely:

- Encrypted with DPAPI
- Clear text in Web.config or Machine.config
- Custom text files
- Registry

Using DPAPI
Windows 2000 and later operating systems provide the Win32 Data Protection
API (DPAPI) for encrypting and decrypting data. DPAPI is part of the
Cryptography API (Crypto API) and is implemented in Crypt32.dll. It consists
of two methods: CryptProtectData and CryptUnprotectData.

DPAPI is particularly useful in that it can eliminate the key management
problem exposed to applications that use cryptography. While encryption
ensures the data is secure, you must take additional steps to ensure the
security of the key. DPAPI uses the password of the user account associated
with the code that calls the DPAPI functions in order to derive the
encryption key. As a result the operating system (and not the application)
manages the key.

If you use the machine store (and call the DPAPI functions with the
CRYPTPROTECT_LOCAL_MACHINE flag) you can call the DPAPI functions directly
from an ASP.NET Web application (because you don't need a user profile).
However, because you are using the machine store, any Windows account that
can log on to the computer has access to the secret. A mitigating approach
is to add entropy but this requires additional key management.

Using Web.config and Machine.config
Storing plain text passwords in Web.config is not recommended. By default,
the HttpForbiddenHandler protects the file from being downloaded and viewed
by malicious users. However, users who have direct access to the folders
that contain the configuration files can still see the user name and
password.

Machine.config is considered a more secure storage location than Web.config
because it is located in a system directory (with ACLs) outside of a Web
application's virtual directory. Always lock down Machine.config with ACLs.


Using Custom Text Files
Many applications use custom text files to store connection strings. If you
do adopt this approach consider the following recommendations:

a. Store custom files outside of your application's virtual directory
hierarchy.
b. Consider storing files on a separate logical volume from the operating
system to protect against possible file canonicalization and directory
traversal bugs.
c. Protect the file with a restricted ACL that grants read access to your
application's process account.
d. Avoid storing the connection string in clear text in the file.
Instead, consider using DPAPI to store an encrypted string.

Using the Registry
You can use a custom key in the Windows registry to store the connection
string. This information can be stored in either the
HKEY_LOCAL_MACHINE (HKLM) or the HKEY_CURRENT_USER (HKCU) registry hive. For
process identities, such as the ASPNET account, that do not have user
profiles, the information must be stored in HKLM in order to allow ASP.NET
code to retrieve it.

If you do use this approach, you should:

a. Use ACLs to protect the registry key using Regedt32.exe.
b. Encrypt the data prior to storage.

Hope this helps.

Nov 18 '05 #5
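A worked version of the DPAPI machine-store option described in the reply above, as an added example that is not part of the thread or any Microsoft sample. It assumes the .NET 2.0 System.Security.Cryptography.ProtectedData wrapper (which postdates this thread and runs on Windows only), a hypothetical file path, and a constructed entropy string:

```csharp
// Added example (not from the thread): the DPAPI machine-store approach
// from the reply above. ProtectedData wraps CryptProtectData/
// CryptUnprotectData; DataProtectionScope.LocalMachine is the
// CRYPTPROTECT_LOCAL_MACHINE case (no user profile needed), and the
// optional entropy is the extra secret the reply says mitigates the
// "any local account can decrypt" weakness of the machine store.
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

public static class ConnectionStringVault
{
    public static void Store(string path, string connectionString, byte[] entropy)
    {
        byte[] plain = Encoding.UTF8.GetBytes(connectionString);
        try
        {
            byte[] blob = ProtectedData.Protect(plain, entropy, DataProtectionScope.LocalMachine);
            // Keep the file outside the virtual directory, ACL'd so that only
            // the application's process account can read it.
            File.WriteAllBytes(path, blob);
        }
        finally { Array.Clear(plain, 0, plain.Length); } // don't leave the secret in memory
    }

    public static string Load(string path, byte[] entropy)
    {
        byte[] plain = ProtectedData.Unprotect(File.ReadAllBytes(path), entropy,
                                               DataProtectionScope.LocalMachine);
        try { return Encoding.UTF8.GetString(plain); }
        finally { Array.Clear(plain, 0, plain.Length); }
    }

    public static void Main()
    {
        // Constructed sample values; the path and the entropy source are hypothetical.
        string path = @"D:\AppSecrets\db.conn.dpapi";
        byte[] entropy = Encoding.UTF8.GetBytes("per-application-entropy-kept-elsewhere");
        Store(path, "Server=sql01;Database=Orders;User Id=webapp;Password=S3cret!", entropy);
        Console.WriteLine(Load(path, entropy)); // round trip succeeds on this machine

        // Same machine, different entropy: CryptUnprotectData refuses, which is
        // what keeps another local account from reading the blob with DPAPI alone.
        try { Load(path, Encoding.UTF8.GetBytes("wrong-entropy")); }
        catch (CryptographicException) { Console.WriteLine("Unprotect failed: entropy mismatch."); }
    }
}
```

The entropy bytes must themselves live somewhere the other sites' process accounts cannot read; as the reply notes, that is the residual key-management problem, and this pair of methods is only as strong as that placement plus the ACL on the blob file.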
Thanks for the comprehensive answer - it helps a lot.

G

"Martha[MSFT]" <ma******@online.microsoft.com> wrote in message
news:u7****************@TK2MSFTNGP10.phx.gbl...

Nov 18 '05 #6
