
ConnectionStrings in ASP.NET 2.0?

The connection strings now have a ConnectionStrings section in the
web.config.

However, the main flaw of this method is that if you put the password
in the connection string, it can be read by any text editor that
might have access to the root directory.

Is there a method in place now that these strings can be encrypted or
still accessible from the web.config but hidden and be used from
ASP.NET application?

Dec 16 '05 #1
And who's gonna have access to that folder?
<ss*******@gmail.com> wrote in message
news:11*********************@g14g2000cwa.googlegroups.com...
> The connection strings now have a ConnectionStrings section in the
> web.config.
>
> However, the main flaw of this method is that if you put the password
> in the connection string, it can be read by any text editor that
> might have access to the root directory.
>
> Is there a method in place now that these strings can be encrypted or
> still accessible from the web.config but hidden and be used from
> ASP.NET application?

Dec 16 '05 #2
That's exactly my point... to keep passwords out of the hands of people
that might find some way of getting access to that folder.

Dec 17 '05 #3
Yes, there are methods in place to encrypt sections of the web.config
file, including <connectionStrings>.

http://msdn.microsoft.com/library/de...aght000005.asp

OR

http://msdn.microsoft.com/library/de...aght000005.asp

Both use the aspnet_regiis.exe command-line utility included with the
.NET Framework Runtime.

Joshua Flanagan
http://flimflan.com/blog
Dec 17 '05 #4
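
The encryption step described in the post above, as an added example that is not part of the original thread. It assumes an administrator shell on the web server, the .NET 2.0 framework directory, a hypothetical application path `C:\Inetpub\wwwroot\MyApp`, and a worker process running as `NT AUTHORITY\NETWORK SERVICE`; adjust these to the actual host.

```powershell
# Added example. $appPath and the worker-process account are assumptions.
$regiis  = Join-Path $env:WINDIR 'Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe'
$appPath = 'C:\Inetpub\wwwroot\MyApp'          # hypothetical folder that holds web.config
$config  = Join-Path $appPath 'web.config'
$account = 'NT AUTHORITY\NETWORK SERVICE'      # assumed identity of the ASP.NET worker process

if (-not (Test-Path $regiis)) { throw "aspnet_regiis.exe not found at $regiis" }
if (-not (Test-Path $config)) { throw "No web.config found in $appPath" }

# Encrypt the <connectionStrings> section in place, by physical path (-pef),
# using the RSA protected-configuration provider.
& $regiis -pef 'connectionStrings' $appPath -prov 'RsaProtectedConfigurationProvider'

# Grant the worker-process identity read access to the default RSA key
# container, otherwise ASP.NET cannot decrypt the section at run time.
& $regiis -pa 'NetFrameworkConfigurationKey' $account

# Verify the result from the file itself rather than trusting tool output.
[xml]$xml = Get-Content $config
$section  = $xml.configuration.connectionStrings
if (-not $section) { throw 'web.config has no <connectionStrings> section' }
if (-not $section.EncryptedData) {
    throw '<connectionStrings> is still plaintext; encryption did not take effect'
}

# A leftover "password=" elsewhere in the file (for example in appSettings)
# means a credential is still readable by anyone who can open web.config.
if (Select-String -Path $config -Pattern 'password\s*=' -Quiet) {
    Write-Warning 'A plaintext password= value is still present in web.config'
}

# To reverse the change for editing: & $regiis -pdf 'connectionStrings' $appPath
```

Application code does not change: ASP.NET decrypts the section transparently when the connection string is read through the configuration API.
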
Question again:
If the app is on a webserver, WHO has access to the server (through NETBIOS
I mean)
A common mistake is that HTTP users can read the connectionstring somehow.
That's impossible unless ASP.NET support drops (crashes) for some reason.

<ss*******@gmail.com> wrote in message
news:11*********************@o13g2000cwo.googlegroups.com...
> That's exactly my point... to keep passwords out of the hands of people
> that might find some way of getting access to that folder.

Dec 17 '05 #5
> If the app is on a webserver, WHO has access to the server (through
> NETBIOS I mean)

Do you mean over the LAN or on the same Domain? That would be determined by
local file system and domain permissions. Anyone on the same Domain or LAN
who has local file system or domain permission to access the file would be
able to read it.

--
HTH,

Kevin Spencer
Microsoft MVP
.Net Developer
You can lead a fish to a bicycle,
but it takes a very long time,
and the bicycle has to *want* to change.

"Edwin Knoppert" <in**@pbsoft.speedlinq.nl> wrote in message
news:do**********@azure.qinip.net...
> Question again:
> If the app is on a webserver, WHO has access to the server (through
> NETBIOS I mean)
> A common mistake is that HTTP users can read the connectionstring somehow.
> That's impossible unless ASP.NET support drops (crashes) for some reason.
>
> <ss*******@gmail.com> wrote in message
> news:11*********************@o13g2000cwo.googlegroups.com...
> > That's exactly my point... to keep passwords out of the hands of people
> > that might find some way of getting access to that folder.


Dec 17 '05 #6
You're right.

But, even if someone does have domain rights to the web.config, that doesn't
mean that they should have the connection string information -- thus, it
being encrypted for that reason.

Jan 4 '06 #7
"Joshua Flanagan" <jo**@msnews.com> wrote in message
news:uv*************@TK2MSFTNGP12.phx.gbl...
> Yes, there are methods in place to encrypt sections of the web.config
> file, including <connectionStrings>.
>
> http://msdn.microsoft.com/library/de...aght000005.asp
>
> OR
>
> http://msdn.microsoft.com/library/de...aght000005.asp
>
> Both use the aspnet_regiis.exe command-line utility included with the .NET
> Framework Runtime.


Yes indeed, but both methods assume that you have read access to the web
server's local registry - if this is a public website hosted with a public
ISP, you'd be very lucky to have this....

Also, both methods assume that you have *WRITE* access to the web server's
local registry to create the encrypted registry key(s) in the first place -
in the above scenario, I'd be totally amazed if you have this.
Jan 4 '06 #8
DJ
Thinking about this, if someone who is hostile (read, would use the
connection string maliciously) has rights to the directory the web.config is
in and can actually open up that file in a text editor, you have bigger
security problems at hand to worry about than whether or not they can get a
connection string. This would immediately indicate your security is in the
basement and you need to hire new sysadmins. These hostile parties would
pretty much own your site.

This rates with the older question "Is it safe to put a connection string in
the global.asa under ASP Classic?" If someone can actually get into the
directory structure to get that connection string out, they probably already
own my machine, they are in as an admin, and they can get into my database
(whether it's on a remote machine or local).

Strict security practices and ensuring they are adhered to religiously is
your best protection.

Of course, I could be wrong, but that's just my two cents worth.

DJ

"ss*******@gmail.com" wrote:
> You're right.
>
> But, even if someone does have domain rights to the web.config, that doesn't
> mean that they should have the connection string information -- thus, it
> being encrypted for that reason.

Mar 28 '06 #9
