473,687 Members | 2,962 Online
Bytes | Software Development & Data Engineering Community
+ Post

Home Posts Topics Members FAQ

Connection String in .config file - Security Concerns

Hello,

I have developed a web application that connects to 2 different database
servers. The connection strings with db username + password are stored in
web.config file.
After a code review, one developer suggested that it's a security flaw;
therefore connection strings should be kept somewhere else or encrypted.
My argument is that web.config file is protected by IIS and Windows security
which is the case. And another argument is that encryption would probably
require a key or cipher which also would have to be stored somewhere. Hard
coding it in the code would mean that someone could easily disassemble web
app .dll file and get that key, if someone already was smart enough to breach
IIS and Windows security.

My questions to you:
1. Any real life concerns keeping connection strings in .config files
2. Other locations where connection strings can be kept securely
3. If you do recommend encryption, what encryption methods, Where should key
be kept.

Thank you

Jan 25 '06 #1
14 3496
Check out the DPAPI

http://msdn.microsoft.com/library/de...SecNetHT07.asp

Or you can build a data access layer that is behind a firewall.

_Randal

Jan 25 '06 #2
It really depends on how ultra secure you need to be.

You can argue that if someone gained access to your machine to the point
that they can look at your web.config, then it is too late anyway, and that
person already has enough access to inflict all sorts of damage.

Now, beyond that, it is about how much harder you want to make it for the
person who breached your security. Certainly reading it from a config file
is a lot less work then decompiling a dll (or many dll's), and searching
through it looking for the one spot where the encryption key is. Then the
person has to write a little program or something to decrypt using your
encryption key. Now you have added a lot more work, and so this hacker may
not actualy go and do all this.

"WebMatrix" <We*******@disc ussions.microso ft.com> wrote in message
news:73******** *************** ***********@mic rosoft.com...
Hello,

I have developed a web application that connects to 2 different database
servers. The connection strings with db username + password are stored in
web.config file.
After a code review, one developer suggested that it's a security flaw;
therefore connection strings should be kept somewhere else or encrypted.
My argument is that web.config file is protected by IIS and Windows
security
which is the case. And another argument is that encryption would probably
require a key or cipher which also would have to be stored somewhere. Hard
coding it in the code would mean that someone could easily disassemble web
app .dll file and get that key, if someone already was smart enough to
breach
IIS and Windows security.

My questions to you:
1. Any real life concerns keeping connection strings in .config files
2. Other locations where connection strings can be kept securely
3. If you do recommend encryption, what encryption methods, Where should
key
be kept.

Thank you

Jan 25 '06 #3
Well, security is definitely a concern. First, do you want to trust Windows
in its security, however, it is not like they have had any significant
vulnerabilities . ;-)

Second, if anyone was to gain physical access to the machine they would be
able to see the credentials.

In short, best practices says that credentials should not be stored in
plaintext.

There are two ways of going about securing you databases.

1) Encryption is a possibility. You are correct about the problem with
storing a key. That kind of defines the chicken-and-the-egg problem in that
in order to secure secrets you must define new secrets. One way around this
would be to use the DPAPI that is part of Windows
(http://msdn.microsoft.com/library/de...ecNetHT07.asp).
This does not require that you use a key because it derives the key from
information on the system.
2) You can use trusted connections between SqlServer and your website.
This means that you do not have to store the username and password. You can
simply tell IIS to trust the webserver account.
"WebMatrix" <We*******@disc ussions.microso ft.com> wrote in message
news:73******** *************** ***********@mic rosoft.com...
Hello,

I have developed a web application that connects to 2 different database
servers. The connection strings with db username + password are stored in
web.config file.
After a code review, one developer suggested that it's a security flaw;
therefore connection strings should be kept somewhere else or encrypted.
My argument is that web.config file is protected by IIS and Windows
security
which is the case. And another argument is that encryption would probably
require a key or cipher which also would have to be stored somewhere. Hard
coding it in the code would mean that someone could easily disassemble web
app .dll file and get that key, if someone already was smart enough to
breach
IIS and Windows security.

My questions to you:
1. Any real life concerns keeping connection strings in .config files
2. Other locations where connection strings can be kept securely
3. If you do recommend encryption, what encryption methods, Where should
key
be kept.

Thank you

Jan 25 '06 #4
Everybody is right. These files are not served, so it really boils down to
"How secure do I need to be". In ASP.NET 1.1 there is a utility for this
exact purpose:

http://support.microsoft.com/Default.aspx?kbid=329290

In ASP.NET 2.0, the feature is built into the Framwork.
Peter

--
Co-founder, Eggheadcafe.com developer portal:
http://www.eggheadcafe.com
UnBlog:
http://petesbloggerama.blogspot.com


"WebMatrix" wrote:
Hello,

I have developed a web application that connects to 2 different database
servers. The connection strings with db username + password are stored in
web.config file.
After a code review, one developer suggested that it's a security flaw;
therefore connection strings should be kept somewhere else or encrypted.
My argument is that web.config file is protected by IIS and Windows security
which is the case. And another argument is that encryption would probably
require a key or cipher which also would have to be stored somewhere. Hard
coding it in the code would mean that someone could easily disassemble web
app .dll file and get that key, if someone already was smart enough to breach
IIS and Windows security.

My questions to you:
1. Any real life concerns keeping connection strings in .config files
2. Other locations where connection strings can be kept securely
3. If you do recommend encryption, what encryption methods, Where should key
be kept.

Thank you

Jan 25 '06 #5
This only works with certain elements in the config file. I do not think it
works with any arbitrary content. This has been a complaint of mine for
some time about this utility.

-----
When you apply the hotfix that is described in Microsoft Knowledge Base
article 329250 (see "References "), you can use encrypted data that is stored
in the registry instead of plain text in the following configuration
sections: . <identity userName= password= />
. <processModel userName= password= />
. <sessionState stateConnection String= sqlConnectionSt ring= />

-----
"Peter Bromberg [C# MVP]" <pb*******@yaho o.nospammin.com > wrote in message
news:83******** *************** ***********@mic rosoft.com...
Everybody is right. These files are not served, so it really boils down
to
"How secure do I need to be". In ASP.NET 1.1 there is a utility for this
exact purpose:

http://support.microsoft.com/Default.aspx?kbid=329290

In ASP.NET 2.0, the feature is built into the Framwork.
Peter

--
Co-founder, Eggheadcafe.com developer portal:
http://www.eggheadcafe.com
UnBlog:
http://petesbloggerama.blogspot.com


"WebMatrix" wrote:
Hello,

I have developed a web application that connects to 2 different database
servers. The connection strings with db username + password are stored in
web.config file.
After a code review, one developer suggested that it's a security flaw;
therefore connection strings should be kept somewhere else or encrypted.
My argument is that web.config file is protected by IIS and Windows
security
which is the case. And another argument is that encryption would probably
require a key or cipher which also would have to be stored somewhere.
Hard
coding it in the code would mean that someone could easily disassemble
web
app .dll file and get that key, if someone already was smart enough to
breach
IIS and Windows security.

My questions to you:
1. Any real life concerns keeping connection strings in .config files
2. Other locations where connection strings can be kept securely
3. If you do recommend encryption, what encryption methods, Where should
key
be kept.

Thank you

Jan 25 '06 #6
In reality, there is a security concern. There is never a solution in
security, which is why everything is called a "deterrent" .

If you set IIS up properly, and assuming that there are no security
flaws in IIS which would serve up the config file (ha!), you still have to
worry about internal threats. If someone has access to the machine, then
they can easily look in the web config file for the username and password
that accesses the database.

You can encrypt the string, but then you have to protect the key.
However, encryption is a deterrent, because no one is going to try and brute
force the decryption. Here is a blog entry regarding encrypting the
connection string in ASP.NET:

http://weblogs.asp.net/owscott/archi...29/421063.aspx

However, I think that neither of these is a good solution. Personally,
I think that you should be using windows authentication to access your DB
server (SQL Server does this, I dont know about others). Of course, I don't
recommend that you allow the ASPNET user to access the SQL Server. Rather,
if you are using windows identities, and you are impersonating, I would use
a trusted connection.

Even if not using windows identities, I would place my data operations
in a class derived from ServicedCompone nt that ASPNET can access, and then
have the ServicedCompone nt (COM+) run under a single user account that has
acceess to the database. You can set the connection string as the
construction string for the ServicedCompone nt, and use a trusted connection.
Then, only administrators can access the components on the machine, and see
the connection string, and if they did, they wouldn't know the credentials
to the database.

Hope this helps.

--
- Nicholas Paldino [.NET/C# MVP]
- mv*@spam.guard. caspershouse.co m

"WebMatrix" <We*******@disc ussions.microso ft.com> wrote in message
news:73******** *************** ***********@mic rosoft.com...
Hello,

I have developed a web application that connects to 2 different database
servers. The connection strings with db username + password are stored in
web.config file.
After a code review, one developer suggested that it's a security flaw;
therefore connection strings should be kept somewhere else or encrypted.
My argument is that web.config file is protected by IIS and Windows
security
which is the case. And another argument is that encryption would probably
require a key or cipher which also would have to be stored somewhere. Hard
coding it in the code would mean that someone could easily disassemble web
app .dll file and get that key, if someone already was smart enough to
breach
IIS and Windows security.

My questions to you:
1. Any real life concerns keeping connection strings in .config files
2. Other locations where connection strings can be kept securely
3. If you do recommend encryption, what encryption methods, Where should
key
be kept.

Thank you

Jan 25 '06 #7
You can encrypt several sections (including connection strings) using the
in-built encryption methods in ASP.NET 2.0;

http://msdn.microsoft.com/library/de...aght000005.asp

This protects the file from plain text (reading) attacks. *however*, if
somebody can write a simple .NET web-page, it can *directly* read the
unencrypted values (the encryption is completely transparent to an ASP.NET
web-page running in the correct account). For this reason, using this
approach I would still not recommend storing passwords (trusted logins being
preferable). And because the connection-string section in ASP.NET is well
supported, it is also very easy to ask "what connection strings have you
got?" rather than needing to know anything in advance. This can be done with
a simple ashx dumped into the root of the web application - in less than a
page you can attempt to connect to all the servers listed and try to get
their catalogues...

IMO any DPAPI wrapper is, in its way, susceptible to the same type of
attack - as long as they can get code to run in an account that has access
to the read-keys (i.e. the web-server's account), it can be hacked. If
somebody can be bothered.

But as sombody else observed, if they can get this far you're already in
trouble...

Marc

Jan 25 '06 #8
THe problem with using trusted connections to SQL Server is that connection
pools don't work with trusted connections. Also, trusted connections only
work when the SQL Server is on the same machine as IIS.

The rest of what everyone has said is definitely correct, in the
circumstances where those solutions (or deterrents) work best.

If you're able to use the Enterprise Library, it has relatively secure
encryption capability for the connection string.

In the project I am currently working on, Enterprise Library is not an
option (which is fine with me - I'm not a big fan of it anyway) and because
the IIS machines are separate from the database (the database is DB2 on a
mainframe) and the IIS servers are, by policy, not allowed to access the
registry.

As a result, I just wrote a simple encryption/decryption utility based on my
article at
http://www.dalepreston.com/Blog/2005...is-simple.html.

The problem with this, and all solutions that are not DPAPI based, is that
the server has to be able to access the encrypted data and the decryption
key. If someone can get to the server to find the web.config file in the
first place, they will have access to the encrypted connection string and the
key to decrypt it.

The best you can hope to do, and you should do it, is to encrypt the string,
hide the key as best you can using Windows security, either in the file
system or in the registry, or even in your app, and hope that is enough
deterrent for someone who penetrates your physical and file system security
otherwise.

Or, put IIS and SQL Server on the same box, forfit connection pooling, and
use Windows Integrated Authentication.
--
Dale Preston
MCAD C#
MCSE, MCDBA
"Nicholas Paldino [.NET/C# MVP]" wrote:
In reality, there is a security concern. There is never a solution in
security, which is why everything is called a "deterrent" .

If you set IIS up properly, and assuming that there are no security
flaws in IIS which would serve up the config file (ha!), you still have to
worry about internal threats. If someone has access to the machine, then
they can easily look in the web config file for the username and password
that accesses the database.

You can encrypt the string, but then you have to protect the key.
However, encryption is a deterrent, because no one is going to try and brute
force the decryption. Here is a blog entry regarding encrypting the
connection string in ASP.NET:

http://weblogs.asp.net/owscott/archi...29/421063.aspx

However, I think that neither of these is a good solution. Personally,
I think that you should be using windows authentication to access your DB
server (SQL Server does this, I dont know about others). Of course, I don't
recommend that you allow the ASPNET user to access the SQL Server. Rather,
if you are using windows identities, and you are impersonating, I would use
a trusted connection.

Even if not using windows identities, I would place my data operations
in a class derived from ServicedCompone nt that ASPNET can access, and then
have the ServicedCompone nt (COM+) run under a single user account that has
acceess to the database. You can set the connection string as the
construction string for the ServicedCompone nt, and use a trusted connection.
Then, only administrators can access the components on the machine, and see
the connection string, and if they did, they wouldn't know the credentials
to the database.

Hope this helps.

--
- Nicholas Paldino [.NET/C# MVP]
- mv*@spam.guard. caspershouse.co m

"WebMatrix" <We*******@disc ussions.microso ft.com> wrote in message
news:73******** *************** ***********@mic rosoft.com...
Hello,

I have developed a web application that connects to 2 different database
servers. The connection strings with db username + password are stored in
web.config file.
After a code review, one developer suggested that it's a security flaw;
therefore connection strings should be kept somewhere else or encrypted.
My argument is that web.config file is protected by IIS and Windows
security
which is the case. And another argument is that encryption would probably
require a key or cipher which also would have to be stored somewhere. Hard
coding it in the code would mean that someone could easily disassemble web
app .dll file and get that key, if someone already was smart enough to
breach
IIS and Windows security.

My questions to you:
1. Any real life concerns keeping connection strings in .config files
2. Other locations where connection strings can be kept securely
3. If you do recommend encryption, what encryption methods, Where should
key
be kept.

Thank you


Jan 26 '06 #9
> Also, trusted connections only work when the SQL Server is on the same
machine as IIS


No; trusted connections using a domain account will work anwhere within that
domain; if you use machine (not domain) accounts, you can mirror the account
(same name and password) on 2 machines trusted connections can work.

Marc
Jan 26 '06 #10

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

2
2384
by: Shyam | last post by:
Hi, I wanted some advice on the following. All the users who log in to the system are created in the SQL Server. As I am not keen to store any user information on the web.config file for security considerations and I need to use SQL logins for each user, I decided to create a class CurrentUserClass (some what similar to the TTUser class in microsoft's ASP.NET sample Time Track application) with properties like Name, First Name, LastName,...
4
6726
by: Charlie | last post by:
Hi: I'm storing my dB connection in web.config file. Since it will be easily read by opening file, what is a good way to secure it? Thanks, Charlie
12
3464
by: Charlie | last post by:
Hi: My host will not allow me use a trusted connection or make registry setting, so I'm stuck trying find a way to hide connection string which will be stored in web.config file. If I encrypt string externally, can it be used in it's encrypted form to connect to SQL Server? If I decrypt back to string for use in connection string during runtime, I have to supply a key. If I do that, hacker could use key to break encryption. How do I...
0
1053
by: dbuchanan | last post by:
While trying to use a config file to provide my connection string I get a System.ArgumentException with the following message; "Format of the initialization string does not conform to specification starting at index 0" What does this mean and What am I doing wrong? ==== My config file <?xml version="1.0" encoding="utf-8" ?> <configuration>
6
17718
by: Bala Nagarajan | last post by:
Hello, I am using Oracle 9i in my application and facing a problem with the connection string. In the datasource attribute of the connection string i had to specify an entry in "tnsnames.ora" file for it to work correctly. If i copy and paste the entry in the "tnsname.ora" file it complains the connection string is too long. I want to avoid using the "tnsnames.ora" file since it exposes the server (and needles to say the configuaration!)...
14
2011
by: WebMatrix | last post by:
Hello, I have developed a web application that connects to 2 different database servers. The connection strings with db username + password are stored in web.config file. After a code review, one developer suggested that it's a security flaw; therefore connection strings should be kept somewhere else or encrypted. My argument is that web.config file is protected by IIS and Windows security which is the case. And another argument is that...
7
3703
by: Jim Butler | last post by:
I have this error that is happening on all of our web servers (production included). It basically started occurring once we loaded 2005 sql client tools, asp.net 2.0 (and all related prerequistes) on our windows 2003 web servers (unfortunately they are needed, so uninstalling is not an option). The web app where this happens, runs both asp code and .net 1.1 code within the same web app. In the asp app, we scrape and post data to .net 1.1...
3
13353
by: Ted | last post by:
In WSAT, I get the following error when trying to set up my provider: Could not establish a connection to the database. If you have not yet created the SQL Server database, exit the Web Site Administration tool, use the aspnet_regsql command-line utility to create and configure the database, and then return to this tool to set the provider. On Windows XP Pro, I am using MS Visual Studio 2005, and I am using the developer's edition of...
8
6330
by: Brett | last post by:
I wrote an ASP.NET application that queries a SQL Server database (on a different box from the web server) and displays the result in a GridView. The datasource for the GridView is a SQLDataSource. Just to get it to work, I hard-coded the username and password of a SQL Server account in the connectionstring in web.config. Once I confirmed that this worked on the web server, I wanted to remove the hard-coded password from web.config, so I...
0
8590
marktang
by: marktang | last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However, people are often confused as to whether an ONU can Work As a Router. In this blog post, we’ll explore What is ONU, What Is Router, ONU & Router’s main usage, and What is the difference between ONU and Router. Let’s take a closer look ! Part I. Meaning of...
0
8527
by: Hystou | last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it. First, let's disable language synchronization. With a Microsoft account, language settings sync across devices. To prevent any complications,...
0
8947
jinu1996
by: jinu1996 | last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that captivates audiences and drives business growth. The Art of Business Website Design Your website is...
0
8783
tracyyun
by: tracyyun | last post by:
Dear forum friends, With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each protocol has its own unique characteristics and advantages, but as a user who is planning to build a smart home system, I am a bit confused by the choice of these technologies. I'm particularly interested in Zigbee because I've heard it does some...
0
7618
agi2029
by: agi2029 | last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing, and deployment—without human intervention. Imagine an AI that can take a project description, break it down, write the code, debug it, and then launch it, all on its own.... Now, this would greatly impact the work of software developers. The idea...
0
5806
by: conductexam | last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and then checking html paragraph one by one. At the time of converting from word file to html my equations which are in the word document file was convert into image. Globals.ThisAddIn.Application.ActiveDocument.Select();...
0
4321
by: TSSRALBI | last post by:
Hello I'm a network technician in training and I need your help. I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs. The last exercise I practiced was to create a LAN-to-LAN VPN between two Pfsense firewalls, by using IPSEC protocols. I succeeded, with both firewalls in the same network. But I'm wondering if it's possible to do the same thing, with 2 Pfsense firewalls...
1
2961
by: 6302768590 | last post by:
Hai team i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated we have to send another system
2
2214
muto222
by: muto222 | last post by:
How can i add a mobile payment intergratation into php mysql website.

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.