Re: Encryption of Connection String

From: "Mark Rae" <mark@xxxxxxxxxxxxxxxxx>
Date: Mon, 11 Dec 2006 13:12:39 -0000

"Ashish Jain" <erashishjain@xxxxxxxxxxx> wrote in message
news:%23B0BYpQHHHA.1064@xxxxxxxxxxxxxxxxxxxxxxx

Environment: .Net Framwework 2.0/SQL Server 2005 - Windows XP SP2/Windows
Server 2003

My web application is a mix of ASP and ASP.Net. My "ASP" web application
uses a serviced COM+ component written in C# 2.0 for authentication. The
confuguration file itself is located in System32 folder as required by
COM+. For reading the config file, we are creating a separate appdomain in
the serviced component (since COM+ component is used by ASP pages).

The connection string is stored in clear text right now and I want to
encrypt it.

My developer environment is Windows XP SP2 and deployment is Windows
Server 2003. I want the approach to work on both systems. Also, I want to
keep it easy to copy the installation from one machine to another with
minimum changes (say from QA to deployment).

Can you please guide me on the standard approach for encryption of
connection string?

There is no "standard approach" per se - take a look at the
System.Cryptography namespace - loads of options for string encryption...
Also, a cursory Google search would have shown you loads of possibilities
too:
http://www.google.co.uk/search?sourceid=navclient&ie=UTF-8&rls=GGLG,GGLG:2006-28,GGLG:en&q=%22web%2econfig%22+%22connection+string%22+encrypt

However, you might ask yourself why you should bother doing this in the
first place... Who are you trying to hide the connection string from...? If
your users can see it, then you need to start from the beginning!

If a hacker is clever enough (or your security is poor enough) to get as far
as being able to read your config file, then the fact that its contents may
or may not be encrypted really is the least of your worries... :-)

.

References:
- Encryption of Connection String
  - From: Ashish Jain

Prev by Date: invalidcastexception
Next by Date: Re: invalidcastexception
Previous by thread: Encryption of Connection String
Next by thread: Enforcing https.
Index(es):
- Date
- Thread

Relevant Pages

Re: Cant connect from ASP app
... as well - try to ping the server from the ASP box, ... telnet to the listening port on the server from the ASP box, ... try creating a TCP IP alias for the SQL Server instance ... Also with the connection string, ...
(microsoft.public.sqlserver.connect)
Re: Help Encrypting Connection String
... I've seen DPAPI examples before, but many have been confusing or incomplete. ... so that I can invoke the encryption code remotely. ... > you mean classic ASP?? ... >> have simply 'overridden' the LocalSqlServer connection string to point ...
(microsoft.public.dotnet.framework.aspnet.security)
Cant connect from ASP app
... My SQL server is on one PC, and the ASP web application is on ... executed simple dotNET program that uses the very same connection string to ...
(microsoft.public.sqlserver.connect)
Re: Authentication to server with SSL through firewall
... 1.The client is my Web Server. ... By default dblibrary applications will send the connection string in the ... not encrypted unless you specify the client use "force protocol encryption". ... establishing a connection to SQL Server using Standard Security. ...
(microsoft.public.sqlserver.security)
Re: Moved website and now ASP doent work with access?
... > Did you update your connection string for the database? ... The site is mostly html files and the search is asp. ... >>backend is an access database. ... >> The new server IIS has the FrontPage, ASP, and CGI enabled. ...
(microsoft.public.frontpage.programming)