Re: Encryption of application configuration block
- From: "Dave Sexton" <dave@jwa[remove.this]online.com>
- Date: Wed, 19 Jul 2006 12:42:53 -0400
Hi Steven,
If you're trying to protect an SQL login password then instead create an SQL
login with only those permissions that are required by your application.
This way your users can see the password but can't do anything to the
database that they can't already do from your application.
Another, more secure option is to use Windows authentication and configure
access to SQL Server objects based on the current user's Windows account.
Set the connection string property "Trusted_Connection=Yes" and configure
access to SQL Server objects on a per-user basis.
If you really must encrypt your connection strings, here are some links;
however, note that configuration encryption is intended for applications that
reside on a server and not applications that are frequently deployed to
client machines:
Securing Connection Strings
http://msdn2.microsoft.com/en-us/library/89211k9b.aspx
Protected Configuration
http://msdn2.microsoft.com/en-us/library/53tyfkaw.aspx
- Dave Sexton
"Steven Cliff" <stevecliff@xxxxxxxxxxxxxxxxx> wrote in message
news:15AF19BB-47FC-43EB-A0A5-4248FBD1D401@xxxxxxxxxxxxxxxx
I have started to use the new Enterprise Library (Jan 06) and have set up a
skeleton project using the DAAB. This all seems to work fine apart from when
I come to secure the app.config file via encryption.
I have encrypted the connectionsettings block in the config file but
obviously when I come to deploy the solution to other PCs, it cannot read
the block as it doesn't have the keys to decrypt.
I understand that as far as ASP.NET goes this is ok as the data layer is
most likely going to be on the web server, but for my winforms solution I
somehow have to let the user read this encrypted block?
I have even gone as far as to store all the connection information elsewhere
in the app.config file using other encryption routines, then letting the
application read these on startup and dynamically add a new connection string
in to the DAAB. Unfortunately this doesn't work either as the app.config
appears to be cached when the application starts and you cannot get framework
2.0 to "refresh" the app.config without exiting the application and
restarting.
I even had a go at this too! (Starting to pull my hair out now!) but of
course that gives a problem for developers in that unless we have different
app.config's for development and deployment (never a good move as it's bound
to get screwed up somewhere!) then the application simply re-copies the main
app.config every time it starts up in debug mode so you get stuck in a
vicious circle!
I really think I must be missing something somewhere as at the moment it
appears that if you need to make the app.config secure when deployed, you
cannot use the new Enterprise Library DAAB at all!
(I've also tried to use RSA encryption as well - but could not find out how
to export the RSA keys from a Winforms application as opposed to an ASP.NET
web site).
Any help or advice would be much appreciated to help save my sanity!
--
Thanks!
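
The two options suggested in the reply above, sketched in T-SQL as an added example that is not part of the original thread. It assumes SQL Server 2005 or later and an application that reaches its data through stored procedures; the database `AppDb`, schema `app`, login `app_client`, role `app_role` and Windows group `CONTOSO\AppUsers` are hypothetical names.

```sql
-- Added example. Hypothetical names: AppDb, app, app_client, app_role,
-- CONTOSO\AppUsers. Replace the password placeholder before use.

-- Option 1: an SQL login that can do only what the application does.
USE master;
CREATE LOGIN app_client
    WITH PASSWORD = N'<placeholder-password>', CHECK_POLICY = ON;
GO
USE AppDb;
CREATE USER app_client FOR LOGIN app_client;
-- Stored procedures only: no table rights, no db_owner or db_datareader.
GRANT EXECUTE ON SCHEMA::app TO app_client;
GO

-- Option 2: Windows authentication, so no password ships in app.config.
-- Client connection string:
--   Server=<server>;Database=AppDb;Trusted_Connection=Yes;
USE master;
CREATE LOGIN [CONTOSO\AppUsers] FROM WINDOWS;
GO
USE AppDb;
CREATE USER [CONTOSO\AppUsers] FOR LOGIN [CONTOSO\AppUsers];
CREATE ROLE app_role;
GRANT EXECUTE ON SCHEMA::app TO app_role;
EXEC sp_addrolemember 'app_role', 'CONTOSO\AppUsers';
GO

-- Check: list the permissions each principal actually holds in AppDb.
-- Anything beyond CONNECT and EXECUTE on schema app is more than intended.
SELECT pr.name AS principal,
       pe.state_desc,
       pe.permission_name,
       pe.class_desc,
       CASE pe.class_desc
            WHEN 'SCHEMA' THEN SCHEMA_NAME(pe.major_id)
            WHEN 'OBJECT_OR_COLUMN' THEN OBJECT_NAME(pe.major_id)
       END AS securable
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name IN (N'app_client', N'app_role', N'CONTOSO\AppUsers')
ORDER BY pr.name, pe.permission_name;
```

The final query does not show role memberships; those are listed in `sys.database_role_members`.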