Re: Encryption of application configuration block



Hi Steven,

Another, more secure option is to use Windows authentication and configure access to Sql Server objects based on the current users' Windows account.
This would potentially help (although I still don't like potential hackers being told exactly what database we are using on which server - I'd prefer as little info as possible to be shown!).
...
We only have a single SQL login per application and manage the user roles etc. within the application itself. This means that connection pooling kicks in for the whole domain.

Hackers that have access to your .config files would find out where your
database is regardless. Using a single SQL login makes it less secure.

"Steven Cliff" <stevecliff@xxxxxxxxxxxxxxxxx> wrote in message
news:B0F31DBB-B3DB-4BB7-864E-FDDB45506AF4@xxxxxxxxxxxxxxxx
Thanks for the reply Dave.

If you're trying to protect an Sql login password then instead create an Sql login with only those permissions that are required by your application.
This causes us a problem in that we do not want users triggering parts of the application out of order. E.G. A user has to have rights to delete X, but the application stops the user deleting X when Y exists. Without the business logic in the application the user could potentially play havoc with the system.

Another, more secure option is to use Windows authentication and configure access to Sql Server objects based on the current users' Windows account.
This would potentially help (although I still don't like potential hackers being told exactly what database we are using on which server - I'd prefer as little info as possible to be shown!). Unfortunately as soon as you follow this route, the connection pooling feature of SQL becomes dramatically less used and performance drops. We only have a single SQL login per application and manage the user roles etc. within the application itself. This means that connection pooling kicks in for the whole domain.

note that configuration encryption is intended for applications that
reside on a server and not applications that are frequently deployed to
client machines:
Hmm ... yep, that is the problem I am having :-(

What I can't believe is that if I wish to deploy Winforms applications out to numerous desktops securely, then the DAAB of the Enterprise Library cannot be used? This sounds like I'm missing something - but the more I look into it the more I'm beginning to believe that it's impossible! :-(

I'm stuck with reverting back to the old "SQLHelper" extensions or rolling my own but after having spent a couple of weeks converting everything across to the new DAAB & DataFactory set up I'm reluctant to throw it all in the bin.

If it *is* impossible to do this way, does anyone know of a way that I can dynamically change the connection string in one of the new DataFactory CreateDatabase statements? I.E. I could point the datafactory to a dummy alias and then override the connection string with manually deciphered information that I could hold elsewhere? That would mean I can still use the new datafactory routines, keep a secure app.config and deploy out to many clients without problems.



