Re: How can I have a user select a local MS SQL database using vb.net? TIA SAL
From: Richard Myers (fake_at_address.com)
Date: 11/09/04
- In reply to: Cor Ligthert: "Re: How can I have a user select a local MS SQL database using vb.net? TIA SAL"
- Next in thread: Cor Ligthert: "Re: How can I have a user select a local MS SQL database using vb.net? TIA SAL"
- Reply: Cor Ligthert: "Re: How can I have a user select a local MS SQL database using vb.net? TIA SAL"
Date: Wed, 10 Nov 2004 10:47:44 +1300
Hi Cor,
It's just a general design strategy of reducing the attack surface of an application/security in
depth.
Often times people build these fortresses with really high walls but once you're inside you're free to
roam about the softest of centers. By encrypting the connection string (if it contains the username
and password of SQL logon account rather than integrated security) you create yet another defense
against attack, i.e. bake security into every layer of your application right from the get go. Don't
rely on a single component for all aspects of security.
Just because they can hack a server doesn't mean they can access the registry. But if as
in my previous post you are storing to the config file then they won't need to.
With respect to the registry, you might then say that if the server is breached such that the
attacker could access the registry then they might not even need the registry key to get at the SQL
data. You might be right, but given the simplicity of encryption in dotNet framework I see little
penalty for the encryption of a registry value and as a course of habit, to me it makes sense to do
it.
It's only got to prove its merit once.
Oao
Richard
"Cor Ligthert" <notmyfirstname@planet.nl> wrote in message
news:%23yYIyIkxEHA.2192@TK2MSFTNGP14.phx.gbl...
> Richard,
>
> I have seen this on MSDN as well. However I do not understand the last
> sentence, can you tell me why?
>
> >You shouldn't be storing the connection in your code. Store it in the
> >registry. If the data is sensitive be sure and encrypt the string as
> >well.
>
> This implies for me that the registry of a Microsoft Webserver is insecure,
> even for people who are not able to decrypt a string.
>
> Cor
>
>
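
An added example, not part of the original post: one way to do what the message describes, encrypting a connection string before writing it to the registry and decrypting it on read. It assumes Windows DPAPI through `ProtectedData` (.NET 2.0 or later, reference System.Security.dll), which the post does not name; the registry path, value name, entropy string and sample connection string are hypothetical.

```vbnet
Imports System
Imports System.Security.Cryptography
Imports System.Text
Imports Microsoft.Win32

Module ConnectionStringStore
    ' Hypothetical registry location and value name, chosen for this example.
    Private Const KeyPath As String = "Software\ExampleCorp\ExampleApp"
    Private Const ValueName As String = "ConnStr"

    ' Extra entropy mixed into DPAPI; an app-specific constant, not a secret by itself.
    Private ReadOnly Entropy As Byte() = Encoding.UTF8.GetBytes("ExampleApp.ConnStr.v1")

    ' Encrypt with DPAPI under the current Windows account and store as REG_BINARY.
    Sub SaveConnectionString(plain As String)
        Dim cipher As Byte() = ProtectedData.Protect(
            Encoding.UTF8.GetBytes(plain), Entropy, DataProtectionScope.CurrentUser)
        Using key As RegistryKey = Registry.CurrentUser.CreateSubKey(KeyPath)
            key.SetValue(ValueName, cipher, RegistryValueKind.Binary)
        End Using
    End Sub

    ' Returns Nothing when the value is missing or cannot be decrypted
    ' (different account, different machine, or a tampered blob).
    Function LoadConnectionString() As String
        Using key As RegistryKey = Registry.CurrentUser.OpenSubKey(KeyPath)
            If key Is Nothing Then Return Nothing
            Dim cipher As Byte() = TryCast(key.GetValue(ValueName), Byte())
            If cipher Is Nothing Then Return Nothing
            Try
                Return Encoding.UTF8.GetString(
                    ProtectedData.Unprotect(cipher, Entropy, DataProtectionScope.CurrentUser))
            Catch ex As CryptographicException
                Return Nothing
            End Try
        End Using
    End Function

    Sub Main()
        ' Constructed sample value; not a real server or credential.
        SaveConnectionString("Server=(local);Database=Sample;User Id=app_user;Password=example-only;")
        Console.WriteLine(If(LoadConnectionString() IsNot Nothing, "round trip ok", "load failed"))
    End Sub
End Module
```

With `DataProtectionScope.CurrentUser` the blob only decrypts under the Windows account that wrote it, so a copied registry hive or a read by another account yields ciphertext only. Code already running as that account can still call `Unprotect`, which is why this is one layer among several rather than the only control.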