堆栈内存溢出
  简体   繁体   English

web.config带有asp.net mvc网站的数据库连接字符串。 数据库和站点在同一服务器上。 需要安全性吗?

[英]web.config with db connection string for asp.net mvc site. DB and site on same server. Need security?

 原文  2019-04-06 04:40:45       c#/ asp.net/ asp.net-mvc/ database/ web-config

问题描述

I've read so much about encrypting web.config file, encrypting only the db string or having a completely separate file for the db connection string. 我已经阅读了很多有关加密web.config文件,仅加密数据库字符串或具有完全独立的数据库连接字符串文件的知识。

I also know that there is enough material on the net, but i couldn't find an exact answer. 我也知道网上有足够的资料,但是我找不到确切的答案。

Is there a need to secure the web.config somehow of my asp.net mvc app when db and site are hosted on the same server? 当数据库和站点托管在同一服务器上时,是否需要以某种方式保护我的asp.net mvc应用程序的web.config?

If so, what is best practice? 如果是这样,什么是最佳做法? Since this is about security I do worry a bit. 因为这是关于安全性的,所以我确实有些担心。

1 个解决方案

解决方案1
 1 已采纳  2019-04-06 07:24:31

I would answer on basis what's going in my organization. 我将根据组织的情况进行回答。 It is not recommended anymore to store the db connection strings in config of appsettings.json file. 不建议再将db连接字符串存储在appsettings.json文件的config中。 Our auditors are constantly browsing through the repos to check if someone does that. 我们的审计师会不断浏览回购协议,以检查是否有人这样做。

As a best practice, we put the connection string in azure keyvault. 作为最佳实践,我们将连接字符串放入azure密钥库中。 It takes care of encrypting while storing and decrypting while fetching. 它负责在存储时进行加密和在获取时进行解密。 If you don't want to use third party solutions, you can still be fine if you take care of a few things - 如果您不想使用第三方解决方案,那么只要注意以下几点,还是可以的-

  • Encrypt the password or whole connection string and keep the key only in code (not in config) 加密密码或整个连接字符串,并仅在代码中保留密钥(不在配置中保留)
  • If your database is on same server, then you can totally disable sql server authentication and use only windows authentication. 如果数据库位于同一服务器上,则可以完全禁用sql服务器身份验证,而仅使用Windows身份验证。 This will make it harder for someone from outside to crack. 这将使外界很难有人破解。
  • One step further from step 2, try to disable TCP/IP from SSCM and use named pipes only. 与步骤2相比,应采取进一步的措施,尝试从SSCM禁用TCP / IP并仅使用命名管道 Then it's not possible for anyone to connect to your db from outside your machine. 这样一来,任何人都不可能从计算机外部连接到您的数据库。

There are many more things that can go wrong if you have not properly configured security in your application. 如果您没有在应用程序中正确配置安全性,还有很多其他事情可能会出错。 If your service account is compromised, even third point can't save your db. 如果您的服务帐户被盗用,即使第三点也无法保存您的数据库。 I would suggest continue reading on this and treat this as a never ending list. 我建议继续阅读,并将其视为永无止境的清单。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 每当在ASP.NET MVC的web.config文件中编辑连接字符串时,我都会收到内部服务器错误 - I get Internal Server Error whenever editing connection string in ASP.NET MVC's web.config file 在 ASP.NET MVC 的 web.config 文件中找不到我的连接字符串标记 - Can't find my connection string tag in web.config file in ASP.NET MVC ASP.Net的web.config中的连接字符串问题 - connection string issue in web.config of ASP.Net 在ASP.Net Web.config中加密数据库连接字符串 - Encrypt database connection string in ASP.Net Web.config 从asp.net中的Web.config获取连接字符串 - Get Connection String from Web.config in asp.net web.config中的asp.net连接字符串问题 - asp.net connection string problem in web.config ASP.NET web.config中SQL Server本机客户端的连接字符串 - Connection string for SQL Server native client in ASP.NET web.config ASP.NET 5 MVC 6中的web.config - web.config in ASP.NET 5 MVC 6 ASP.NET站点中的代码与配置文件中的SQL Server连接字符串 - SQL Server connection string in code vs config file in ASP.NET site 当我尝试访问它时,空白的asp.net站点显示web.config错误 - blank asp.net site shows web.config error when i try to access it
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM