C#和SQL Server身份验证
[英]C# & SQL Server Authentication
问题描述
I'm currently developing a C# app with an SQL Server DB back-end. 
我目前正在开发一个带有SQL Server DB后端的C#应用程序。 I'm approaching the point of deployment and hitting a problem. 我正在接近部署点并遇到问题。 The applicaiton will be deployed within an active directory network. 应用程序将部署在活动目录网络中。 As far as SQL authentication goes, I understand that I have 2 options - Windows Authenticaiton or Server Authenticaiton. 就SQL身份验证而言,我知道我有两个选项--Windows Authenticaon或Server Authenticaiton。
If I use Server Authentication, I'm concerned that the username and password for the account will be stored in plain text in the app.config file, and therefore leave the database vulnerable. 如果我使用服务器身份验证,我担心帐户的用户名和密码将以纯文本形式存储在app.config文件中,因此会使数据库容易受到攻击。
Using Windows Authenticaiton will avoid this issue, however it would mean giving every member of staff within our organisation read/write access to the database in order to run the app correctly. 使用Windows Authenticait将避免此问题,但这意味着为组织内的每个成员提供对数据库的读/写访问权限,以便正确运行应用程序。 Whilst this is ok, it also means that they can easily connect to the database themselves via other means and directly alter the data outside of the app. 虽然这没关系,但这也意味着他们可以通过其他方式轻松连接到数据库,并直接更改应用程序外部的数据。
I'm guessing there is someting really obvious I'm missing here, but I've been googling all evening to no avail. 我猜这里有一些非常明显的我在这里失踪,但我整晚都在谷歌搜索无济于事。 Any advice/guidance would be much appreciated! 任何建议/指导将不胜感激!
Peter 彼得
Addition - my project is Windows Form based not ASP.NET - is encrypting the app.config file still the right answer? 另外 - 我的项目是Windows Form而不是ASP.NET - 加密app.config文件仍然是正确的答案? If it is, does anyone have any examples that are not ASP.NET based? 如果是,是否有人有任何不基于ASP.NET的示例?
4 个解决方案
解决方案1
3 2010-05-26 20:55:32
you can encrypt the username and password in the config file 您可以在配置文件中加密用户名和密码
http://msdn.microsoft.com/en-us/library/89211k9b(VS.80).aspx http://msdn.microsoft.com/en-us/library/89211k9b(VS.80).aspx
解决方案2
3 已采纳 2010-05-26 20:56:45
If I use Server Authentication, I'm concerned that the username and password for the account will be stored in plain text in the app.config file, and therefore leave the database vulnerable.
You could always create a connection string in your app.config and encrypt that connection string section . 您始终可以在app.config中创建连接字符串并加密该连接字符串部分 。 This works for ASP.NET as well as for console apps, Winforms apps, WPF apps - it's a .NET base technology, really. 这适用于ASP.NET以及控制台应用程序,Winforms应用程序,WPF应用程序 - 它实际上是.NET基础技术。
See Jon Galloway's Encryping Passwords in a .NET app.config for a non-ASP.NET sample of how to do this. 有关如何执行此操作的非ASP.NET示例,请参阅.NET app.config中的Jon Galloway的加密密码 。
Using Windows Authenticaiton will avoid this issue, however it would mean giving every member of staff within our organisation read/write access to the database in order to run the app correctly.
Yes - but you can ease the burden: 是的 - 但你可以减轻负担:
you can authenticate a Windows / AD group - everyone who's a member of that group has access - no need to individually permissions each user
您可以对Windows / AD组进行身份验证 - 每个成为该组成员的人都可以访问 - 无需为每个用户单独授予权限 if you use views for data retrieval and stored procs for insert / update / delete, you won't even need to give those users direct table access and you can shield your database from inappropriate manipuluation
如果您使用视图进行数据检索和存储过程进行插入/更新/删除,您甚至不需要为这些用户提供直接表访问权限,您可以保护数据库免受不适当的操作
解决方案3
0 2010-05-26 20:56:38
最简单的选择是将用户名和密码存储在web.config中,然后加密它们
解决方案4
0 2010-05-26 20:57:10
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.