
How to solidly protect web.config

Maybe I am understanding it all wrong, but as I understood it, the best way to protect your connection string is by encrypting it. Now I have these questions.

Question 1:

Will encryption work in a shared hosting environment?

Question 2:

If I have an FTP service, can any user upload an ASPX file and retrieve the connection string through the configuration manager namespace?

Question 1:

What are you protecting your connection string against?

If it's against hackers and such, if web.config is available to them, your system has already been compromised and nothing you can do will help you.

If it's against casual observers (i.e. the coders), even something as simple as base64 encoding will help.

Question 2:

You shouldn't allow your users to upload files to a directory where aspx files can be executed - that way the users can do anything they want.

1: I can't see why not.

2: Potentially, although you should be taking measures to prevent this. I find the best approach is to use Windows authentication and set the identity of the app-pool to use a dedicated, locked-down Windows account in IIS. This way your connection string will never contain a password.

Not an answer to your 2 questions, but: the best method for protecting a connection string is not having a connection that requires a password in the connection string. NTLM or similar is much more secure. Other than that, if users have access to FTP, encryption is so-called security by obscurity, which can be easily reversed.
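
An added example, not part of any answer above: a small Python audit of a web.config that reports, per connection string, whether it carries a plaintext password or uses integrated (Windows) authentication, and whether the section has been encrypted with protected configuration. The sample config, its names and server are constructed, and the simple `;` split assumes connection strings without quoted values and a config root without an XML namespace.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config (not from the original page).
SAMPLE_CONFIG = """<configuration>
  <connectionStrings>
    <add name="SqlLogin" connectionString="Server=db01;Database=Shop;User Id=shop_app;Password=CONSTRUCTED-PLACEHOLDER;" />
    <add name="Integrated" connectionString="Server=db01;Database=Shop;Integrated Security=SSPI;" />
    <add name="Alias" connectionString="Data Source=db01;Initial Catalog=Shop;UID=shop_app;PWD=CONSTRUCTED-PLACEHOLDER" />
  </connectionStrings>
</configuration>"""

SECRET_KEYS = {"password", "pwd"}
INTEGRATED_VALUES = {"true", "yes", "sspi"}

def parse_pairs(conn_str):
    """Split 'key=value;key=value' into a dict with lower-cased keys."""
    pairs = {}
    for part in conn_str.split(";"):
        key, sep, value = part.partition("=")
        if sep and key.strip():
            pairs[key.strip().lower()] = value.strip()
    return pairs

def audit_web_config(xml_text):
    """Return {name: finding} for each entry under <connectionStrings>."""
    root = ET.fromstring(xml_text)
    section = root.find("connectionStrings")
    if section is None:
        return {}
    # Protected configuration replaces the <add> entries with <EncryptedData>.
    if section.get("configProtectionProvider") or any(
            child.tag.endswith("EncryptedData") for child in section):
        return {"<section>": "encrypted"}
    findings = {}
    for add in section.findall("add"):
        pairs = parse_pairs(add.get("connectionString", ""))
        integrated = pairs.get("integrated security",
                               pairs.get("trusted_connection", "")).lower()
        if SECRET_KEYS & pairs.keys():
            findings[add.get("name")] = "plaintext password"
        elif integrated in INTEGRATED_VALUES:
            findings[add.get("name")] = "integrated security"
        else:
            findings[add.get("name")] = "no credential found"
    return findings

if __name__ == "__main__":
    for name, finding in audit_web_config(SAMPLE_CONFIG).items():
        print(f"{name}: {finding}")
```
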
