stackoom
  简体   繁体   中英

What is the most secure way to connect a ASP.NET 3.5 web application and SQL Server database?

 原文  2009-10-19 01:35:51       asp.net/ sql-server/ iis/ security

Question

I have a web application developed in .net 3.5, and a SQL Server database.

Current auth method is a connection string in web.config, it seems like a good idea to move the authentication details out of plain text.

So, I have two questions:

  1. Trusted Connection - The password policy here is strict, requiring frequent changes. Does this mean i'll have to update the password for the website every time it expires?

  2. Is there another/better option?

4 answers

solution1
 2  2009-10-19 01:55:17

As an alternative to trusted connection you can look at this set of articles on how to encrypt your web.config.

In brief, if you invoke from command-line 

aspnet_regiis -pe "connectionStrings" -app "/SampleApplication" -prov "RsaProtectedConfigurationProvider"

section connectionStrings in the web.config of application SampleApplication from the default site will be encrypted using RSA.

solution2
 1  2009-10-19 01:45:14

I think putting the username/password is better simply because I don't want the user that runs my IIS server to have access to lots of databases. I would prefer to have it be focused, to where, for this application there is a user and that user has only access to this database.

You do need to be certain that your web.config file is secure, so you do need security on that.

If you want more security you could just use a dependency injection framework, and inject the compiled class that has the username/password, and just use that connection string. This class could be obfuscated, if you want some semblance of more security.

solution3
 0  2009-10-19 01:38:03

No, you won't have to keep changing the trusted connection details. You don't store the password there, so password changes won't affect you. (This is if you're using Basic Authentication, getting the users to connect to the SQL box as themselves)

But - if your application pool is running as a particular user, and that user has its password changed, you'll need to update that. You could consider having a user whose password doesn't expire for this.

solution4
 0  2009-10-19 01:55:58

Trusted connection isn't an option? A frequently changing password shouldn't be a limiting factor in your decision, since it's trusted you don't have to enter a password.

Another alternative is encrypting the connection string .

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Ways to connect my asp.net application on my web server to a sql database on another server? ASP.Net web application connect to host SQL DataBase connect to sql server database from asp.net application Publishing ASP.Net Web application with SQL Server database installation How to create a SQL Compact 3.5 database for Windows Mobile in an ASP.NET web application? The secure way to return some value from database (SQL SERVER & ASP.NET) Secure login from ASP.NET 3.5/4.0 page to SQL database What is the most efficient way to perform the reverse of Server.MapPath in an ASP.Net Application ASP.NET 3.5 and SQL Server 2008 What is the most efficient way to get Active Directory properties for current user in ASP.NET 3.5?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM