Reputation: 13018
I have a requirement to protect my Web.config file from malicious users accessing our webserver & junior developers in the team. I have used RsaProtectedConfigurationProvider to successfully encrypt & decrypt our file. However, decrypting the connection string is as easy as accessing it from within my application, no matter if it is encrypted or not:
protected void btnShowConnectionString_Click(object sender, EventArgs e)
{
    lblMessage.Text = WebConfigurationManager.ConnectionStrings["MyTestConnection"].ConnectionString;
}
How do I secure my connection string to avoid workarounds like these?
Upvotes: 0
Views: 261
Reputation: 12341
IMHO, the "workaround" you are mentioning isn't really a workaround, rather, it is what it is.
Your application (web or otherwise) must be able to decrypt the information so that it can actually make the connection. Unless you are using Windows Authentication to your SQL server, user/pwd are always "there"... The nagging question I have is why/how would such code exist in your application (in the first place)?
As noted above in previous answers, separate your development environment from production - perhaps only have production config transforms in production environment.
Upvotes: 1
Reputation: 28970
You can read this link about securing connection strings, the solution recommended by MSDN.
Link: http://msdn.microsoft.com/en-us/library/89211k9b(v=vs.80).aspx
Upvotes: 1
Reputation: 11964
You cannot do this with standard solutions.
To do such protection you should write your own wrapper around the standard library using this connection string, which will decrypt the connection string from Web.config. And you should protect your wrapper from decompiling with something like Sentinel HASP. If you don't protect your wrapper it will be simple to get the encryption algorithm and decrypt the connection string.
But it will be simpler not to write production connection strings to the developers' Web.config. Use a developer environment for developing and write production environment connection strings when deploying to the production environment.
Upvotes: 1
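The separation recommended in the second and last answers (production settings applied only at deployment, Windows Authentication instead of a stored password), sketched as a Web.config transform. This is an added example, not code from any of the posters; the server names, database names and file split are constructed placeholders, and only the MyTestConnection name comes from the question.

```xml
<!-- Web.config: checked in and used by developers. It points at a
     development database only. Server and database names below are
     constructed placeholders. -->
<configuration>
  <connectionStrings>
    <add name="MyTestConnection"
         connectionString="Data Source=DEV-SQL-PLACEHOLDER;Initial Catalog=MyTestDb_Dev;Integrated Security=SSPI"
         providerName="System.Data.SqlClient" />
  </connectionStrings>
</configuration>

<!-- Web.Release.config: a separate file, applied by the publish step, so
     the production value only exists in the deployed Web.config.
     Match(name) selects the entry with the same name attribute;
     SetAttributes overwrites its connectionString.
     Integrated Security=SSPI means no user name or password is stored. -->
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
  <connectionStrings>
    <add name="MyTestConnection"
         connectionString="Data Source=PROD-SQL-PLACEHOLDER;Initial Catalog=MyTestDb;Integrated Security=SSPI"
         xdt:Transform="SetAttributes"
         xdt:Locator="Match(name)" />
  </connectionStrings>
</configuration>
```

With Integrated Security the application pool identity needs a login on the SQL Server, and the string that the button handler in the question displays contains a server and database name but no credentials.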