Best place to put ConnectionString like values

Question

I guess that has been asked quite a few times. But I couldn't find what I am looking for, so I am gonna ask again.

Can sensitive values be placed in machine.config or another configuration file which is located in another place on my server?

My scenario is that, I have to access to a db in all my applications which are located on the same server. And I really want to remove that connection string to this particular database in web.config file. Maybe it's possible to reference another config file in my web.config, and that config file is located in another place (other than the web folder) in my server, where my clients cannot access using ftp?

Just a thought!

Answer 1

Here is what Microsoft recommends for protecting Connection Strings in .NET 4.5:

http://msdn.microsoft.com/en-us/library/89211k9b%28v=vs.110%29.aspx

You should use Windows Authentication, Encrypt the connection string etc. This is a pretty safe approach.

If you want something more creative you could build a secure service to provide connection strings to your applications. Those connection strings would be stored in a different data-store, and again would be encrypted. Azure uses a similar approach with connection strings. They are stored in a separate "Windows Azure Web Sites configuration store":

http://azure.microsoft.com/blog/2013/07/17/windows-azure-web-sites-how-application-strings-and-connection-strings-work/

Answer 2

I would not say this is the "best" as it does not take into consideration security etc, however it answers your question.

ASP.Net Configuration files have a hierarchy and support inheritance, you can define settings at various levels within your application and those settings will be applied in an inheritance hierarchy.

ASP.NET Configuration File Hierarchy and Inheritance

Answer 3

Encrypt your connection string and leave it in the web.config

Encrypt Connection String