.NETGURU
web.config connection string?
This message was discovered on ASPFriends.com 'aspngsec' list.


Arman Kurtagic
Storing the database connection string in the web.config file exposes the
cleartext password to a sensitive database, like this:

<appSettings>
  <add key="DBI.ConnectionString"
       value="Provider=OraOLEDB.Oracle.1;Password=mypass;Persist Security Info=True;User ID=me;Data Source=SGUCode;"/>
</appSettings>
******************************

Is there any other solution that does not expose the password in cleartext?

Thanks

//Arman

TIM ELLISON
The connection string in a pure ASP app or COM+/ASP application would be
stored either in the registry or hardcoded in the component, and I'm sure
probably in other, more inventive places.

But what it boils down to is the config file cannot be served up through IIS
and a person managing a production box is going to at least have admin privs
on the server and should be of sufficient trust level to know the
username/password to the database server in the first place.

The way we're handling this is we have a Configuration Manager role whose
responsibility is installing and configuring web sites. During development,
the web.config file points to a development database server.

At deployment, the CM changes the username, password, server, database to
the production database.

Since only the CM has rights to the web directory for accessing web.config,
the username and password are not exposed to everyone else.

Regards,

Tim Ellison
Senior Web Applications Developer,
Long and Foster Real Estate
703-359-1884

-----Original Message-----
From: Arman Kurtagic
Sent: Friday, June 28, 2002 3:16 AM
To: aspngsec
Subject: [aspngsec] web.config connection string?

Storing the database connection string in the web.config file exposes the
cleartext password to a sensitive database, like this:

<appSettings>
  <add key="DBI.ConnectionString"
       value="Provider=OraOLEDB.Oracle.1;Password=mypass;Persist Security Info=True;User ID=me;Data Source=SGUCode;"/>
</appSettings>
******************************

Is there any other solution that does not expose the password in
cleartext?

Thanks

//Arman

Emil Kvarnhammar
Hi Arman,

Take a look at the aspnet_setreg.exe tool from Microsoft. It helps
you store the credentials encrypted in the registry instead.

Good luck,

Emil
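
An audit check for the exposure discussed in this thread, added here as an example (it is not code from any of the posters): it parses a web.config, splits each appSettings value as a connection string, and reports settings that carry a literal password. The sample config is constructed from the snippet in the first post; the second entry, the function names and the finding fields are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Connection-string keywords that carry a secret (compared lower-cased).
SECRET_KEYS = {"password", "pwd"}

# Constructed sample: the post's <appSettings> block inside a root element,
# plus one hypothetical entry that carries no password.
SAMPLE_CONFIG = """<configuration>
  <appSettings>
    <add key="DBI.ConnectionString"
         value="Provider=OraOLEDB.Oracle.1;Password=mypass;Persist Security Info=True;User ID=me;Data Source=SGUCode;"/>
    <add key="Reports.ConnectionString"
         value="Provider=SQLOLEDB;Integrated Security=SSPI;Data Source=db01;"/>
  </appSettings>
</configuration>"""


def parse_connection_string(value):
    """Split 'k=v;k=v' into a dict (quoted values containing ';' not handled)."""
    pairs = {}
    for part in value.split(";"):
        key, sep, val = part.partition("=")
        if sep and key.strip():
            pairs[key.strip().lower()] = val.strip()
    return pairs


def find_cleartext_secrets(config_xml):
    """Return one finding per appSettings entry holding a non-empty password."""
    findings = []
    root = ET.fromstring(config_xml)
    for add in root.findall(".//appSettings/add"):
        pairs = parse_connection_string(add.get("value", ""))
        exposed = sorted(k for k in SECRET_KEYS if pairs.get(k))
        if exposed:
            findings.append({
                "key": add.get("key"),
                "secret_fields": exposed,
                # Persist Security Info=True also leaves the password readable
                # from the connection string after the connection is opened.
                "persist_security_info":
                    pairs.get("persist security info", "").lower() == "true",
            })
    return findings


if __name__ == "__main__":
    for finding in find_cleartext_secrets(SAMPLE_CONFIG):
        print(finding)  # names the setting, never prints the secret value
```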