tags:

views:

153

answers:

4
+4  Q: 

What is the most secure way to connect a ASP.NET 3.5 web application and SQL Server database?

I have a web application developed in .net 3.5, and a SQL Server database.

Current auth method is a connection string in web.config, it seems like a good idea to move the authentication details out of plain text.

So, I have two questions:

  1. Trusted Connection - The password policy here is strict, requiring frequent changes. Does this mean i'll have to update the password for the website every time it expires?

  2. Is there another/better option?

A: 

No, you won't have to keep changing the trusted connection details. You don't store the password there, so password changes won't affect you. (This is if you're using Basic Authentication, getting the users to connect to the SQL box as themselves)

But - if your application pool is running as a particular user, and that user has its password changed, you'll need to update that. You could consider having a user whose password doesn't expire for this.

Rob Farley  2009-10-19 01:38:03
Thanks - unfortunately i can't log in (open ID provider is blocked) so can't upvote
nailitdown  2009-10-19 02:09:26
That's odd. It recognises who you are to be able to comment, but not for upvoting (or presumably marking as an answer)?
Rob Farley  2009-10-19 02:19:24
yeah, this is just a guest account that i gave the same name as my regular one... it seems questions/comments are fine but no voting
nailitdown  2009-10-19 02:29:56
+1  A: 

I think putting the username/password is better simply because I don't want the user that runs my IIS server to have access to lots of databases. I would prefer to have it be focused, to where, for this application there is a user and that user has only access to this database.

You do need to be certain that your web.config file is secure, so you do need security on that.

If you want more security you could just use a dependency injection framework, and inject the compiled class that has the username/password, and just use that connection string. This class could be obfuscated, if you want some semblance of more security.

James Black  2009-10-19 01:45:14
cheers james - are you implying here that by using trusted/integrated security I won't be able to assign proper permissions for the db?
nailitdown  2009-10-19 02:10:52
@nailitdown - I think it is harder to lock down a database if you have one user having access to several databases, assuming you have several webapps on the same IIS server. I tend to be paranoid about things like this, probably moreso than most developers.
James Black  2009-10-19 02:16:03
+2  A: 

As an alternative to trusted connection you can look at this set of articles on how to encrypt your web.config.

In brief, if you invoke from command-line

aspnet_regiis -pe "connectionStrings" -app "/SampleApplication" -prov "RsaProtectedConfigurationProvider"

section connectionStrings in the web.config of application SampleApplication from the default site will be encrypted using RSA.

elder_george  2009-10-19 01:55:17
That could work, but the password policy here would require i constantly update the web.config. (I suppose i could just ignore the policy and keep a single username/password pair, but that's not really my call....)
nailitdown  2009-10-19 02:12:08
A: 

Trusted connection isn't an option? A frequently changing password shouldn't be a limiting factor in your decision, since it's trusted you don't have to enter a password.

Another alternative is encrypting the connection string.

Si  2009-10-19 01:55:58
Right, so as a trusted connection, I'm trusting each authenticated user who connects to the website, and then connecting to the DB with their own account... is that correct?
nailitdown  2009-10-19 02:13:05
I believe you could also investigate impersonation, http://msdn.microsoft.com/en-us/library/aa292118(VS.71).aspx. Also this might be useful info: http://stackoverflow.com/questions/382383/asp-net-impersonation-and-sql-server-trusted-connection-calls
Si  2009-10-19 03:21:58

related questions

Sql to query a dbs scheme
Transform Columns into Rows
SQL Client for Mac OS X that works with MS SQL Server
How do you get leading wildcard full-text searches to work in SQL Server?
SQL Server 2000: Is there a way to tell when a record was last modified?
What's the BEST way to remove the time portion of a datetime value (SQL Server)
I need to know how much disk space a table is using in SQL Server
What's the best way to determine if a temporary table exists in SQL Server?
Appropriate pagefile size for SQL Server
Have you ever encountered a query that SQL Server could not execute because it referenced too many tables?
ASP.NET MVC "CRUD" Database Sample
How do I unit test persistence?
Best Book for a new Database Developer
Can I logically reorder columns in a table?
Best way to copy a database in SQL Server 2005/8?
Is Windows Server 2008 "Server Core" appropriate for a SQL Server instance?
Why doesn't SQL Full Text Indexing return results for words containing #?
Client collation and SQL Server 2005
Editing database records by multiple users
Deploying SQL Server Databases from Test to Live
SQL Server 2005 implementation of MySQL REPLACE INTO?
Upgrading SQL Server 6.5
How do I version my MS SQL database in SVN?
How to export data from SQL Server 2005 to MySQL
Check for changes to a SQL table?