I am accessing an SQL Server database using Windows Authentication.

  1. Do I need to encrypt the connection string in the web.config?
  2. Does the name of the connection string (or database) matter in terms of security? (viz: ApplicationServices)?
+3  A: 
  1. No. It would be useless. When using Windows Authentication your app is connecting as the user that opens the DBConnection from code, typically network service if it's a web app.

  2. No, unless the name is also your domain admin password.

EDIT: In a crazy world where the name of your database server was secret, then maybe it would make sense to encrypt the connection string.

klausbyskov
+3  A: 

I disagree with klausbyskov. I would encrypt your connection string regardless. Sure, the server name is really all that is being exposed. But that at least puts a target out there. Encrypting the connection string would remove that target.

Knowing is half the battle.

As far as the connection string name, I'd just keep it vague, and not name it the name of your production database server or anything like that.

Aaron Daniels
I agree. Encrypting web.config sections is cheap and supported by various management tools (unlike, say, encrypting app.config sections...). And there are other benefits besides hiding the server/database names: 1) the connection string cannot be changed in web.config to hijack the application and 2) the fact that SSPI is used is also hidden.
Remus Rusanu
Is it encrypting or obfuscating? If someone can read a web.config, you've lost already, no, because your code is available to reverse engineer?
gbn
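
As an added illustration (not code from any of the posters above), this Python check reads a web.config and reports what a plaintext `connectionStrings` section discloses under Windows Authentication, compared with a protected section. The server name, database name and cipher placeholder are constructed sample values, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample: plaintext section using Windows Authentication (names are made up).
PLAINTEXT = """<configuration>
  <connectionStrings>
    <add name="ApplicationServices"
         connectionString="Data Source=SQLPROD01;Initial Catalog=Orders;Integrated Security=SSPI" />
  </connectionStrings>
</configuration>"""

# Constructed sample: the same section after protection (cipher value is a placeholder).
PROTECTED = """<configuration>
  <connectionStrings configProtectionProvider="DataProtectionConfigurationProvider">
    <EncryptedData><CipherData><CipherValue>PLACEHOLDER</CipherValue></CipherData></EncryptedData>
  </connectionStrings>
</configuration>"""

SECRET_KEYS = ("password", "pwd")

def parse_conn_string(value):
    """Split 'key=value;...' pairs into a dict with lower-cased keys."""
    pairs = (p.split("=", 1) for p in value.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def audit(web_config_xml):
    """Return (protected, findings); findings list what a reader of the file learns."""
    section = ET.fromstring(web_config_xml).find("connectionStrings")
    if section is None:
        return False, []
    # A protected section carries the provider attribute and an EncryptedData child
    # (the child may be namespace-qualified, hence the endswith check).
    if section.get("configProtectionProvider") or any(
            child.tag.endswith("EncryptedData") for child in section):
        return True, []
    findings = []
    for add in section.findall("add"):
        fields = parse_conn_string(add.get("connectionString", ""))
        findings.append({
            "name": add.get("name"),
            "server": fields.get("data source") or fields.get("server"),
            "database": fields.get("initial catalog") or fields.get("database"),
            "windows_auth": fields.get("integrated security", "").lower()
                            in ("sspi", "true", "yes"),
            "has_password": any(k in fields for k in SECRET_KEYS),
        })
    return False, findings

if __name__ == "__main__":
    for label, xml in (("plaintext", PLAINTEXT), ("protected", PROTECTED)):
        print(label, audit(xml))
```

For the plaintext sample the findings show the server, the database and the use of SSPI but no password, which are the items the answers and comments above debate.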