What's the best method for securing connection string information in an app.config file for deployed WinForms applications?

+3  A: 

The most secure way (assuming Windows clients and a supported database server) is to use integrated authentication, and avoid distributing passwords with connection strings at all.

Data Source=servername;Initial Catalog=dbname;Integrated Security=SSPI;

Each user will need access to the database server. I've found the easiest way to do this is with Active Directory groups: give the group appropriate access on the database server, and add and remove users from that group as needed.

Michael Petrotta
+3  A: 

Encrypt it, either manually or using the config tool distributed with EntLib.

This should get you started.

Edit: of course, as others have said, using integrated security is your best bet, but I understand that there are times that this is not an option.

In these cases, you will need to do a little extra work. I have done it before and know it works. I will link to an article that describes the challenges and ultimately the working solution for doing this with Windows applications.

warning: put on some sunglasses before clicking this link.

http://guy.dotnet-expertise.com/PermaLink,guid,b3850894-3a8e-4b0a-aa52-5fa1d1216377.aspx

Sky Sanders
I use this method for my web apps, but how does encrypting the connection string work with a deployed Windows app? The key file used to encrypt the connection string will need to be deployed with the application to decrypt the connection string, which means anyone could decrypt it?
Bruce Adams
@Bruce - by deployed, you mean at large, in the wild?
Sky Sanders
Yes. Say an app with a Sqlce database.
Bruce Adams
@bruce - then the second link should help you accomplish this and avoid some of the rough edges involved in doing so. And re SqlCE - I would definitely suggest checking out http://sqlite.phxsoftware.com/. If the capabilities meet your needs it blows SqlCE out of the water.
Sky Sanders
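To make the "encrypt it" step concrete for a deployed WinForms app, here is an added example (not code from any of the answers above) that protects the connectionStrings section with the built-in DataProtectionConfigurationProvider (Windows DPAPI) on the machine where the app runs, so no key file has to ship with the installer; the section and method names are my own choices.

```csharp
using System;
using System.Configuration;

// Added example, not from the original answers. The DPAPI-backed provider
// derives its key from the machine (default) or user profile on the box
// where encryption happens, so nothing secret is distributed with the app.
static class ConnectionStringProtector
{
    const string DpapiProvider = "DataProtectionConfigurationProvider";

    // Call once (installer custom action or first run with write access to
    // app.config). Encrypts <connectionStrings> in place if it is still
    // plaintext; returns true if it changed the file.
    public static bool ProtectIfNeeded()
    {
        Configuration config = ConfigurationManager.OpenExeConfiguration(
            ConfigurationUserLevel.None);
        ConfigurationSection section = config.GetSection("connectionStrings");
        if (section == null || section.SectionInformation.IsProtected)
            return false;               // missing or already encrypted

        section.SectionInformation.ProtectSection(DpapiProvider);
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Full);

        // Make the in-memory copy match what was just written to disk.
        ConfigurationManager.RefreshSection("connectionStrings");
        return true;
    }

    // Ordinary code keeps reading the string as usual; the framework
    // decrypts transparently for code running in the same DPAPI scope.
    public static string Get(string name)
    {
        ConnectionStringSettings cs = ConfigurationManager.ConnectionStrings[name];
        return cs == null ? null : cs.ConnectionString;
    }
}
```

Because the app.config under Program Files is not writable by a standard user, run ProtectIfNeeded from the installer or an elevated first launch rather than from a normal session. This hides the string from anyone who merely reads the file, but any code running in the same machine (or user) DPAPI scope can still decrypt it, which is the limit Bruce Adams is pointing at in the comments.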
A: 

For WinForms: check this question: How to encrypt connection string in WinForms 1.1 app.config?

Shoban
A: 

It really depends on how you expect someone to get at the connection string. If you're worried about just the users of your app (who aren't developers), just encrypt the connection string and put the encrypted string in a constant in your app. Use the key at runtime to decrypt the encrypted string you used for the constant, and then obfuscate your code before you deploy it. Is this foolproof? Of course not, but it will probably stop 99.9% of people from getting your connection string. They would have to disassemble your code and get the encrypted string first, and then they would have to have access to the key.

If you're worried about developers, then the above solution would work just as long as they don't have access to source code in production and possibly the key used to encrypt the connection string. Sure, someone has to put in the connection info, but only give that person access to it. Hope this helps.