tags:

views:

105

answers:

4
+6  Q: 

C# & SQL Server Authentication

Hello,

I'm currently developing a C# app with an SQL Server DB back-end. I'm approaching the point of deployment and hitting a problem. The applicaiton will be deployed within an active directory network. As far as SQL authentication goes, I understand that I have 2 options - Windows Authenticaiton or Server Authenticaiton.

If I use Server Authentication, I'm concerned that the username and password for the account will be stored in plain text in the app.config file, and therefore leave the database vulnerable.

Using Windows Authenticaiton will avoid this issue, however it would mean giving every member of staff within our organisation read/write access to the database in order to run the app correctly. Whilst this is ok, it also means that they can easily connect to the database themselves via other means and directly alter the data outside of the app.

I'm guessing there is someting really obvious I'm missing here, but I've been googling all evening to no avail. Any advice/guidance would be much appreciated!

Peter

Addition - my project is Windows Form based not ASP.NET - is encrypting the app.config file still the right answer? If it is, does anyone have any examples that are not ASP.NET based?

+3  A: 

you can encrypt the username and password in the config file

http://msdn.microsoft.com/en-us/library/89211k9b(VS.80).aspx

SQLMenace  2010-05-26 20:55:32
What kind of encryption is used and where is the key of the encryption stored?
Henri  2010-05-26 20:57:37
A: 

Easiest option would be to store the username and password in the web.config, then encrypt them

Eric Petroelje  2010-05-26 20:56:38
Most of the articles I'm reading seem to use encryption for web projects (ASP.NET), but my project is a windows form. Can the same principles be applied or is there something else I need to look at?
Peter  2010-05-26 21:01:03
@Peter Greenall: works for any .NET app - I've used it for console apps, Winforms, ASP.NET - it's **not** limited to ASP.NET, even though most samples are ASP.NET
marc_s  2010-05-26 21:03:00
+3  A: 

If I use Server Authentication, I'm concerned that the username and password for the account will be stored in plain text in the app.config file, and therefore leave the database vulnerable.

You could always create a connection string in your app.config and encrypt that connection string section. This works for ASP.NET as well as for console apps, Winforms apps, WPF apps - it's a .NET base technology, really.

See Jon Galloway's Encryping Passwords in a .NET app.config for a non-ASP.NET sample of how to do this.

Using Windows Authenticaiton will avoid this issue, however it would mean giving every member of staff within our organisation read/write access to the database in order to run the app correctly.

Yes - but you can ease the burden:

  • you can authenticate a Windows / AD group - everyone who's a member of that group has access - no need to individually permissions each user

  • if you use views for data retrieval and stored procs for insert / update / delete, you won't even need to give those users direct table access and you can shield your database from inappropriate manipuluation

marc_s  2010-05-26 20:56:45
A: 

You can always encrypt the data in app.config.

This link has more information.

Alan  2010-05-26 20:57:10

related questions

Displaying Flash content in a C# WinForms application
How to get the value of built, encoded ViewState?
Unhandled Exception Handler in .NET 1.1
How do I connect to a database and loop over a recordset in C#?
How do I most elegantly express left join with aggregate SQL as LINQ query
Get a new object instance from a Type in C#
.NET Testing Framework Advice
Automatically update version number
What is the difference between an int and an Integer in Java/C#?
How to write to Web.Config in Medium Trust ?
WinForms ComboBox data binding gotcha
How do you sort a C# dictionary by value?
Adding Scripting functionality to .NET applications
Floating Point Number parsing: Is there a Catch All algorithm?
How do I print an HTML document from a web service?
Decoding T-SQL CAST in C#/VB.net
Anatomy of a "Memory Leak"
How do I get a distinct, ordered list of names from a DataTable using Linq
Reliable Timer in a Console Application
How do I fill a DataSet or a DataTable from a LINQ query resultset ?
What's the difference between Math.Floor() and Math.Truncate() in .NET?
How do I calculate relative time?
How do I calculate someone's age in C#?
Are there any conversion tools for porting Visual J# code to C#?
When setting a form's opacity should I use a decimal or double?