tags:

views:

759

answers:

3
+10  Q: 

What is the best way to centralize and secure connection strings?

What is the best way to centralize and secure the connections strings used by applications? In my environment we have many internal applications. Each application requires one or more connection strings in order to access the database. We have a goal of centralizing all these connection strings (particularly SQL logins and passwords) so we could change passwords in one place instead of in 35 different .config files, registry entries etc.

Currently we are using a home grown component which pulls the connection string information from an access database, this covers the centralization requirement but isn't particularly secure. In addition we have applications written in languages from classic asp, vb6, delphi, c++, .net so the solution would need to be usable by all those applications.

Does anyone have an idea of how to do this better, or do we need to rework our whole approach to the way our applications access the database.

+1  A: 

The company I work for has used a similar situation through a SQL Server database instead. We ended up creating a COM-compliant .net dll to simplify and secure the API into the database and to ensure that the same logic is used between classic asp, .Net, and DTS packages. It has worked out great for us for year and while there are some refactoring items a lot of us would like to do with it, it's been great to address issues like server migrations or renamings.

I think you are on the right path; however, I would recommend the following changes:

  • Try to move to a true database server. Access is great for MS Office but not for something of this scale.
  • Build an administrative console that allows for auditing of who is adding and editing information (secure who has access to what settings too).
  • Build a COM-compliant DLL so that it can be consumed by other systems in a secure and consistent manner.

EDIT:

Something that I have noticed after working years in a system like this is that it ties your hands slightly on some solutions. Many tools out there (i.e. nHibernate, Elmah, etc. in the .Net world) really are limited when the connection string is no longer in the config files. Many can be easily modified to use your API; however, it is something that takes more time to investigate if you want to use it. Just a FYI on that.

JamesEggers  2008-11-25 15:22:06
A: 

Is it not possible to move to Window Integrated Security in the connection strings, then you do not have to worry about the security aspect as much (unless you need to secure the actual location of the connection I guess).

Andrew Cox  2008-11-25 15:26:39
+1  A: 

You can use Windows server to create users that are allowed to access your SQL Server database. Then you can use integrated windows login in connection strings.

BTW Storing passwords in public MDB renders them irelevant. Same as they don't exist.

dmajkic  2008-11-25 16:06:51
This is a much better idea than a connection string repository. A COM component is not inherently secure as an attacker isn't obliged to use it. If the COM component can access your repository, so can any other process.
Peter Ruderman  2009-11-16 22:24:59

related questions

With System.Data.SQLite how do you specify a database file in the connect string using a relative path
Connections will not close when using Transaction Binding=Explicit Unbind; in connection string
Sql Server 2005 only accessible in ASP.NET 1.1 when I specify protocol and port
What is the connection string for odbc connections?
Accessing SQL on a different port number (classic ASP connection string)
Where does ConfigurationManager ConnectionStrings get its value?
Connection string hell in .NET / LINQ-SQL / ASP.NET
Abstracting data connection layers and presentation layers in an enterprise application
Connect MS Access to SQL Server Compact database using ADO
SQL Reporting Services DataConnection Update
How do I set the login info for SQL Server 2008 in Entity Framework?
Are there any classes (or methods) that can create a formatted connection string, given a provider name and user id, password etc?
C# Retrieving correct DbConnection object by connection string
How can I connect to an Oracle database as SYS using an ADO connection string?
Is there a difference between (local), '.' and localhost?
How do you specify the port number in a oledb connection string to SQL server 2005?
Point ADO.Net DataSet to different databases at runtime?
Connectionstring error after encypted using aspnet_regiis.exe
OLEDBConnection.Open() generates 'Unspecified error'
Prompt for Database Connection String
Runtime Configuration in .Net (specifically the EntLib)
[ADO.NET] What's the deal with |Pipe-delimited| variables in connection strings?
Fast database access test from .Net
SharePoint - Connection String dialog box during FeatureActivated event
What is the best way to store connection string in .NET DLLs?