What is the best way to manage connection strings in a web application, from a security standpoint? I've done it several different ways. I've stored them as plain text web.config setting keys. I've also created a "Constants" class that has public read-only string properties for each connection string.
Does anybody have any recommendations for managing connections strings in such a way that I will have no concern about them being maliciously discovered? I am definitely open for encryption.
Storing the encrypted connection string in web.config file is a good practice.
you can encrypt your connection strings in your web.config file.
storing connection strings in a class as a property or a constant is not secure. anyone who uses a disassembler can see your connection string.
best way is the configuration encrypting.
You can encrypt and decrypt sections of your web.config by using the command line tool aspnet_regiis:
Encrypt: aspnet_regiis -pef "connectionStrings" "c:\folder\"
Decrypt: aspnet_regiis -pdf "connectionStrings" "c:\folder\"
@vartec: It's not quite a SNAFU..
IIS can indeed read encrypted text if you encrypt it using standard .NET encryption mechanism that won't break any UTF8 or Unicode encoding. Microsoft is also encouraging this as a best practice.
You can see a sample on encrypting connection string from this:
"How to: Secure Connection Strings When Using Data Source Controls"
If you have full control over the server you can also store the connection string in your Machine.Config. This can be handy if you have lots of applications which all work with the same DB server.
I'm not sure if its worth encrypting it since you have to access to the server in the first place to view the machine.config. And if your server's been compromised the Encyrption won't stop a hacker from pulling the credentials from the config file.