Ways to secure your MS SQL connection string in ASP.NET.
We have seen a lot of people looking for the best option to secure the connection string that their ASP.NET code uses to connect to the MS SQL database, since it contains the username and password of their database. Using a secure method is very important for corporate clients, for those who save credit card details in their MS SQL database, and for anyone else who stores important data in MS SQL. Otherwise they will easily get hacked and all the important data will be exploited by the hacker.
Here is the list of methods that can be used to secure your MS SQL connection string in your ASP.NET application.
METHODS:
1. Using a DSN connection string:
If you have administrator access to your Windows Server or use a control panel like Plesk, then you can create a DSN with the ODBC connector that stores the password of your database along with its name.
You will have to go to Start >> Administrative Tools >> Data Sources (ODBC) on your Windows Server with an account that has administrative privileges.
Or, if you use a hosting control panel like Plesk, then you can create the DSN from the control panel itself.
Once you have created the DSN you will have to mention it in your code as:
oConn.Open "DSN=mySystemDSN"
2. Store your connection string either in web.config or global.asa:
It is safe to have the connection string stored in either web.config or global.asa, since IIS does not allow these files to be accessed from the browser. But it is recommended to enable custom errors in web.config, or else the browser just displays the exact error in the event of an error.
An example of web.config would be:
3. Encrypt your connection string stored in web.config.
To make the connection string more secure you can encrypt it if your application is written in ASP.NET 2.0, as this is only possible with the new feature in ASP.NET 2.0 through the config API.
Steps to Encrypt your connection string in web.config:
– Create a connectionStrings section in web.config:
– Run the command below:
aspnet_regiis -pe -app
Optionally you can provide the machine or user store.
– Get the connection string:
Response.Write(ConfigurationManager.ConnectionStrings["Myconnstr"].ConnectionString.ToString());
– You can also encrypt:
– To decrypt the connection string use aspnet_regiis -pd with the same parameters.
– There are more options available, such as:
aspnet_regiis -pef
aspnet_regiis -pdf
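The same encryption can also be done from code through the config API mentioned above. This is an added example, not code from the original article; the class name, the method names and the "~" application path are assumptions.

```csharp
using System.Configuration;
using System.Web.Configuration;

// Hypothetical helper (not from the article): encrypts or decrypts the
// <connectionStrings> section of an application's web.config in place.
public static class ConnectionStringProtector
{
    // Default provider name registered in machine.config. The alternative,
    // "DataProtectionConfigurationProvider" (DPAPI), ties the ciphertext to one machine.
    private const string Provider = "RsaProtectedConfigurationProvider";
    private const string SectionName = "connectionStrings";

    // Returns true if the section was encrypted, false if it already was.
    public static bool Protect(string appVirtualPath)   // e.g. "~" (assumed path)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appVirtualPath);
        ConfigurationSection section = GetSection(config);
        if (section.SectionInformation.IsProtected)
            return false;

        section.SectionInformation.ProtectSection(Provider);
        section.SectionInformation.ForceSave = true;    // write even if values are unchanged
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }

    // Returns true if the section was decrypted, false if it was already plain text.
    public static bool Unprotect(string appVirtualPath)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appVirtualPath);
        ConfigurationSection section = GetSection(config);
        if (!section.SectionInformation.IsProtected)
            return false;

        section.SectionInformation.UnprotectSection();
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }

    private static ConfigurationSection GetSection(Configuration config)
    {
        ConfigurationSection section = config.GetSection(SectionName);
        if (section == null)
            throw new ConfigurationErrorsException("No <connectionStrings> section found.");
        if (section.SectionInformation.IsLocked)
            throw new ConfigurationErrorsException("Section is locked by a parent configuration file.");
        return section;
    }
}
```

The account running this code needs write access to web.config and access to the provider's key. Code that reads ConfigurationManager.ConnectionStrings does not change, because the section is decrypted transparently at read time.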
4. Save the connection string in the Windows registry:
You can also save the connection string in the Windows registry. The only problem here is that you have to give appropriate permissions on the registry so that your web user is able to read the data from the registry:
Procedure to follow:
Add a registry key for your application under SOFTWARE/[YOUR_COMPANY]/[YOUR_APP]
Add a string value for ConnectionString
Teach your ConnectionFactory to crack open the appropriate registry key (in a static constructor, not every page load).
Export the registry info as a .reg file, add it to source control, modify and apply it as necessary to set up additional machines.
You will also have to make sure that the user has appropriate rights on the registry to read the data.
5. Save your connection string in a DLL.
You can also save the connection string to a DLL using Visual Studio, but this has a few disadvantages: you will have to decrypt the DLL to make any changes to the connection string and then encrypt it again. This makes your applications very complicated to manage, especially when you have a shared hosting package.
















