I was referring to application ids having access to the database, not users. Also, the aspnet client would have to have access to read the directory, not the user. This probably is not a good solution for client applications.
Tracy Vanas Application Services Ph: 989-496-6551 Fax: 989-496-8017 Email: [EMAIL PROTECTED] -----Original Message----- From: Unmoderated discussion of advanced .NET topics. [mailto:[EMAIL PROTECTED] On Behalf Of Pardee, Roy Sent: Thursday, December 09, 2004 11:59 AM To: [EMAIL PROTECTED] Subject: Re: [ADVANCED-DOTNET] How and where to store securely a database connection string But won't your users need read on the udl files in order for YourCompany.Data.dll to open them for parsing? In which case they can just open them up manually in notepad & you're back where you started? I agree w/the other posts that integrated security is a better way to go. Chances are there's already a windows networking group that contains 99% of the users of your app. Your net admins can either add the other 1% of users individually, or create a new networking group for you to use, and add the pre-existing group to it, plus any additional users. If you can tell what the heck I'm trying to say... Another benefit is that when someone's role changes in the company & they no longer need to use the app, you don't need to worry about revoking two separate sets of perms--one for files & another for your app. *And* users won't need to deal with another login screen, which they like, but you can still use current_user() in t-sql to get the username of the actual person who owns the connection. Cheers, -Roy -----Original Message----- From: Unmoderated discussion of advanced .NET topics. [mailto:[EMAIL PROTECTED] On Behalf Of Eddie Lascu Sent: Thursday, December 09, 2004 8:45 AM To: [EMAIL PROTECTED] Subject: Re: [ADVANCED-DOTNET] How and where to store securely a database connection string Tracy, This is a most excellent idea. A little bit of work, but a flexible solution that can be reused over and over. What do you mean by "the developer at most only knows the development password"? Cheers, Eddie -----Original Message----- From: Unmoderated discussion of advanced .NET topics. [mailto:[EMAIL PROTECTED] Behalf Of Tracy Vanas Sent: Thursday, December 09, 2004 11:03 AM To: [EMAIL PROTECTED] Subject: Re: [ADVANCED-DOTNET] How and where to store securely a database connection string You could store the connect string in udl files in a secure directory on your servers. The DBAs only could have access to these files to change the passwords periodically. You could then write a common method (YourCompany.Data dll or something) to retrieve and parse the udl file and return in connection string format the caller. This way the developer at most only knows the development password. This is one method. Hope it helps. Tracy Vanas Application Services Ph: 989-496-6551 Fax: 989-496-8017 Email: [EMAIL PROTECTED] -----Original Message----- From: Unmoderated discussion of advanced .NET topics. [mailto:[EMAIL PROTECTED] On Behalf Of Eddie Lascu Sent: Thursday, December 09, 2004 10:54 AM To: [EMAIL PROTECTED] Subject: [ADVANCED-DOTNET] How and where to store securely a database connection string I would like to hear about different options to securely store a database connection string. In the past we used to hard code it but that meant that we will never be able to change it unless we were ready to recompile the hole application/system (or at least parts of it). With .NET the app.config file is an easy place to put it. It's convenient because you can change it with a simple text editor (Notepad). You don't need to recompile your application, a restart would be enough (ASP.NET doesn't even need that). However, it's not really secure because everyone can have access to it. Is there a way to encrypt the app.config or at least parts of it? I guess I could encrypt the connection string and store it in the app.config. I could include the decryption algorithm in my app but then I would need a different application to be able to decrypt the string, change it and encrypt it back into the app.config. I am really curious about what are different options here. All the best, Eddie =================================== This list is hosted by DevelopMentor(r) http://www.develop.com Some .NET courses you may be interested in: Essential .NET: building applications and components with C# November 29 - December 3, in Los Angeles http://www.develop.com/courses/edotnet View archives and manage your subscription(s) at http://discuss.develop.com =================================== This list is hosted by DevelopMentor(r) http://www.develop.com Some .NET courses you may be interested in: Essential .NET: building applications and components with C# November 29 - December 3, in Los Angeles http://www.develop.com/courses/edotnet View archives and manage your subscription(s) at http://discuss.develop.com =================================== This list is hosted by DevelopMentor(r) http://www.develop.com Some .NET courses you may be interested in: Essential .NET: building applications and components with C# November 29 - December 3, in Los Angeles http://www.develop.com/courses/edotnet View archives and manage your subscription(s) at http://discuss.develop.com =================================== This list is hosted by DevelopMentor(r) http://www.develop.com Some .NET courses you may be interested in: Essential .NET: building applications and components with C# November 29 - December 3, in Los Angeles http://www.develop.com/courses/edotnet View archives and manage your subscription(s) at http://discuss.develop.com =================================== This list is hosted by DevelopMentor� http://www.develop.com Some .NET courses you may be interested in: Essential .NET: building applications and components with C# November 29 - December 3, in Los Angeles http://www.develop.com/courses/edotnet View archives and manage your subscription(s) at http://discuss.develop.com
