
We have .NET apps running on many machines now. The DB connection string is stored in a settings XML file on each. Each application starts up and, as a first step, loads this string from its settings file. It works fine, but if we ever had to change our login info, it would be a nightmare to find all the places we've stored it over the years. Further, with virtual machines, we're adding new machines all the time and it would be ideal to simply deploy the exes/dlls and have the app get the connection string automatically and securely.

I considered encrypting the string and putting it on our web server so the remote apps can fetch it via HTTP and DNS name and decrypt it, but that's rather simplistic, and since security is so important for this piece of info, I need to be very careful.

So the question is, how do you securely disseminate a connection string to remote apps so that upon startup they'll know how to reach the DB? Once they can do that, they can fetch additional settings from a configuration table in the database.

  • If the client is connecting directly to SQL with userid and password then that information is not secure. Consider a 3-tier architecture where the client connects to a business / data layer via WCF and then only the service connects to SQL. Commented Dec 20, 2012 at 14:11
  • Unfortunately rewriting mountains of code to add a layer is not possible. Plus the same problem exists: how does the client securely know where the WCF server is and how does it authenticate in a transparent way? Commented Dec 20, 2012 at 14:17
  • No, the same problem does not exist. A direct connection to SQL and commands like delete * and drop table is NOT the same as a WCF service that returns data. WCF has many authentication options and is built for this. Commented Dec 20, 2012 at 14:30
  • Instead of putting the connection string on every client, I'd be putting the WCF server details and authentication. I'd be in the same boat. What I want to solve is how to store connection strings in one location securely and allow authenticated clients to fetch them by some common method. Commented Dec 20, 2012 at 18:35
  • Can't help you on how to authenticate if the client cannot store information on where to authenticate. Commented Dec 20, 2012 at 19:08

1 Answer

What parts of your system do you trust? You have to trust the clients 100% because once they have the connection string (which they have to have) they can do anything to the DB that they want. You also have to trust the servers.

So it seems you are trusting everyone. That makes securing the system easy: It is already secure, no matter how you distribute the connection string.

I've seen a lot of superstition when it comes to saving and distributing passwords and connection strings. Many people are uncomfortable having them sent and stored in the clear. That is irrational because the clients do have to have it in the clear eventually. It is impossible to prevent that.

So my advice is: make a simple web service that provides the following API:

string GetConfigSetting(string name)

Clients can ask that service for the connection string. This service is so simple that its interface will probably never change.

There is little point bothering with encryption in this case. A client application can easily be decompiled to access any decryption routine. Also, the client has to decrypt the secret eventually. At this point an attacker controlling the client machine can read the secret in the clear.
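One way to build the service the answer sketches, as an added example that is not the answer author's code: a GetConfigSetting endpoint on HttpListener that requires Windows integrated authentication (the AD-ticket approach raised in the comments below), so the caller is identified by its domain identity and no credential has to be stored on the client. The host name, port and setting values are constructed placeholders, and HTTPS assumes a certificate already bound to that port on the server.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Text;
using System.Threading;

// Server side: hands out named settings only to callers who authenticated with
// Windows integrated auth (Kerberos/NTLM); unauthenticated requests never reach the loop.
static class ConfigService
{
    // Constructed sample values; in practice these come from a protected store on the server.
    static readonly Dictionary<string, string> Settings = new Dictionary<string, string>
    {
        ["DbConnectionString"] = "Server=db.example.local;Database=App;Integrated Security=true",
        ["ReportServerUrl"] = "https://reports.example.local/"
    };

    public static void Run(string prefix, CancellationToken token)
    {
        var listener = new HttpListener();
        listener.Prefixes.Add(prefix);   // e.g. "https://config.example.local:8443/config/" (placeholder)
        listener.AuthenticationSchemes = AuthenticationSchemes.IntegratedWindowsAuthentication;
        listener.Start();
        while (!token.IsCancellationRequested)
        {
            HttpListenerContext ctx = listener.GetContext();
            string name = ctx.Request.QueryString["name"] ?? "";
            string caller = ctx.User?.Identity?.Name ?? "anonymous";
            string value;
            if (!Settings.TryGetValue(name, out value))
            {
                ctx.Response.StatusCode = 404;   // unknown setting: say nothing about what exists
                ctx.Response.Close();
                continue;
            }
            Console.WriteLine($"{caller} read {name}");   // audit trail: who fetched which setting
            byte[] body = Encoding.UTF8.GetBytes(value);
            ctx.Response.ContentLength64 = body.Length;
            ctx.Response.OutputStream.Write(body, 0, body.Length);
            ctx.Response.Close();
        }
    }
}

// Client side: the single call each application makes at startup, i.e. GetConfigSetting(name).
static class ConfigClient
{
    public static string GetConfigSetting(string serviceUrl, string name)
    {
        using (var wc = new WebClient { UseDefaultCredentials = true })   // present the process's Windows identity
            return wc.DownloadString(serviceUrl + "?name=" + Uri.EscapeDataString(name));
    }
}
```

Rotating the login then means editing one entry on the server; the clients pick up the new string on their next start, and the audit line shows which machines and accounts are still fetching it.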


4 Comments

@Nattrass, thanks for adding to my answer! Your edit was rejected but I added your content manually.
+1 for pointing out the serious mental break many have - any way you do this, at the end, you have to trust the clients. Point. Integrated security can fix at least users coming from other non-trusted machines, but at the end, security here is impossible, so even trying it will not achieve a lot.
@TomTom integrated security might prevent seeing a secret in the clear (not sure how that works internally). Good point. The attacker can still make the client app do what he wants to do by fiddling with its memory (it's like operating on a brain to control its thoughts...).
Yes, but at least he HAS to use an AD user. No secret - it uses AD integrated security (ticket). But that does not stop the user from firing up Access, for example, and doing pure SQL.
