6

I'm currently developing a C# app with an SQL Server DB back-end. I'm approaching the point of deployment and hitting a problem. The application will be deployed within an Active Directory network. As far as SQL authentication goes, I understand that I have 2 options - Windows Authentication or Server Authentication.

If I use Server Authentication, I'm concerned that the username and password for the account will be stored in plain text in the app.config file, and therefore leave the database vulnerable.

Using Windows Authentication will avoid this issue, however it would mean giving every member of staff within our organisation read/write access to the database in order to run the app correctly. Whilst this is ok, it also means that they can easily connect to the database themselves via other means and directly alter the data outside of the app.

I'm guessing there is something really obvious I'm missing here, but I've been googling all evening to no avail. Any advice/guidance would be much appreciated!

Peter


Addition - my project is Windows Form based not ASP.NET - is encrypting the app.config file still the right answer? If it is, does anyone have any examples that are not ASP.NET based?

3 Comments

  • Is this a winforms application? Commented May 26, 2010 at 21:00
  • Yes it is a winforms application Commented May 26, 2010 at 21:10
  • updated my answer with a link to a generic .NET sample of how to encrypt an app.config (not web.config) file for protection Commented May 26, 2010 at 21:19

4 Answers

3

If I use Server Authentication, I'm concerned that the username and password for the account will be stored in plain text in the app.config file, and therefore leave the database vulnerable.

You could always create a connection string in your app.config and encrypt that connection string section. This works for ASP.NET as well as for console apps, Winforms apps, WPF apps - it's a .NET base technology, really.

See Jon Galloway's Encrypting Passwords in a .NET app.config for a non-ASP.NET sample of how to do this.

Using Windows Authentication will avoid this issue, however it would mean giving every member of staff within our organisation read/write access to the database in order to run the app correctly.

Yes - but you can ease the burden:

  • you can authenticate a Windows / AD group - everyone who's a member of that group has access - no need to individually permission each user

  • if you use views for data retrieval and stored procs for insert / update / delete, you won't even need to give those users direct table access and you can shield your database from inappropriate manipulation
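The app.config encryption this answer (and the two below) point to, as an added worked example that is not part of the original thread or of Jon Galloway's sample: a small C# console tool that encrypts the `<connectionStrings>` section of a WinForms exe's config in place with the built-in `DataProtectionConfigurationProvider`, then checks that the password is no longer readable on disk and that the section still reads back in clear text through `ConfigurationManager`. The tool name `ConfigProtector`, the connection string name `MainDb` and the command-line layout are assumptions for the example; it needs a project reference to `System.Configuration.dll` and runs on the target machine, not at build time.

```csharp
// Added example, not code from the thread. Encrypts the <connectionStrings>
// section of <MyApp.exe>.config with the DPAPI-based provider that ships in
// machine.config. Assumes a reference to System.Configuration.dll and a
// connection string named "MainDb" in the target config (both assumptions).
using System;
using System.Configuration;
using System.IO;

static class ConfigProtector
{
    // Registered in machine.config. It wraps the section with Windows DPAPI.
    // By default the key is machine-scoped (useMachineProtection="true"), so
    // any process running on the same machine can decrypt it.
    const string Provider = "DataProtectionConfigurationProvider";

    // Encrypts (protect=true) or decrypts the connectionStrings section of
    // <exePath>.config in place. Idempotent: an already-protected section is
    // left alone rather than double-wrapped.
    public static void Protect(string exePath, bool protect)
    {
        Configuration config = ConfigurationManager.OpenExeConfiguration(exePath);
        ConfigurationSection section = config.GetSection("connectionStrings");
        if (section == null)
            throw new InvalidOperationException("no <connectionStrings> section in " + config.FilePath);

        if (protect && !section.SectionInformation.IsProtected)
            section.SectionInformation.ProtectSection(Provider);
        else if (!protect && section.SectionInformation.IsProtected)
            section.SectionInformation.UnprotectSection();

        section.SectionInformation.ForceSave = true;   // write the section even if nothing else changed
        config.Save(ConfigurationSaveMode.Modified);
    }

    // The deployed app needs no special code: the runtime decrypts a protected
    // section transparently when it is read, exactly as it does for ASP.NET.
    public static string ReadConnectionString(string exePath, string name)
    {
        Configuration config = ConfigurationManager.OpenExeConfiguration(exePath);
        ConnectionStringSettings cs = config.ConnectionStrings.ConnectionStrings[name];
        return cs == null ? null : cs.ConnectionString;
    }

    // The check a deployer should actually run: grep the raw file on disk for
    // the password keywords SQL Server accepts. Must be false after Protect().
    public static bool PasswordVisibleOnDisk(string exePath)
    {
        Configuration config = ConfigurationManager.OpenExeConfiguration(exePath);
        string raw = File.ReadAllText(config.FilePath);
        return raw.IndexOf("password=", StringComparison.OrdinalIgnoreCase) >= 0
            || raw.IndexOf("pwd=", StringComparison.OrdinalIgnoreCase) >= 0;
    }

    static int Main(string[] args)
    {
        if (args.Length < 1)
        {
            Console.Error.WriteLine("usage: ConfigProtector <path\\to\\MyApp.exe> [--unprotect]");
            return 2;
        }
        string exe = args[0];
        bool protect = !(args.Length > 1 && args[1] == "--unprotect");

        Protect(exe, protect);
        Console.WriteLine("{0}.config: connectionStrings {1}", exe, protect ? "encrypted" : "decrypted");
        Console.WriteLine("password visible in file on disk: {0}", PasswordVisibleOnDisk(exe));
        // In the WinForms app itself this is just
        // ConfigurationManager.ConnectionStrings["MainDb"].ConnectionString
        Console.WriteLine("as seen by the application: {0}", ReadConnectionString(exe, "MainDb"));
        return 0;
    }
}
```

Two things to keep in mind before relying on this. The machine-scoped DPAPI key means the encryption must be performed on each workstation after install (a config encrypted on the build server will not decrypt elsewhere), and it only protects the file against being copied off that machine: any user or program running on the same PC can call `UnprotectSection()` or simply read `ConfigurationManager.ConnectionStrings` and recover the password. Registering your own `DpapiProtectedConfigurationProvider` in app.config with `useMachineProtection="false"` ties the key to the user profile instead, but then each user has to run the encryption under their own account. For a client app installed on every staff desktop, therefore, the SQL login stored in the config should be granted no more than the views and stored procedures the answer describes, exactly as you would with a Windows group.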



3

you can encrypt the username and password in the config file

http://msdn.microsoft.com/en-us/library/89211k9b(VS.80).aspx

1 Comment

What kind of encryption is used and where is the key of the encryption stored?

0

Easiest option would be to store the username and password in the web.config, then encrypt them

2 Comments

Most of the articles I'm reading seem to use encryption for web projects (ASP.NET), but my project is a windows form. Can the same principles be applied or is there something else I need to look at?
@Peter Greenall: works for any .NET app - I've used it for console apps, Winforms, ASP.NET - it's not limited to ASP.NET, even though most samples are ASP.NET
0

You can always encrypt the data in app.config.

This link has more information.

