Ladies and Gentlemen,

For the purposes of an INTRANET application, how safe is it to store the SQL username and password into a web.config file? I am trying to get my ASP.NET app to work while the backend SQL database is on another server in the SAME domain.

I realized that I can make it work with computer account names as well, as shown below:

**********
I have two servers that support my application (in testing). Both are in the same domain, named SPL.
1. An ASP.NET web server, named WEBDEV01
2. A SQL Server (on separate hardware), named SQLDEV01

I created a local group on SQLDEV01 called 'Database Access'. I've linked DATABASE ACCESS to a SQL login. I've added the computer account name, SPL\WEBDEV01$, to the local group. My application has a web.config file that has a connection string using Integrated Security (SSPI), and Impersonation set to FALSE. The web server has anonymous browsing disabled, as well as only using Windows Integrated Authentication.

Does anyone see any security risks in this architecture (to be implemented within an intranet)?
**********

So the alternative to this would be setting up a SQL user, and passing that across from the web server to the SQL server to authenticate. Any risks to either solution?
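The two configurations the question compares, as an added example that is not code from the original post: a web.config in the ASP.NET 1.1 style (connection strings under appSettings) with the integrated-security string the poster describes beside the SQL-login alternative. The server and domain names come from the post; the database name AppDb, the login name and the placeholder password are assumptions, as is the worker process identity noted in the comments.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <appSettings>
    <!-- Option A (the poster's setup): Windows authentication with the
         ASP.NET process identity. No password is stored in this file.
         SQLDEV01 authorises the computer account SPL\WEBDEV01$ through its
         local 'Database Access' group, which is mapped to a SQL Server login.
         Assumption: the worker process runs as Network Service (or Local
         System); only those accounts present the computer account to a
         remote server. A local account such as ASPNET cannot. -->
    <add key="ConnectionString"
         value="Data Source=SQLDEV01;Initial Catalog=AppDb;Integrated Security=SSPI;" />

    <!-- Option B (the alternative asked about): a SQL login. Anyone who can
         read this file, including code running in another site on the same
         box, learns the password and can connect from anywhere on the
         intranet. Use a low-privilege login, never 'sa'. Shown commented
         out; 'webapp' and REPLACE_ME are constructed placeholders.
    <add key="ConnectionString"
         value="Data Source=SQLDEV01;Initial Catalog=AppDb;User ID=webapp;Password=REPLACE_ME;" />
    -->
  </appSettings>

  <system.web>
    <!-- Impersonation off, as in the post: database calls run as the worker
         process account, which is what SQLDEV01 sees as SPL\WEBDEV01$. -->
    <identity impersonate="false" />

    <!-- Windows Integrated Authentication only. Anonymous access is also
         disabled in IIS itself; that switch lives in the IIS console, not
         in web.config. The deny rule below refuses any unauthenticated
         request that still reaches ASP.NET. -->
    <authentication mode="Windows" />
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>
```

Option A removes the secret at rest but moves the trust boundary to the web server's identity: any code that runs under the worker process on WEBDEV01 (including another site on the same box) inherits the database access, so the SQL login mapped to 'Database Access' should be granted only the rights the application needs.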
Hi Rajiv,

How about considering pt. 1 and 2? It has some of the answers to your questions. And then make a judgment call.

1. Download the PDF "Building Secure ASP.NET Applications: Authentication, Authorization, and Secure Communication":
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=055FF772-97FE-41B8-A58C-BF9C6593F25E
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/secnetlpMSDN.asp
2. Read: ASP.NET Security, Intranet Security, Internet Security, Data Access Security, How Tos. Other chapters as well if you think they are related.

Where there is a will, there is a way.
and where there is a team, there is more than one way.
Hello,

The answer to "how safe is it to store the SQL username and password into a web.config file" depends on:

1) Who has developer access to that server (i.e. can create web pages and ASPX code). For example, unless you securely configured your web server, anybody that can execute code on the server (even if the code is executed in another website) will be able to read your web.config file.

2) How protected the web server is from the local network. Answer this: do you have strong ACLs on the web folders? Is the server protected by a firewall? Is the server locked down using an IPSec policy? Have all the latest security patches been installed on the server? Does the server have anti-virus software? If you don't use these techniques to protect your server, then an internal malicious user could easily compromise the box and access your data.

The fundamental problem with storing your database access in clear text in a web page is that it is an accident waiting to happen. And it doesn't matter how secure and locked-down your SQL server is: when the passwords are discovered, a malicious user will walk in by the front door.

Just a couple of additional points:
1) Don't use 'sa' as the SQL user (the 'sa' has administrative rights over the SQL server).
2) Store the SQL access codes in the registry instead of clear text (and protect the registry).
3) Securely configure the web server and test its security to ensure that you got it right (I created a tool called ANSA (Asp.Net Security Analyser) that does exactly this, see http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=360023).

Hope this helps.
Best regards
Thread: Username and Password in web.config

rladva (Member, 68 Points, 19 Posts): "Username and Password in web.config", Nov 14, 2003 09:48 PM
Phuoc (Participant, 1150 Points, 230 Posts): "Re: Username and Password in web.config", Nov 16, 2003 12:14 AM
ddplus (Member, 425 Points, 87 Posts): "Re: Username and Password in web.config", Nov 21, 2003 02:58 AM
ddplus signature: .NET Security Consultant, O2 Platform developer, http://o2platform.com