securing connectionstring [duplicate]

This question already has answers here: Closed 10 years ago.

Possible Duplicate:

How to encrypt connection string in WinForms 1.1 app.config?

What's the best method for securin开发者_StackOverflow社区g connectionstring information in an app.config file for deployed winforms applications?

reference

---

The most secure way (assuming Windows clients and a supported database server) is to use integrated authentication, and avoid distributing passwords with connection strings at all.

Data Source=servername;Initial Catalog=dbname;Integrated Security=SSPI;

Each user will need access to the database server. I've found the easiest way to do this is with active directory groups - give the group appropriate access on the database server, and add and remove users from that group as needed.

---

Encrypt it, either manually or using the config tool distributed with EntLib.

this should get you started.

Edit: of course, as others have said, using integrated security is your best bet, but I understand that there are times that this is not an option.

In these cases, you will need to do a little extra work. I have done it before and know it works. I will link to an article that describes the challenges and ultimately the working solution for doing this with windows applications.

warning: put on some sunglasses before clicking this link.

http://guy.dotnet-expertise.com/PermaLink,guid,b3850894-3a8e-4b0a-aa52-5fa1d1216377.aspx

---

It really depends on how you expect someone to get at the connection string. If your worried about just the users of your app (who aren't developers) just encrypt the connection string and put the encrypted string in a constant in your app. Use the key at runtime to decrypt the encrypted string you used for the constant and then obfuscate your code before you deploy it. Is this fool proof? Of course not but it will probably stop 99.9% of people from getting your connection string. They would have to disassemble your code and get the encrypted string first and then they would have to have access to the key. If your worried about developers then the above solution would work just as long as they don't have access to source code in production and possibly the key used to encrypt the connection string. Sure someone has to put in the connection info but only give that person access to it. Hope this helps.