Server-side application configuration security. Best practices
We publish server-side application to our customer workstation and customer's security guys are concerned about configuration connection strings safety.
Connection strings are stored as plain text right now, but as configuration file is not in the public/shared folder we supposed that workstation security itself is enough.
What are the ways to improve connection strings security further?
It is a big step forward to encrypt password and keep a decryption key on the same workstation? What are the steps we can take to keep connection strings (and alike开发者_C百科) information more and more securable?
Thank you in advance!
First of all, why do you need to protect connection strings? If you store there user credentials then may be it is better to use "Integrated Security" (if possible)..? In addition you could restrict user rights on database level.
But if you're sure that you really need to encrypt something in config then check this
精彩评论