AttachDBFile and how safe is plain username/password in web.config?

Discussion in 'Databases' started by jagsdesh, Nov 9, 2007.

Thread Status:
Threads that have been inactive for 5 years or longer are closed to further replies. Please start a new thread.
  1. jagsdesh

    jagsdesh

    I already have got the add-on for SQL Server 2005 and able to connect using my sql server management server to the DB on DASP server.


    When I use username/password in Connectionstring I am able to connect to the DB and my application works.


    How safe is username/password in web.config on your asp.net server.


    I normally work on custom applications on local system and dont know what encrypt/decrypt procedures to use which is compatible on your servers.


    I think i should post it on asp.net and not on database.


    Thanks
     
    jagsdesh, Nov 9, 2007
    #1
  2. Bruce

    Bruce DiscountASP.NET Staff

    It is 'relatively' safe.


    1) Internet user cannot download the web.config file directly using their browser. This is blocked at the IIS level


    2) Other users on the server should not have permission to your web.config file.


    If you are really concerned about security, I recommend you encrypt the connection information in the web.config file. This is a rather complex process though. See
    http://kb.discountasp.net/article.aspx?id=10478

    Bruce

    DiscountASP.NET
    www.DiscountASP.NET
     
    Bruce, Nov 9, 2007
    #2
  3. jagsdesh

    jagsdesh

    I attached a SQLServer Express Database and I am able to connect to it using the SQL Server Management Studio.


    My connectionstringin VS 2005 was



    <add name="LocalSqlServer" connectionString="Data Source=COMPUTERNAME\SQLEXPRESS;Integrated Security=SSPI;AttachDBFilename=|DataDirectory|DBFILENAME.mdf"/>


    In discountasp.net can we only use it username/password and or can we use it using the AttachDBFileName
    If we use username/password in plain text, how safe is it? Do we need to encrypt?


    What do you normally suggest to your clients?


    My DB is the app_data folder of my website.


    Thanks in advance
     
    jagsdesh, Nov 9, 2007
    #3
  4. raymondp

    raymondp

    Because of SQL Express poor security and performance issues, we do not support SQL Express on our hosting environment. If you have not already done so, you will need to get the SQL 2005 addon to your account.

    rcp
    DiscountASP.NET
    www.DiscountASP.NET
     
    raymondp, Nov 9, 2007
    #4
Thread Status:
Threads that have been inactive for 5 years or longer are closed to further replies. Please start a new thread.

Share This Page