

Denny Cherry, in Securing SQL Server (Third Edition), 2015

Protecting Your Connection Strings

Applications use connection strings to identify the server instance and database to connect to, and to determine which driver, login, and other options to use when connecting to the SQL Server instance. Typically the connection string is stored in a configuration file somewhere within the application or web server, and it is typically stored in plain text so that it is easy to edit and easy to change as the application moves from development to QA, to staging, and to production.

Connection strings stored in plain text provide a wealth of information to an attacker, typically everything needed to break into the database. To protect the database you have to protect the connection string, so that an attacker who gains access to the files on the web server or application server cannot use the connection string to attack the database. The best way to secure the database connection string is to encrypt the value within the configuration file. The application then loads the encrypted value from the config file, decrypts it, and uses the decrypted value as the connection string when it connects to the database.

The encryption can be done either with a separate application that the systems administrator runs during deployment to encrypt the string, or by configuring the application to encrypt the string automatically the first time it launches. The automatic approach is better from the systems administrator's point of view because it does not require a separate tool. In either case, troubleshooting the application becomes a little harder: the connection string is no longer readable in the file, so confirming that it is correct means decrypting it, which requires a separate application.

Even with the connection string stored in the configuration file in encrypted form, there is still a risk that an attacker obtains it, but it is much more difficult. To get the connection string the attacker would need to dump the memory of the running application, whether it is a Windows Service, a Win32 application, or a web application, and search the memory dump for the connection string.
