How secure are the username and password in a connection string?

Time: 2022-07-01 12:01:06

When developing Windows applications:

  1. How do I secure the user name and password in the connection string?

  2. Organizations like banks, would they give out the user name and password of their DB to application developers? If not, how do those application developers typically write the DB connections?

  3. What is the industry standard to secure the user and password in the connection string?

Thanks

4 answers

#1 (score: 3)

  1. How I secure the user name and password in the connection string?

Either use Windows authentication to eliminate the need for a password in the connection string, or use a combination of one or more of:

  • Encryption, e.g. using Protected Configuration.

  • Restrict access to the configuration file, e.g. using an ACL.

Note that the above techniques work well for server applications (e.g. ASP.NET), where access to the server can be restricted to authorized administrators. It doesn't work well for client-side applications that directly access a database.

Note also that encryption on its own is not sufficient: it simply replaces the problem of controlling access to a plaintext configuration file by the problem of controlling access to encryption keys. When using Protected Configuration, you need to decide how to restrict access to the encryption keys used to encrypt your configuration file.

2. Organizations like banks, would they give out the user name and password of their DB to application developers? if not typically how those applications developers write the DB Connections?

In general developers will only be given credentials to access databases in a development / test environment. Access to production databases will be restricted.

3. What is the industry standard to secure user and password in the connection string?

There is no "industry standard", but see answer to question 1.

#2 (score: 1)

You can encrypt sections in the app.config in the same way as web.config. MS calls it Protected Configuration. Like this:

<connectionStrings configProtectionProvider="DataProtectionConfigurationProvider">
  <EncryptedData>
    <CipherData>
      <CipherValue>AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAH2... </CipherValue>
    </CipherData>
  </EncryptedData>
</connectionStrings>

#3 (score: 0)

From MSDN:

ASP.NET 2.0 introduced a new feature, called protected configuration, that enables you to encrypt sensitive information in a configuration file. Although primarily designed for ASP.NET, protected configuration can also be used to encrypt configuration file sections in Windows applications. For a detailed description of the protected configuration capabilities, see Encrypting Configuration Information Using Protected Configuration.

The following configuration file fragment shows the connectionStrings section after it has been encrypted. The configProtectionProvider specifies the protected configuration provider used to encrypt and decrypt the connection strings. The EncryptedData section contains the cipher text.

<connectionStrings configProtectionProvider="DataProtectionConfigurationProvider">
  <EncryptedData>
    <CipherData>
      <CipherValue>AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAH2... </CipherValue>
    </CipherData>
  </EncryptedData>
</connectionStrings>

When the encrypted connection string is retrieved at run time, the .NET Framework uses the specified provider to decrypt the CipherValue and make it available to your application. You do not need to write any additional code to manage the decryption process. Please read the following article on MSDN for more information:

Connection Strings and Configuration Files
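A worked example of the Protected Configuration approach that answers #1 and #3 describe, written for this page and not taken from any answer or from MSDN: it encrypts the connectionStrings section of a Windows application's own .config with the DataProtectionConfigurationProvider, reads it back through the normal ConfigurationManager path, and checks whether a stored string still carries a SQL password instead of using Windows authentication. It assumes a .NET Framework project referencing System.Configuration and System.Data, and a connection-string entry named "MyDb" (an assumed name).

```csharp
using System;
using System.Configuration;          // System.Configuration.dll
using System.Data.SqlClient;

public static class ConnectionStringProtector
{
    // DPAPI-backed provider. By default it uses the machine key, so any process on
    // the same machine can decrypt the section (the key-access problem answer #1 raises).
    const string Provider = "DataProtectionConfigurationProvider";

    // Encrypts the <connectionStrings> section of this exe's .config in place.
    // Safe to call repeatedly: an already-protected section is left alone.
    public static void Protect()
    {
        Configuration config = ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
        ConfigurationSection section = config.GetSection("connectionStrings");
        if (section == null || section.SectionInformation.IsProtected) return;
        section.SectionInformation.ProtectSection(Provider);
        section.SectionInformation.ForceSave = true;   // write even if no values changed
        config.Save(ConfigurationSaveMode.Modified);
        ConfigurationManager.RefreshSection("connectionStrings");
    }

    // Normal read path: the framework decrypts transparently, as answer #3 says.
    public static string Get(string name)
    {
        ConnectionStringSettings s = ConfigurationManager.ConnectionStrings[name];
        return s == null ? null : s.ConnectionString;
    }

    // True when the string still relies on a stored SQL password rather than
    // Windows authentication (Integrated Security=SSPI), answer #1's first option.
    public static bool UsesStoredPassword(string connectionString)
    {
        var b = new SqlConnectionStringBuilder(connectionString);
        return !b.IntegratedSecurity && !string.IsNullOrEmpty(b.Password);
    }

    public static void Main()
    {
        Protect();
        string cs = Get("MyDb");   // "MyDb" is an assumed entry in app.config
        Console.WriteLine(cs == null ? "no MyDb entry"
            : UsesStoredPassword(cs) ? "WARNING: SQL password stored in config"
            : "Windows authentication, no stored password");
    }
}
```

Protect() needs write access to the .config next to the exe, and SectionInformation.UnprotectSection() reverses it on a machine holding the same DPAPI key. Because the machine-scoped key is available to every local process, pair this with an ACL on the .config file as answer #1 suggests.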

#4 (score: -1)

You should use parameters.

Example:

    // Parameterized query: user input is bound as @name, never concatenated into the SQL text
    SqlCommand command = new SqlCommand("select * from Login where Username = @name", conn);
    // uname is assumed to be a TextBox; the original wrote uname.txt, which is not a property
    command.Parameters.Add(new SqlParameter("@name", uname.Text));
