I have written an Excel addin which connects to a specific database and pulls data from it. Currently, SQL Server authentication data is hard-coded in the add-in. I am planning to distribute the add-in without removing the SQL Server connection functionality. Protection of the authentication data is an inevitable prerequisite. However, I am stuggling to find a suitable solution.
The authentication data for SQL Server is not unique. Setting up a unique login for each end user would be nearly impossible.
Are there any recommendations how to best achieve a good protection level for the SQL Server authentication data?
This is a very common problem of how to protect connection strings.
Few years ago i have develop a C# application and i have used an app.config file that the connection strings to the db where encrypted.
Save the connection string in an external encrypted file and while reading it decrypt it:
You can check here for more information:
https://msdn.microsoft.com/en-us/library/ms254494(v=vs.110).aspx
Related
I want to deploy my web application including a SQL Server 2008 database from my local machine to my hoster.
So far I used the Windows authentication, is it necessary to switch to username and password when I want to make my application public on the internet?
And if that's the case, what's the best practice to hide that information if they are saved as strings in the web.config?
Side note: I use Linq to Entities as Object Mapper and within the code I use
HttpContext.Current.User to authenticate the user
If you are not using shared hosting, then you can keep using windows authentication which is more secure than having SQL server user.
You should also disable remote connections so that no one can directly access SQL server to make it more secure.
For encrypting connection string check this site.
I work as a consultant for a client. Currently to develop my packages I use Windows Authentication and deploy the packages on the SQL Server (Integration Services Catalog). Once deployed I have the SQL Server Agent run these packages through jobs. It runs successfully without any issues so far.
My question is in the future when I am no longer at my client will this setup I have break due to my login being expired. I was under the impression that once I deployed to the server and run the packages through the SQL Server Agent it doesn't use my account at all!
Can someone clarify this?
It depends on your package protection level. Default is EncryptSensitiveWithUserKey. This allows SSIS to seamlessly encrypt/decrypt things like database/ftp passwords based on your AD domain account. Other people at your client should be able to open up the package although the ability to decrypt sensitive data may be hindered.
What will happen is that when your account is removed, at least based on the experience of a former employer with 2005 was that the jobs will fail to decrypt the package and blow up. Even though they had no sensitive data in the connection string (no UID or PWD values), the connection string as a whole is encrypted and it was no joy. That's been 7 years so that might not be the case any more but I'd be unwilling to risk it.
My mechanism for mitigating this risk is to always set my packages as DontSaveSensitive and then use a sane configuration approach for handling these things. I prefer SQL Server table as a backing but XML can work fine.
I have not found enough information about this online but I am sure that is possible. I want to have a vb.net application in my computer and connect to a database in my hosting to add records.
Also, I want to access the database online to see those records from away from home. Kind of like having my own phone book online in my hosting..
Can someone point me in the right direction.
1. Do I use access or mysql?
2. Do I set up the connection string using a ftp or something different?
3. I want to develop in asp.net
Thanks to all
Access is probably not a good fit, as it is not really reliable across an Internet connection, so I would go with MySQL. Unless you want to consider SQL Server, which has better out-of-the-box support in Visual Studio.
For a server-based database (MySQL or SQL Server), your connection string will include the server address provided by your host and possibly a port. If you insist on using a file-based database (Access or SQL Server CE), the database will probably be on a shared folder on the host, and the connection string will include the path to that shared folder.
If you are developing in ASP.NET, your host may limit your choice of database.
I am designing an application in .net using MVC3. I am using Visual studio 2010 and i am using Sql Server for database. what connection string should i use in Web.Config file.?
Here is a site with any connection string you want:
http://www.connectionstrings.com/
Basically, you should probably use something like this:
Data Source=myServerAddress;Initial Catalog=myDataBase;Integrated Security=SSPI;
This way you are using trusted security (not storing a SQL username and password in your config file). You will just need to make sure that the account that your application runs under has access to the database. Really, though, you should have a data access layer that has the permissions. I would recommend against direct data access from your front-end. If possible, maybe even WCF.
I've been developing a site using ASP.NET MVC, and have decided to use the new SQL Server 2008 FILESTREAM facility to store files 'within' the database rather than as separate entities. While initially working within VS2008 (using a trusted connection to the database), everything was fine and dandy. Issues arose, however, when I shifted the site to IIS7 and changed over to SQL authentication on the database.
It seems that streaming a FILESTREAM doesn't work with SQL authentication, only with Windows authentication. Given this, what is the best practice to follow?
Is there a way to force this sort of thing to work under SQL authentication?
Should I add NETWORK SERVICE as a database user and then use Trusted authentication?
Should I create another user, and run both the IIS site and the database connection under this?
Any other suggestions?
Take a look at this article. I don't know a whole lot about FileStreaming and security, but there are a couple of interesting options in the FileStreaming setup such as allowing remote connections and allow remote clients to access FileStreaming