July 11, 2005 at 8:52 am
Within the current environment here, we of course create standard logins for each application, and permissions are set for each application. From things which were done prior to my coming here, developers are provided with the login and password, and they then use that for the connection string for the application when it's put in production.
The problem is, developers are then able to login to production with that login/password.
I'm curious how other companies implement this. Of course, the best way is developers not doing production migration, but assume this isn't a perfect world. Even if I use UDLs, they are plain text anyway, so a developer can get to the UDL text if they wanted to.
How do you do this in your environment, ensuring developers can't get to the application login/password?
Thanks
-Dave
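As an added illustration of the problem Dave describes (this is not code from the thread or any of its participants): a SQL Server logon trigger that refuses the shared application login unless the connection arrives from one of the application servers, so a developer who knows the password still cannot use it from a workstation. It assumes SQL Server 2005 SP2 or later (logon triggers), a login named AppLogin and application hosts APPSRV01 and APPSRV02; all three names are placeholders. Two caveats a practitioner should weigh: HOST_NAME() is supplied by the client and can be spoofed, so this is a tripwire against casual use rather than a hard boundary, and a mistake in a logon trigger can lock out every login, so test it on a non-production instance and keep the Dedicated Administrator Connection available to drop it.

```sql
-- Added example, not from the thread. Assumed placeholder names:
-- login AppLogin, application hosts APPSRV01 and APPSRV02.
-- Requires SQL Server 2005 SP2 or later (logon triggers).
USE master;
GO
CREATE TRIGGER trg_AppLogin_HostRestriction
ON ALL SERVER
WITH EXECUTE AS 'sa'
FOR LOGON
AS
BEGIN
    -- Only act on the shared application login; every other login is untouched.
    IF ORIGINAL_LOGIN() = N'AppLogin'
       AND HOST_NAME() NOT IN (N'APPSRV01', N'APPSRV02')
    BEGIN
        -- ROLLBACK inside a logon trigger cancels the connection attempt.
        -- The refusal is recorded in the SQL Server error log as a logon
        -- failure caused by trigger execution, which gives you an audit trail
        -- of who tried the application login from an unexpected host.
        ROLLBACK;
    END
END;
GO
```

To remove it, `DROP TRIGGER trg_AppLogin_HostRestriction ON ALL SERVER;` from a session that can still connect (the DAC if necessary).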
July 11, 2005 at 9:26 am
Hello Dave,
Did you try Application Roles?
Yelena
Regards, Yelena Varsha
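A worked example of the application-role approach Yelena suggests, added here and not taken from the thread or its participants. It assumes SQL Server 2005 or later syntax (SQL Server 2000 used sp_addapprole instead of CREATE APPLICATION ROLE); the database AppDb, login AppLogin, role AppDataRole, table dbo.Orders and both passwords are placeholders. The point it demonstrates: the login that sits in the connection string holds no data permissions of its own, so knowing that password alone gets a developer a connection that can read nothing; the real permissions are attached to the application role, which the application activates at runtime with sp_setapprole. The caveat is that the role password still has to live somewhere the application can read it, so this moves the secret rather than eliminating it, and it pairs naturally with the encrypted-config approaches discussed later in the thread.

```sql
-- Added example, not from the thread. Assumed placeholder names:
-- database AppDb, login AppLogin, application role AppDataRole, table dbo.Orders.
-- Passwords are placeholders; rotate real ones through change control.
USE AppDb;
GO
-- Constructed sample table so the script runs on its own.
CREATE TABLE dbo.Orders (OrderId int PRIMARY KEY, Amount money NOT NULL);
INSERT INTO dbo.Orders (OrderId, Amount) VALUES (1, 19.99);
GO
-- The login used in the connection string gets CONNECT only; by itself
-- it cannot read or change any table.
CREATE LOGIN AppLogin WITH PASSWORD = N'LoginPlaceholder#1';
CREATE USER AppLogin FOR LOGIN AppLogin;
GO
-- The application role carries the actual data permissions.
CREATE APPLICATION ROLE AppDataRole WITH PASSWORD = N'RolePlaceholder#1';
GRANT SELECT, INSERT ON dbo.Orders TO AppDataRole;
GO
-- What the application does after opening its connection as AppLogin.
-- A developer who connects as AppLogin from a query tool and does not
-- know the role password stops here: the SELECT below is denied.
DECLARE @cookie varbinary(8000);
EXEC sp_setapprole @rolename      = N'AppDataRole',
                   @password      = N'RolePlaceholder#1',
                   @fCreateCookie = 1,
                   @cookie        = @cookie OUTPUT;
-- While the role is active the session has the role's permissions
-- (and, by design, loses the login's own permissions).
SELECT TOP (1) OrderId, Amount FROM dbo.Orders;
-- Drop back to the bare login before the connection is returned to the pool.
EXEC sp_unsetapprole @cookie;
GO
```

The cookie form of sp_setapprole matters with connection pooling: a pooled connection left with the role active would hand the role's permissions to the next user of that connection, so the application should unset the role before releasing it.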
July 11, 2005 at 11:43 am
I don't want the developer to know at all what the password is.
July 11, 2005 at 11:53 am
Dave,
If they are .NET developers, let them put the connection string into config files and assign someone to manage their production config files, changing the password once the config file is on the production server. You can also put passwords in the registry, and the app will read the registry keys.
Yelena
Regards, Yelena Varsha
July 11, 2005 at 12:02 pm
This is what we do. Our Change Control folks receive the logins from either the DBAs or our security team and alter the connection string (which is encrypted) accordingly. As a result, the developers don't have access to the raw passwords.
K. Brian Kelley
@kbriankelley
July 11, 2005 at 12:05 pm
In addition, take a look at the Microsoft white paper
Building Secure ASP.NET Applications, downloadable at
file name: secnet.exe; unzip it.
Chapter 12, under the
"Storing Database Connection Strings Securely" header in this chapter.
Hope it helps.
Yelena
Regards, Yelena Varsha
July 11, 2005 at 2:45 pm
That's what I want to implement here as well. Where do you store the connection string (UDL)? And how do you encrypt/decrypt it?
July 11, 2005 at 10:48 pm
Use the Application Configuration Block from the Microsoft Enterprise Library. It comes with a tool to manage configuration files, and the config files can be really easily encrypted.
See here for more: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/june2005release.asp