-1

Created an Azure Cloud Service and want to deploy it now. The connection string (for Azure) contains a readable username and password. Is this secure (and is the key vulnerability in respect of connection strings in the Web.config and App.config files before and during deploying the application to Windows Azure)? If not, what is the easiest way to make it secure?

Meanwhile found an answer (see below). Not an easy way, however...

Thanks in advance for any help!

Gerard

2 Answers

0

The quickest way is to put it as an appSetting in your server's web.config and read the values at runtime directly from codebehind. A web.config file is not viewable on a public facing webserver hosting IIS.

Web.config:

<configuration>
    <appSettings>
        <add key="ConnectionString" value="User Id=myusername;Password=myPasswordc;DataSource=my.datasource" />
    </appSettings>
</configuration>

Code:

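using System.Configuration; // ConfigurationManager (reference System.Configuration.dll)
string CS = ConfigurationManager.AppSettings["ConnectionString"]; // read the appSettings value at runtime
AzureService myAzureService = new AzureService(CS); // or similar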

On a tangent: any TCP/IP packet sent over HTTP (client to server) could be sniffed if a hacker were to do so.

If you were sending authentication details from/to a client/server, any authentication detail might be sent to the Azure service in clear text (over HTTP).

If this was your intended setup, you should consider running your Cloud service over HTTPS, creating a secure socket (tunnel) where any clear text authentication is protected by the SSL tunnel.

FlemGrem
  • Thanks for the info. Found an article about Windows Azure SQL Database connection security (http://social.technet.microsoft.com/wiki/contents/articles/2951.windows-azure-sql-database-connection-security.aspx) is that still valid? – Gerard Aug 19 '14 at 12:48
  • That article is a heck of a lot more than my 10 line suggestion above. It looks like you already found what you need. And yep it looks relevant to me. Good luck. – FlemGrem Aug 19 '14 at 13:24
  • Might be, but it all looks quite dated. Pkcs12 Protected Configuration Provider, for example: The project can't be built using a recent Visual Studio. – Gerard Aug 19 '14 at 17:11
  • My recent is different to your recent, sorry. We're still on VS2010 and .Net 2.0. So that article looks current to me :o) Maybe somebody with more recent experience can read this and lend a hand. – FlemGrem Aug 20 '14 at 09:14
0

See Windows Azure SQL Database Connection Security for some information on this topic. It looks somewhat dated: a recommended way using Pkcs12 Protected Configuration Provider doesn't build using modern tools (VS2103), for example. Perhaps there is another, easier way... For the WebSites service in Azure there is an easier way by using the App settings (configuration tab); see also Keep connection string secure when deploying to Azure.

Gerard
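A pre-deployment check for the situation the question describes, added here as an example that is not part of either answer: it scans a Web.config or App.config for Password/Pwd keywords stored in clear text under appSettings and connectionStrings. The function names and the sample file are constructed for illustration, and the parser assumes plain key=value; pairs without quoted values.

```python
import xml.etree.ElementTree as ET

# Connection-string keywords that carry a secret.
SECRET_KEYS = {"password", "pwd"}

def parse_connection_string(value):
    """Split 'Key=Value;Key=Value' into a dict with lower-cased keys."""
    pairs = {}
    for part in value.split(";"):
        key, sep, val = part.partition("=")
        if sep and key.strip():
            pairs[key.strip().lower()] = val.strip()
    return pairs

def find_plaintext_credentials(config_xml):
    """Return (section, entry name, keyword) for each secret stored in clear text."""
    root = ET.fromstring(config_xml)
    findings = []
    # <appSettings> keeps the string in 'value'; <connectionStrings> in 'connectionString'.
    for section, name_attr, value_attr in (
        ("appSettings", "key", "value"),
        ("connectionStrings", "name", "connectionString"),
    ):
        for add in root.findall(f"./{section}/add"):
            pairs = parse_connection_string(add.get(value_attr, ""))
            for keyword in sorted(pairs.keys() & SECRET_KEYS):
                if pairs[keyword]:  # an empty password is not a leaked secret
                    findings.append((section, add.get(name_attr), keyword))
    return findings

# Constructed sample: the appSettings entry from the first answer plus a
# connectionStrings entry that keeps no credentials in the file.
SAMPLE = """<configuration>
  <appSettings>
    <add key="ConnectionString" value="User Id=myusername;Password=myPasswordc;DataSource=my.datasource" />
    <add key="PageSize" value="25" />
  </appSettings>
  <connectionStrings>
    <add name="Reporting" connectionString="Data Source=my.datasource;Integrated Security=True" />
  </connectionStrings>
</configuration>"""

if __name__ == "__main__":
    for section, name, keyword in find_plaintext_credentials(SAMPLE):
        print(f"{section}/{name}: '{keyword}' is stored in clear text")
```

Run against the files that go into the deployment package; an empty result means no clear-text password keyword was found in those two sections, not that the file holds no secrets elsewhere.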