How Can I Secure my ConnectionString in WinForm Application?
Asked
Active
Viewed 8,403 times
9
-
This can be use full using C# code encryp the hole section [link](http://stackoverflow.com/questions/37573551/encrypt-app-config-custom-element-using-cmd?answertab=active#tab-top) – mukesh singh Jun 04 '16 at 06:07
1 Answers
22
You can't. Although you can encrypt the connection string in the app.config file, the application needs to be able to decrypt it and it is, therefore, always possible to retrieve the unencrypted connection string, especially with a managed application (perhaps not for your typical end user, but any skilled developer, or hacker can do this, and even end users can figure this out after a little bit of googling).
The solution to this is to not lean on security by obscurity. Use Windows Integrated Security when connecting to the database using the Windows user account and give the user the minimum amount of rights in the database.
Often though that is still not enough, because it is very hard to secure the database enough when end users are directly connected to the database (often because you need row-level security). For this to work you need to deny access to tables and views and completely fall back to stored procedures.
A better approach, however, is to prevent the desktop application from communicating directly with the database. Instead, use a web service as intermediate layer. In that case you have full control over the security and you can store the connection string securely on the (web) server.
Steven
- 166,672
- 24
- 332
- 435
-
4+1 for "You can't". There is no absolute security specially with managed apps. You can enforce security with some things like including a webservice layer and isolating users from database but yet it won't be perfect. You have to take that into account right from the conception of the app. – Anderson Matos Feb 07 '12 at 11:57
-
@Steven the link to "Windows Integrated Security" is broken. :) – Ryan Walkowski Feb 20 '18 at 00:25