web.config security best practice

  • snomadj

    SSCarpal Tunnel

    Points: 4275

    So a dev has created a web app connecting into one of my dbs with a connectionString hardcoded into the web.config.  We're using a sql login.

    He has left.  I want to harden it if possible.  Can I create a dsn & reference this instead?  Or is there something else I could do to secure this a little better?

    Apologies if my question is a bit noob.  This isn't really my area but I want to sort it.


  • Sean Lange

    SSC Guru

    Points: 286536

    The web.config is probably the ideal location for connection info. It does not require a recompile to change. Using a machine DSN is probably the last way you should be connecting to a database anymore. What is the concern with having the connection information in the web.config?


    Need help? Help us help you.

    Read the article at http://www.sqlservercentral.com/articles/Best+Practices/61537/ for best practices on asking questions.

    Need to split a string? Try Jeff Modens splitter http://www.sqlservercentral.com/articles/Tally+Table/72993/.

    Cross Tabs and Pivots, Part 1 – Converting Rows to Columns - http://www.sqlservercentral.com/articles/T-SQL/63681/
    Cross Tabs and Pivots, Part 2 - Dynamic Cross Tabs - http://www.sqlservercentral.com/articles/Crosstab/65048/
    Understanding and Using APPLY (Part 1) - http://www.sqlservercentral.com/articles/APPLY/69953/
    Understanding and Using APPLY (Part 2) - http://www.sqlservercentral.com/articles/APPLY/69954/

  • Eric M Russell

    SSC Guru

    Points: 125089

    If the web application is secured properly, then that web.config file is secure from outsiders, but it can be visible to many inside the organization. For one thing, the developers may check the web.config into source control (Git, TFS, etc.) along with the project files.

    Google the following for options on how to encrypt the connection string properties.

    web.config encrypted connection


    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • Chris Harshman


    Points: 42108

    The most secure thing to do would be set up this system to connect to the database using a Windows authenticated login (active directory account) instead of a SQL authenticated login.  If you are unable to do that, you can encrypt the entry in the config file.



  • snomadj

    SSCarpal Tunnel

    Points: 4275

    Thanks all.  Appreciate the responses.  The issue I have is with visibility of the file to more people than I would like.  I hear you saying it can be useful for admins / dev but the dir containing the web.config is currently read shared with [Everyone].  When I remove [Everyone] from the share, leaving just admins & the svcAccount, the users get authentication errors.

    It's a bit more complex that I had hoped.  I guess I need to get back to basics, understand how the authentication is happening, which files actually need to be shared with who & go from there.

    Appreciate the idea for encryption.  And the key words to search.  Sometimes when I'm new to a topic half the battle is knowing what to google!

    I'll get reading.

Viewing 5 posts - 1 through 5 (of 5 total)

You must be logged in to reply to this topic. Login to reply