Security of connection strings
This course includes:
- Database security
- Defining the connection string
- Preventing injection attacks
- Storing the connection string
- Encrypting the connection string
- Protected configuration
Database Security
- Prefer Windows Authentication over SQL Server Authentication
  - Secure and easy to manage
  - No user name or password has to be placed in the connection string; security is enforced through the Windows password policy
  - The password is never transmitted in plain text over the network
Integrated Windows Authentication: syntax by provider

Provider        Syntax
SqlClient       Integrated Security=true;  or  Integrated Security=SSPI;
OleDb           Integrated Security=SSPI;
ODBC            Trusted_Connection=yes;
OracleClient    Integrated Security=yes;
SQL Server Authentication
- If SQL Server Authentication must be used:
  - Enforce password policies
  - Enforce password expiration
  - Require the user to change the password at next login
Define the connection string
- The Persist Security Info keyword defaults to false.
- If it is set to true or yes, security-sensitive information (including the user ID and password) can be read back from the connection after it has been opened.
- Keep Persist Security Info set to false so that untrusted code cannot obtain sensitive connection string information from an open connection.
Demo: Modify Persist Security Info
Connection string injection attacks
- Similar in spirit to SQL injection attacks
- Extra parameters are smuggled into the connection string through the separator character (;). For example, a connection string built by concatenation:

    string constr = "Server=(local);Database=Northwind;Uid=sa;Pwd=" + password;

  Input:

    password = "password01!;Pooling=true;Min Pool Size=999999;Max Pool Size=999999;"

  The part after the first ; is no longer part of the password; the provider reads Pooling, Min Pool Size and Max Pool Size as separate keywords.
Connection string builders
- ADO.NET 2.0 introduces a connection string builder class for each .NET Framework data provider; all of them inherit from DbConnectionStringBuilder.

Provider namespace            ConnectionStringBuilder class
System.Data.SqlClient         SqlConnectionStringBuilder
System.Data.OleDb             OleDbConnectionStringBuilder
System.Data.Odbc              OdbcConnectionStringBuilder
System.Data.OracleClient      OracleConnectionStringBuilder
Avoid connection string injection attacks

    System.Data.SqlClient.SqlConnectionStringBuilder builder =
        new System.Data.SqlClient.SqlConnectionStringBuilder();
    builder["Data Source"] = "(local)";
    builder["Integrated Security"] = true;
    builder["Initial Catalog"] = "AdventureWorks;NewValue=Bad";
    Console.WriteLine(builder.ConnectionString);

Output:

    Data Source=(local);Integrated Security=True;Initial Catalog="AdventureWorks;NewValue=Bad"

The builder quotes the value that contains ;, so NewValue=Bad stays inside the Initial Catalog value instead of becoming a keyword of its own.
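The injection shown earlier and the builder-based defence, side by side, as one added example that is not part of the original deck (the Northwind, sa and hostile-input values are the slides' own; the class and method names are constructed for this example):

```csharp
using System;
using System.Data.SqlClient;

// Added example (not from the original deck). It feeds the hostile "password" from the
// slide through the concatenation pattern and through SqlConnectionStringBuilder, then
// parses each result to show which keywords the provider would actually see.
class ConnectionStringInjectionDemo
{
    // Attacker-controlled input from the slide: it smuggles in extra keywords via ';'.
    const string HostileInput =
        "password01!;Pooling=true;Min Pool Size=999999;Max Pool Size=999999;";

    // Vulnerable pattern from the slide: the input is spliced straight into the string.
    public static string BuildByConcatenation(string password)
    {
        return "Server=(local);Database=Northwind;Uid=sa;Pwd=" + password;
    }

    // Safer pattern: every value goes through the builder, which quotes a value that
    // contains ';' so it stays a single value for a single keyword.
    public static string BuildWithBuilder(string password)
    {
        var builder = new SqlConnectionStringBuilder();
        builder.DataSource = "(local)";
        builder.InitialCatalog = "Northwind";
        builder.UserID = "sa";
        builder.Password = password;
        builder.PersistSecurityInfo = false; // keep the password out of the opened connection
        return builder.ConnectionString;
    }

    // Parse a finished string back to see how the provider interprets it.
    public static void Report(string label, string connectionString)
    {
        var parsed = new SqlConnectionStringBuilder(connectionString);
        Console.WriteLine(label);
        Console.WriteLine("  Password      : " + parsed.Password);
        Console.WriteLine("  Pooling       : " + parsed.Pooling);
        Console.WriteLine("  Min Pool Size : " + parsed.MinPoolSize);
        Console.WriteLine("  Max Pool Size : " + parsed.MaxPoolSize);
    }

    static void Main()
    {
        // Concatenated: Pooling / Min Pool Size / Max Pool Size become real keywords.
        Report("Concatenated", BuildByConcatenation(HostileInput));
        // Builder: the entire hostile input stays the value of the Password keyword.
        Report("Builder", BuildWithBuilder(HostileInput));
    }
}
```

Parsing the output of both builders back with SqlConnectionStringBuilder is also a cheap unit-test pattern: assert that Min Pool Size and Max Pool Size keep their defaults whatever the user supplied.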
Demo: Use the connection string builder
Store connection strings
- The connection string can be stored in:
  - A configuration file
  - The COM+ catalog
  - The Windows Registry
  - A custom file structure
Demo: Store the connection string in the configuration file
Encrypted connection string
- .NET encryption options:
  - Symmetric algorithms (for example 3DES)
  - Asymmetric algorithms (for example RSA)
  - Data Protection API (DPAPI)
Demo: Encrypted connection string
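Protecting a connection string with DPAPI before it is written to storage, as an added example that is not part of the original deck (it uses System.Security.Cryptography.ProtectedData, which ships in the System.Security assembly; the entropy value and the class name are constructed for this example):

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example (not from the original deck): DPAPI round trip for a connection string.
static class DpapiConnectionStringStore
{
    // Optional additional entropy: an application secret that must be supplied again to
    // decrypt. Constructed placeholder value for this example; keep the real one out of
    // the same file as the ciphertext.
    static readonly byte[] Entropy = Encoding.UTF8.GetBytes("sample-app-entropy");

    // CurrentUser scope: only processes running as the same Windows account (for a web
    // application, the application pool identity) can decrypt. LocalMachine scope would
    // let any process on the machine decrypt, so it is the weaker choice.
    const DataProtectionScope Scope = DataProtectionScope.CurrentUser;

    // Encrypt and return a base64 blob suitable for a configuration file or the registry.
    public static string Protect(string connectionString)
    {
        byte[] plain = Encoding.UTF8.GetBytes(connectionString);
        byte[] cipher = ProtectedData.Protect(plain, Entropy, Scope);
        Array.Clear(plain, 0, plain.Length); // do not leave the plaintext bytes around
        return Convert.ToBase64String(cipher);
    }

    public static string Unprotect(string base64)
    {
        byte[] cipher = Convert.FromBase64String(base64);
        byte[] plain = ProtectedData.Unprotect(cipher, Entropy, Scope);
        try { return Encoding.UTF8.GetString(plain); }
        finally { Array.Clear(plain, 0, plain.Length); }
    }

    static void Main()
    {
        string original = "Server=(local);Database=Northwind;Integrated Security=SSPI;";
        string stored = Protect(original);
        Console.WriteLine("Stored form: " + stored);
        Console.WriteLine("Round trip OK: " + (Unprotect(stored) == original));
    }
}
```

Unprotect throws CryptographicException when the blob was produced under a different account or with different entropy, which is the check to look for when a deployed application suddenly cannot read its stored connection string.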
Protected Configuration
- Use protected configuration to encrypt the connectionStrings section
  - The configuration file no longer contains the connection strings in plaintext; they are stored in encrypted form.
  - When a page is requested, the .NET Framework decrypts the connection string information and makes it available to the application; application code reads it exactly as before.
Create the protected configuration
- ASP.NET IIS Registration Tool (aspnet_regiis.exe)
  - Encrypts and decrypts sections of the Web.config file
  - Creates and deletes key containers, exports and imports key container information, and manages access to key containers
- Protected configuration provider classes in the System.Configuration namespace
  - DpapiProtectedConfigurationProvider: encrypts and decrypts data with the Windows Data Protection API (DPAPI)
  - RsaProtectedConfigurationProvider: encrypts and decrypts data with the RSA algorithm
Encrypting and decrypting a Web configuration section
- Encrypt the section:

    aspnet_regiis -pe "connectionStrings" -app "/SampleApplication" -prov "RsaProtectedConfigurationProvider"

- Decrypt the section:

    aspnet_regiis -pd "connectionStrings" -app "/SampleApplication"
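The same protect and unprotect operations that aspnet_regiis -pe and -pd perform, done from code with the System.Configuration API, as an added example that is not part of the original deck ("/SampleApplication" and the provider name are the slides' own values; the class and method names are constructed):

```csharp
using System;
using System.Configuration;
using System.Web.Configuration;

// Added example (not from the original deck): programmatic protected configuration.
// Requires a reference to System.Configuration and System.Web.
static class ProtectedConnectionStrings
{
    const string ProviderName = "RsaProtectedConfigurationProvider";
    const string SectionName = "connectionStrings";

    // Encrypt the <connectionStrings> section of the application's Web.config in place.
    // The process needs write access to Web.config and to the RSA key container.
    public static void Protect(string virtualPath)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(virtualPath);
        ConfigurationSection section = config.GetSection(SectionName);
        if (!section.SectionInformation.IsProtected)
        {
            section.SectionInformation.ProtectSection(ProviderName);
            config.Save(); // the file now holds <EncryptedData>, not the plaintext strings
        }
    }

    // Reverse of Protect: equivalent to aspnet_regiis -pd.
    public static void Unprotect(string virtualPath)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(virtualPath);
        ConfigurationSection section = config.GetSection(SectionName);
        if (section.SectionInformation.IsProtected)
        {
            section.SectionInformation.UnprotectSection();
            config.Save();
        }
    }

    // Application code is unchanged: the framework decrypts transparently on read.
    public static string Read(string name)
    {
        ConnectionStringSettings settings = ConfigurationManager.ConnectionStrings[name];
        if (settings == null)
            throw new InvalidOperationException("No connection string named " + name);
        return settings.ConnectionString;
    }

    static void Main()
    {
        Protect("/SampleApplication");
        Console.WriteLine(Read("Northwind").Length > 0 ? "decrypted on read" : "empty");
    }
}
```

With the RSA provider, every server that must read the file needs the same key container; export it with aspnet_regiis -px on one machine and import it with -pi on the others rather than re-encrypting per machine.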
Demo: Use protected configuration
Get more MSDN resources
- MSDN Chinese website: http://msdn2.microsoft.com/zh-cn
- MSDN Chinese Webcast: http://www.microsoft.com/china/msdn/webcast
- MSDN Chinese Webcast course preview e-mail: http://www.microsoft.com/china/msdn/WebcastNewsletter
- MSDN free Chinese newsletter (MSDN Flash): http://msdn2.microsoft.com/zh-cn/flash
- MSDN Developer Centers: http://msdn2.microsoft.com/zh-cn/developercenters
- MSDN Book Center: http://www.microsoft.com/china/msdn/book
Question & answer
You can also seek help at the Microsoft Chinese technology forum; lecturers of the MSDN Chinese Webcast regularly answer technical questions related to the course there.
http://forums.microsoft.com/china