Link to home
Start Free TrialLog in
Avatar of Winston Smith
Winston SmithFlag for Canada

asked on

Protect appSettings and connectionString sections for Windows Application

I have a Windows Forms application written in vb.net 2005. The user needs to login to a SQL Server instance, this login is tested against the database which was setup using membership and roles provider  (ASP.NET, as such the users password is hashed). I can login no problem but the connection string is stored in clear text in the app.config file.

How can i protect the two sections  from prying eyes? I have played with rsa encryption before deployment but of copurse that is machine specific and dies on users systems.

This seems like such an important thing but google was of no use this time.

Thanks

Cheers
ASKER CERTIFIED SOLUTION
Avatar of Daniel Reynolds
Daniel Reynolds
Flag of United States of America image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
SOLUTION
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of Winston Smith

ASKER

The users password and the sql connection password are completely different. I have to store the connection string in app.config toallow the membership provider access to it.
xDJR1875:
That would work and i looked into it but it can only secure the fiule the first time you run the program on the clients machine. A savvy hacker will just look at the config file pre-startup. Unless i am mistaken in how that works
I ended up taking all passwords/connections strings out of the program and pushed all authentication to web services. Thanks for your help everyone, any knowledge is good knowledge. Unless in politics of course