.NET application SQL connection account password best practices

Spikeuk30
Spikeuk30 used Ask the Experts™
on
We have a number of .Net applications running which contain a SQL connection string within their web.config. to another server running SQL 2008 std.

The connection string specifys SQL credentials to a specific database - the password and username is directly in the connection string.

Note: Our production servers are not part of any domain and are stand alone.

Were looking more into security - is there any way we can easily change the password to these accounts on a regular basis while not having to update the web.config files directly.    ..or is my only option via a Windows account ?


Ideally we dont want the passwords directly in the web.config - it would be nice to change the passwords once a month automatically and not cause any errors for the connecting .Net applications, and not having to update any web.configs manually.

Currently these SQL accounts are excluded from any password expiry policy and we need to change that so they are changed on a regular basis.

Any help would be greatly appreciated.
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Senior Developer
Commented:
Having the credentials in the web.config is not a problem per se, cause only a limited group of people can access those.

When you change SQL Server authentication credentials, then you need to change your config. The option here is to use a separate config file to include.

It's quite easy.
Locate your credentials in your web.config.  Change it and add a configSource attribute for your connection strings section:

<connectionStrings configSource="ConnectionStrings.config"/>

Open in new window


and create a new config file with the actual credentials:

<?xml version="1.0"?>
<connectionStrings>
    <add name="MyDB" connectionString="Data Source=myServerAddress;Initial Catalog=MyDataBase;Integrated Security=SSPI;"/>
</connectionStrings>

Open in new window

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial