.NET application SQL connection account password best practices

We have a number of .Net applications running which contain a SQL connection string within their web.config. to another server running SQL 2008 std.

The connection string specifys SQL credentials to a specific database - the password and username is directly in the connection string.

Note: Our production servers are not part of any domain and are stand alone.

Were looking more into security - is there any way we can easily change the password to these accounts on a regular basis while not having to update the web.config files directly.    ..or is my only option via a Windows account ?


Ideally we dont want the passwords directly in the web.config - it would be nice to change the passwords once a month automatically and not cause any errors for the connecting .Net applications, and not having to update any web.configs manually.

Currently these SQL accounts are excluded from any password expiry policy and we need to change that so they are changed on a regular basis.

Any help would be greatly appreciated.
Spikeuk30Asked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

ste5anSenior DeveloperCommented:
Having the credentials in the web.config is not a problem per se, cause only a limited group of people can access those.

When you change SQL Server authentication credentials, then you need to change your config. The option here is to use a separate config file to include.

It's quite easy.
Locate your credentials in your web.config.  Change it and add a configSource attribute for your connection strings section:

<connectionStrings configSource="ConnectionStrings.config"/>

Open in new window


and create a new config file with the actual credentials:

<?xml version="1.0"?>
<connectionStrings>
    <add name="MyDB" connectionString="Data Source=myServerAddress;Initial Catalog=MyDataBase;Integrated Security=SSPI;"/>
</connectionStrings>

Open in new window

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft SQL Server 2008

From novice to tech pro — start learning today.