Webconfig encrypted connection string can be hacked?

I'm working on a project at work that's Web Forms, C# and ASP.Net. The code is old.

Instead of using web.config to hold connection strings and app settings, they have an XML file. In it, they have something like this for the connection string:

<add value="Server=DVSTL;Database=DVwhatever;Min Pool Size=2" key="Data.ConnectionString"/>

<add value="[enc]encrypted value here==" key="DataDB.CV.PWD"/>

<add value="[enc]encrypted value here=" key="DataDB.UID"/>


There's more in this XML file. There's an XML file for each environment.

Yesterday, we had a meeting about this and my manager said this was done for security because if we have the encrypted connection string in web.config, someone can get that section... behind a firewall... and decrypt the values.

I worked at another company last year where all the connection strings were in web.config and the environment was big on security. We even had the dev environment's connection string encrypted.

I suggested removing the XML and just using the web.config.

My question is... can web.config's connection string... when encrypted... be stolen and decrypted? With or without a firewall.
Camillia asked:
Julian Hansen commented:
The question is: how are the strings decrypted so they can be used?
The answer: in the code files that use them.
The next question is: if a hacker can get to the settings file that contains the encrypted strings, can (s)he not also get to the code files that decrypt the settings?

Let's say someone gets access to the connection strings. If you were really security conscious, then wouldn't you also ensure that access to the data store is only available from the network where the web server is located? That means the settings on their own are not enough; you also need access to the network that has access to the server.

Then I would ask (if SQL Server is being used) why you are not using integrated security, which does not require usernames and passwords to be configured for the connection. The IIS user account is given access to the SQL database you are connecting to, so that the IIS process authenticates using Windows security.
Camillia (author) commented:
Thanks, Julian. Let me read and understand.
Shaun Vermaak (Technical Specialist/Developer) commented:
> Instead of using web.config to hold connection strings and app settings, they have an XML file. In it, they have something like this for the connection string:
Very dangerous if the XML files are happily served when requested via a browser.

> My question is... can web.config's connection string... when encrypted... be stolen and decrypted? With or without a firewall.
Not without compromising the server first. Another option is to set up these permissions against the identity of the application pool; this way you do not need to store passwords, cleartext or otherwise, in text files.
Camillia (author) commented:
They want to cache the connection strings. I have to ask them why.
Shaun Vermaak (Technical Specialist/Developer) commented:
The connection string can still be used, but without a username and password.
it_saige (Developer) commented:
I agree with Julian and Shaun: there is no need to use a username and/or password as part of the connection string. Rather than worrying about hiding/obfuscating the connection string, just use integrated security.

-saige-
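As an added example (not code from the thread or from any of its posters), the following C# shows what the three answers above recommend in practice: an audit that flags connection strings carrying a SQL login, the rewrite to Integrated Security so the IIS application pool identity authenticates instead of a stored password, and the read from a web.config <connectionStrings> section that has been protected with aspnet_regiis. The server and database names are the ones quoted in the question; the login, the site path and the application pool name are placeholders.

```csharp
// Added example, not code from the thread. Assumes .NET Framework 4.x with
// System.Data and System.Configuration referenced.
using System;
using System.Configuration;
using System.Data.SqlClient;

public static class ConnectionStringAudit
{
    // True when the string carries a SQL login (User ID / Password), i.e. a
    // secret that must be protected wherever the config file ends up.
    public static bool HasEmbeddedCredentials(string connectionString)
    {
        var b = new SqlConnectionStringBuilder(connectionString);
        return !b.IntegratedSecurity
            && (!string.IsNullOrEmpty(b.UserID) || !string.IsNullOrEmpty(b.Password));
    }

    // Rewrites the string to authenticate as the process identity (the IIS
    // application pool account) and drops any SQL login it carried. Server,
    // database and pool settings are kept as they were.
    public static string ToIntegratedSecurity(string connectionString)
    {
        var b = new SqlConnectionStringBuilder(connectionString);
        b.Remove("User ID");
        b.Remove("Password");
        b.IntegratedSecurity = true;
        return b.ConnectionString;
    }

    // Reads a named entry from <connectionStrings> in web.config. When that
    // section has been protected on the server with
    //   aspnet_regiis.exe -pef "connectionStrings" C:\inetpub\wwwroot\YourApp   (placeholder path)
    // the runtime decrypts it here transparently for any process that can use
    // the key container. That is the point made in the thread: a protected
    // section stops casual reading of the file, not a compromise of the server.
    public static string FromWebConfig(string name)
    {
        ConnectionStringSettings entry = ConfigurationManager.ConnectionStrings[name];
        if (entry == null)
            throw new ConfigurationErrorsException("No connection string named '" + name + "'.");
        return entry.ConnectionString;
    }

    // The database-side half of integrated security: grant the pool identity
    // access instead of creating a SQL login whose password has to be stored.
    // (T-SQL, pool name is a placeholder; run once by a DBA, shown here as text.)
    public const string GrantPoolIdentitySql =
        "CREATE LOGIN [IIS APPPOOL\\YourApp] FROM WINDOWS;\n" +
        "USE [DVwhatever];\n" +
        "CREATE USER [IIS APPPOOL\\YourApp] FOR LOGIN [IIS APPPOOL\\YourApp];\n" +
        "ALTER ROLE db_datareader ADD MEMBER [IIS APPPOOL\\YourApp];";

    public static void Main()
    {
        // Constructed sample: server/database come from the question, the
        // login is a placeholder that never corresponds to a real account.
        const string legacy =
            "Server=DVSTL;Database=DVwhatever;Min Pool Size=2;User ID=app_user;Password=PLACEHOLDER";

        Console.WriteLine("legacy carries credentials: " + HasEmbeddedCredentials(legacy));
        string hardened = ToIntegratedSecurity(legacy);
        Console.WriteLine("hardened: " + hardened);
        Console.WriteLine("hardened carries credentials: " + HasEmbeddedCredentials(hardened));
    }
}
```

SqlConnectionStringBuilder normalises the keywords, so the hardened string comes back with Data Source / Initial Catalog / Integrated Security=True rather than the Server / Database spelling used in the question; both forms are accepted by SqlConnection. The audit is worth running over every environment's configuration, since the question mentions one XML file per environment.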
Camillia (author) commented:
Thanks. Going to send the response to the team today. All makes sense.