3

I am accessing an SQL Server database using Windows Authentication.

  1. Do I need to encrypt the connection string in the web.config?
  2. Does the name of the connection string (or database) matter in terms of security? (viz: ApplicationServices)?

2 Answers

3

I disagree with klausbyskov. I would encrypt your connection string regardless. Sure, the server name is really all that is being exposed. But that at least puts a target out there. Encrypting the connection string would remove that target.

Knowing is half the battle.

As far as the connection string name, I'd just keep it vague, and not name it the name of your production database server or anything like that.


2 Comments

I agree. Encrypting web.config sections is cheap and supported by various management tools (unlike, say, encrypting app.config sections...). And there are other benefits besides hiding the server/database names: 1) the connection string cannot be changed in web.config to hijack the application and 2) the fact that SSPI is used is also hidden.
Is it encrypting or obfuscating? If someone can read a web.config, you've lost already, no, because your code is available to reverse engineer?
3
  1. No. It would be useless. When using Windows Authentication your app is connecting as the user that opens the DBConnection from code, typically network service if it's a web app.

  2. No, unless the name is also your domain admin password.

EDIT: In a crazy world where the name of your database server was secret, then maybe it would make sense to encrypt the connection string.
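The disagreement in this thread comes down to what a plaintext `connectionStrings` section actually exposes. The following is an added example, not code from either answer: a small audit that reports, per connection string, whether it relies on integrated security, whether it embeds a password, and which server/database fields are readable. The sample web.config, its server and database names, and the function names are constructed for illustration, and a root element without an XML namespace is assumed.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config (server, database and account names are made up).
SAMPLE_WEB_CONFIG = """<configuration>
  <connectionStrings>
    <add name="ApplicationServices"
         connectionString="Data Source=SQLPROD01;Initial Catalog=Orders;Integrated Security=SSPI" />
    <add name="Reporting"
         connectionString="Server=SQLPROD02;Database=Reports;User Id=report_user;Password=example-only" />
  </connectionStrings>
</configuration>"""

SECRET_KEYS = {"password", "pwd"}
LOCATION_KEYS = {"data source", "server", "address", "addr", "network address",
                 "initial catalog", "database"}
INTEGRATED_KEYS = {"integrated security", "trusted_connection"}


def parse_connection_string(value):
    """Split 'k=v;k=v' into a dict (simplified: no quoted values containing ';')."""
    pairs = (part.split("=", 1) for part in value.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}


def audit_web_config(xml_text):
    """Return one finding per connection string, or a single 'encrypted' finding."""
    section = ET.fromstring(xml_text).find("connectionStrings")
    if section is None:
        return []
    # A protected section carries configProtectionProvider and holds EncryptedData.
    if section.get("configProtectionProvider"):
        return [{"name": None, "encrypted": True, "exposes": [], "has_secret": False}]
    findings = []
    for add in section.findall("add"):
        fields = parse_connection_string(add.get("connectionString", ""))
        integrated = any(fields.get(k, "").lower() in ("sspi", "true", "yes")
                         for k in INTEGRATED_KEYS)
        findings.append({
            "name": add.get("name"),
            "encrypted": False,
            "integrated": integrated,
            "has_secret": any(k in fields for k in SECRET_KEYS),
            "exposes": sorted(k for k in fields if k in LOCATION_KEYS),
        })
    return findings


if __name__ == "__main__":
    for finding in audit_web_config(SAMPLE_WEB_CONFIG):
        print(finding)
```

For the Windows Authentication entry the audit reports no embedded secret, only the server and database names, which is the exposure the two answers weigh differently.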
