Database Connection Strings...

[tealmad]

Hi.

I have a few questions as to how I should be working with my MSSQL 2005 connection strings in my VB.NET 2005 applications. My colleagues and I question the best methods to be used when dealing with connection strings.

Currently we have a multiple location environment that has time clock stations. The time clock stations write to the local database on the pc's in which they reside. However, we have developed some services that collect the records from each time clocks database. The services reside on an application server completely seperate from the time clock stations and write the collected data to a Central Database server.

My question is, what would be the proper way to pass connection data for each database that we collect data from? We would prefer a secure method obviously. Is a trusted connection the best method to use? Of not, when we pass the user id and the password for each database, along with the server name and catalog, to our connection class, is it a preferred method to encrypted and then decrypted the connection string? What is the best/most secure method?

Any comments on this thread would be appreciated.

Thanks,

Gregg
VB.NET 2005 Developer

 

[DiskJunky]

well ideally, you'd encrypt the details using and industrial standard encryption algorithm (there's several on offer within the framework), send it across a secure connection for preference and then decrypt it. Strictly speaking there's no way of preventing the connection string from being stored on the hard drive in the page file but I'd be more worried about transmission than anything else. Encrypting before sending would be the best way if there's any reasonable chance the transmission could be intercepted. Best practice would be to encrypt it anyway to eliminate the possibilty of an internal attack as a signifigant portion of attacks a company suffers original from the inside, sometimes by disgruntled employees. Sad but true.