Secure ConnectionString in WinForm Applications


Problem description

How Can I Secure my ConnectionString in WinForm Application?

Solution

You can't. Although you can encrypt the connection string in the app.config file, the application needs to be able to decrypt it and it is therefore always possible to retrieve the unencrypted connection string, especially with a managed application (perhaps not for your typical end user, but any skilled developer can do this).

The solution to this is to not lean on security by obscurity. Use Windows Integrated Security when connecting to the database using the Windows user account and give the user the minimum amount of rights in the database.

Often though that is still not enough, because it is very hard to secure the database enough when end users are directly connected to the database (often because you need row level security). For this to work you need to deny access to tables and views and completely fall back to stored procedures.

A better approach, however, is to prevent the desktop application from communicating directly with the database; use a web service as an intermediate layer. In that case you have full control over the security and you can store the connection string securely on the (web) server.
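
The least-privilege setup described in the answer, as an added T-SQL example that is not part of the original post. The database, table, Windows group, role and procedure names are all assumed for illustration.

```sql
-- Assumed names (not from the original answer): database SalesDb, table dbo.Orders,
-- Windows group CONTOSO\SalesUsers, role app_users, procedure dbo.GetMyOrders.
USE SalesDb;
GO

CREATE TABLE dbo.Orders (
    OrderId    INT IDENTITY PRIMARY KEY,
    OwnerLogin SYSNAME       NOT NULL,  -- Windows account that owns the row
    OrderDate  DATE          NOT NULL,
    Total      DECIMAL(10,2) NOT NULL
);
GO

-- Windows Integrated Security: the login is the Windows group, so the client
-- holds no password that could be recovered from app.config.
CREATE LOGIN [CONTOSO\SalesUsers] FROM WINDOWS;
GO
CREATE USER [CONTOSO\SalesUsers] FOR LOGIN [CONTOSO\SalesUsers];
GO
CREATE ROLE app_users;
GO
ALTER ROLE app_users ADD MEMBER [CONTOSO\SalesUsers];
GO

-- Deny direct table access, whatever client tool the user connects with.
DENY SELECT, INSERT, UPDATE, DELETE ON dbo.Orders TO app_users;
GO

-- Row-level filtering lives in the stored procedure. Because dbo owns both the
-- procedure and the table, ownership chaining lets the procedure read the
-- table even though the caller is denied on it.
CREATE PROCEDURE dbo.GetMyOrders
AS
BEGIN
    SET NOCOUNT ON;
    SELECT OrderId, OrderDate, Total
    FROM dbo.Orders
    WHERE OwnerLogin = ORIGINAL_LOGIN();  -- account that opened the connection
END;
GO

GRANT EXECUTE ON dbo.GetMyOrders TO app_users;
GO

-- Client connection string then carries no secret (server name is a placeholder):
--   Server=<server>;Database=SalesDb;Integrated Security=SSPI;
```

A user who extracts the connection string and connects with another client still reaches only `dbo.GetMyOrders`, and only rows whose `OwnerLogin` matches their own Windows account.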
