连接字符串中的用户名和密码如何安全? [英] How secure the user name and password in the connection string?
问题描述
在开发Windows应用程序时:
-
如何在连接字符串中保护用户名和密码?
-
像银行这样的组织,是否会将数据库的用户名和密码提供给应用程序开发人员?
-
这些应用程序开发人员通常如何编写数据库连接?
在连接字符串中保护用户和密码的行业标准是什么?
谢谢
- 如何在连接字符串中保护用户名和密码?
要么使用Windows身份验证消除连接字符串中密码的需要,要么使用以下一项或多项的组合:
-
加密,例如使用受保护的配置。
-
限制访问配置文件,例如
请注意,上述技术对于服务器应用程序(例如ASP.NET)可以很好地访问只能将服务器限制为授权管理员。
请注意,仅加密本身是不够的:它只是取代了控制问题通过控制对加密密钥的访问来访问纯文本配置文件。使用受保护的配置时,您需要决定如何限制对用于加密配置文件的加密密钥的访问。
2。
像银行这样的组织,他们会向应用程序开发人员提供数据库的用户名和密码吗?
通常,这些应用程序开发人员通常如何编写数据库连接?通常,只有开发人员才能获得访问开发中数据库的凭据/测试环境。
3。
在连接字符串中保护用户和密码的行业标准是什么?
没有行业标准,但请参阅问题1的答案。
when developing windows applications:
How I secure the user name and password in the connection string?
Organizations like banks, would they give out the user name and password of their DB to application developers? if not typically how those applications developers write the DB Connections?
What is the industry standard to secure user and password in the connection string?
thanks
- How I secure the user name and password in the connection string?
Either use Windows authentication to eliminate the need for a password in the connection string, or use a combination of one or more of:
Encryption, e.g. using Protected Configuration.
Restrict access to the configuration file, e.g. using an ACL.
Note that the above techniques work well for server applications (e.g. ASP.NET), where access to the server can be restricted to authorized administrators. It doesn't work well for client-side applications that directly access a database.
Note also that encryption on its own is not sufficient: it simply replaces the problem of controlling access to a plaintext configuration file by the problem of controlling access to encryption keys. When using Protected Configuration, you need to decide how to restrict access to the encryption keys used to encrypt your configuration file.
2. Organizations like banks, would they give out the user name and password of their DB to application developers? if not typically how those applications developers write the DB Connections?
In general developers will only be given credentials to access databases in a development / test environment. Access to production databases will be restricted.
3. What is the industry standard to secure user and password in the connection string?
There is no "industry standard", but see answer to question 1.
这篇关于连接字符串中的用户名和密码如何安全?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!