使用Windows .NET或ASP.NET应用程序时在哪里存储数据库密码 [英] Where to store db passwords when using Windows .NET or ASP.NET applications
问题描述
我有一个困扰我多年的情况.如果必须使用用户名和密码连接到数据库或其他服务(例如Web服务),那么如果通过.NET程序集进行连接,那么在哪里最安全的存储此信息的位置呢?我知道您必须对密码进行加密,但是随后您遇到了一种鸡蛋"问题-很好-您可以对其进行加密,但是将密钥放在哪里?
I have a scenario that has been troubling me for years. If you have to connect to a database or other service (like a web service) using a username and password, where would be the safest place to store this information if you are connecting through a .NET assembly? I understand that you would have to encrypt the password, but then you run into a kind of chicken-egg problem -- fine -- you can encrypt it, but then where do you put the key?
在.NET中,您无法对密码进行硬编码,因为您可以反编译.NET代码.
In .NET, you can't hard-code the password because you can decompile .NET code.
我研究过在基于隔离的存储中使用基于程序集的权限,但是MS建议不要在此处存储未加密的秘密项目,因为特权用户可以访问,因此,再次,我们将问题从A点移到了B点.例如,无需知道数据库中信息的域管理员便能够获得访问权限,因为它可以成为域中任何工作站上的管理员.
I looked at using assembly based rights with Isolated Storage, but MS recommends against storing unencrypted secret items there because privileged users can gain access, so again, we are moving the problem from point A to point B. So, for example, a domain admin with no need to know about the information in a database would be able to get access because of the ability to be an admin on any workstation on the domain.
您可以加密应用程序.Config和Web.Config,但我相信特权用户可以访问密钥.
You can encrypt the App. Config and Web.Config, but I believe privileged users can access the keys.
我认为您在使用DPAPI时遇到了同样的问题.
I think you run into the same problem with DPAPI.
我曾考虑过将密码加密并存储在远程数据库中,并通过OS身份验证来获取密码,但是我们部门禁止将密码存储在数据库服务器上.我很确定自己被卡住了,想要确认.
I had considered storing the passwords, encrypted in a remote database, and getting them through OS authentication, but our department prohibits the storage of passwords on database servers. I am pretty sure I am stuck and wanted confirmation.
推荐答案
您不想将密码存储在程序集中,并且重新发明密码只会带来更多麻烦(并引入更多漏洞),其价值不菲.如果您同时在数据库和Web服务器上使用MS平台,则处理此问题的最简单方法是
You don't want to store the password in the assembly, and reinventing the wheel only creates more trouble (and introduces more vulnerabilities) than it's worth. If you are using MS platform on both the database and web server, then the easiest way to handle this is use a trusted connection, and grant rights on the SQL server to the identity your application is using.
第二,我只是让DPAPI进行加密您的连接设置.
这篇关于使用Windows .NET或ASP.NET应用程序时在哪里存储数据库密码的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
