app.config 中的 ConnectionStrings.安全呢? [英] ConnectionStrings in app.config. What about security?

问题描述

将带有密码的连接字符串放在 app.config 文件中真的是一件好事吗?

Is it really a Good Thing to put connection strings with passwords in the app.config file?

在我看来，app.config 没有以任何方式加密，密码信息很容易读取.

It seems to me that the app.config is not encrypted in any way and the password information can be easily read.

我有一个应用程序可以访问数据库，但目标最终用户没有对其进行身份验证.使用组用户/密码.仅当当前 Windows 用户在 Active Directory 组中时，应用程序才会启动.因此，一旦进入应用程序，用户就可以使用组用户连接到数据库.

I have an app which accesses a database for which the intended end-user have no authentication. A group user/password is used. The application only starts if the current windows user is in an Active Directory group. So, once in the app, the user is allowed to connect to the DB using the group user.

处理此类连接字符串的正确方法是什么?将它们隐藏在源代码中?

What would be the correct way to handle such connection strings? Hide them in the source code?

注意这是一个独立的应用程序 - 不是 ASP、IIS 等

NOTE this is for a stand-alone app - not ASP, IIS etc

这对我有用

(感谢 Jon Galloway - http://weblogs.asp.net/jgalloway/archive/2008/04/13/encrypting-passwords-in-a-net-app-config-file.aspx)

(thanks to Jon Galloway - http://weblogs.asp.net/jgalloway/archive/2008/04/13/encrypting-passwords-in-a-net-app-config-file.aspx)

private void EncryptConfigSection()
{
    Configuration config = ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
    ConfigurationSection section = config.AppSettings;
    if (section != null)
    {
        if (!section.SectionInformation.IsProtected)
        {
            if (!section.ElementInformation.IsLocked)
            {
                section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");
                section.SectionInformation.ForceSave = true;
                config.Save(ConfigurationSaveMode.Full);
            }
        }
    }
}

这是通过在应用程序第一次运行时加密 exe 配置文件来实现的.我还没有找到在安装过程中执行此操作的方法，因此在第一次启动应用程序之前，配置文件是完全可读的.也许有人有想法...

This works by encrypting the exe config file the first time the app runs. I haven't found a way of doing this as part of the installation process so the config file is fully readable until the app is started for the first time. Perhaps someone has an idea...

推荐答案

您可以加密部分 app.config 或 web.config 文件，请参阅 例如这篇文章了解更多信息.

You can encrypt parts of the app.config or web.config file, see for example this post for more information.

具体来说，这篇 MSDN 文章保护连接字符串的各种方法.

Specifically, this MSDN article walks through various ways of securing connection strings.

这篇关于app.config 中的 ConnectionStrings.安全呢?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！