Prevent hacking of connection string over the internet
-
An SQL server should never be directly exposed to the internet. You normally expose the database functionality through a securable web service and your application talks to the web service to handle all the database work.
Asking questions is a skill CodeProject Forum Guidelines Google: C# How to debug code Seriously, go read these articles.
Dave Kreskowiak
Dave Kreskowiak wrote:
An SQL server should never be directly exposed to the internet. You normally expose the database functionality through a securable web service and your application talks to the web service to handle all the database work.
Ok, can you point me to a webpage or post regarding how to go about this? I am sorry if my questions appear rather naive but this is the first time I am going about this whole thing. Khalid.
-
Any tutorials on "VB.NET create web api". Then you need the client side, so "VB.NET consume web api".
Dave Kreskowiak
-
Dave Kreskowiak wrote:
An SQL server should never be directly exposed to the internet
Sort of. SQL Azure is accessible over the internet.
-
Hello, I am making a VB.NET forms application and need to connect with SQL Server over the internet using the following connection string:
Data Source=190.190.200.100,1433;Network Library=DBMSSOCN;Initial Catalog=myDataBase;User ID=myUsername;Password=myPassword;
From what I could glean from the internet, apparently this kind of connection string is vulnerable to being hacked. Thus what should I do to encrypt this string and also enable decryption only at the remote server. Whenever I search the internet, I only come across ways to encrypt web.config and app.config. This apparent security flaw does not seem to be covered anywhere. Thanks in advance, Khalid.
Member 15377440 wrote:
this kind of connection string is vulnerable to being hacked
Not sure what you are asking. 1. Is the string able to be hacked? No, because it sits in app.config and hopefully you have that on a secure server. 2. Can the SQL server be hacked? Yes, anything can be hacked. But, you can certainly secure it. Sql Azure is accessible via IP address. Is your sql server not in the same place as where your forms application will be running?
-
Dave Kreskowiak wrote:
An SQL server should never be directly exposed to the internet
Sort of. SQL Azure is accessible over the internet.
True, but your normal SQL Server doesn't have the defenses in front of it like an Azure SQL instance does.
Dave Kreskowiak
-
Member 15329613 wrote:
1. Is the string able to be hacked? No, because it sits in app.config and hopefully you have that on a secure server.
If I am understanding this correctly, my app.config file will be on my development/deployment machine. Should not be an issue as long as I am accessing my SQL Server database on the same machine. My fear is that if I want to keep my SQL Server database in the cloud and try to connect with it through a connection string, that string could easily be read by a third party over the internet. Thus, how do I ensure that my connection string containing the database credentials cannot be hacked while being sent over the internet. If I encrypt the app.config file on my local machine, is that enough to secure this issue. How will the jumbled connection string be de-crypted at the remote server?
Member 15329613 wrote:
Is your sql server not in the same place as where your forms application will be running?
Presently it is on the same machine, but as I said above, my plan is to keep in the cloud eventually. BTW, thank you for addressing my query, else in most cases, people simply write some cryptic answers which lead nowhere!
-
Member 15377440 wrote:
If I encrypt the app.config file on my local machine, is that enough to secure this issue.
NO! Not even close. Think about it. If your code can decrypt the connection string, so can someone else.
Dave Kreskowiak
-
If you deploy your database to Azure SQL, for example, it will be secure. You only need to encrypt your app.config if you are worried about someone getting onto the machine that has your app.config. When .Net code makes the connection using the connection string it does it in a secure manner. You do not need to do more.
-
Member 15329613 wrote:
When .Net code makes the connection using the connection string it does it in a secure manner. You do not need to do more.
Ok, so does this mean that if I deploy the database on some other platform, I have to take additional measures to secure the connection string or does .NET code ensure this security in all cases? And if it does not secure the string for other platforms (other than Azure), what measures do I need to take to prevent such a hack on the connection string?
-
The string is secure as long as no one can get to the machine. If you put your database out on the internet with your own install of sql you'll have to google how to secure it. If you use Sql Azure, it is already secured but there are additional securities you can add to it.
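Added example, not posted by anyone in the thread: a VB.NET check over the connection string from the original question that reports the settings governing what is protected in transit and at rest, then rewrites the string so TLS and server-certificate validation are requested. `Encrypt` and `TrustServerCertificate` are SqlClient connection string keywords; the module and function names are made up for illustration.

```vb
Imports System
Imports System.Collections.Generic
Imports System.Data.Common

Module ConnectionStringAudit
    ' Reports transport and credential settings of a SqlClient connection string.
    Function Audit(connectionString As String) As List(Of String)
        Dim b As New DbConnectionStringBuilder()
        b.ConnectionString = connectionString   ' keys are matched case-insensitively
        Dim findings As New List(Of String)()
        If Not HasValue(b, "Encrypt", "True", "Yes", "Mandatory", "Strict") Then
            findings.Add("Encrypt is not enabled in the string (System.Data.SqlClient defaults to False)")
        End If
        If HasValue(b, "TrustServerCertificate", "True", "Yes") Then
            findings.Add("TrustServerCertificate=True: the server certificate is not validated")
        End If
        If b.ContainsKey("Password") OrElse b.ContainsKey("Pwd") Then
            findings.Add("A SQL login password is stored in the string in clear text")
        End If
        Return findings
    End Function
    ' Returns the same string with TLS and certificate validation requested.
    Function Harden(connectionString As String) As String
        Dim b As New DbConnectionStringBuilder()
        b.ConnectionString = connectionString
        b("Encrypt") = "True"
        b("TrustServerCertificate") = "False"
        Return b.ConnectionString
    End Function
    ' True when the key is present and holds one of the accepted values.
    Private Function HasValue(b As DbConnectionStringBuilder, key As String, ParamArray accepted() As String) As Boolean
        Dim raw As Object = Nothing
        If Not b.TryGetValue(key, raw) Then Return False
        Dim text As String = Convert.ToString(raw).Trim()
        For Each candidate As String In accepted
            If text.Equals(candidate, StringComparison.OrdinalIgnoreCase) Then Return True
        Next
        Return False
    End Function

    Sub Main()
        ' Connection string from the original question (its own placeholder values).
        Dim posted As String = "Data Source=190.190.200.100,1433;Network Library=DBMSSOCN;Initial Catalog=myDataBase;User ID=myUsername;Password=myPassword;"
        For Each finding As String In Audit(posted)
            Console.WriteLine("FINDING: " & finding)
        Next
        Console.WriteLine("HARDENED: " & Harden(posted))
    End Sub
End Module
```

With `TrustServerCertificate=False` the connection fails unless the server presents a certificate the client machine trusts, so the server side needs a properly issued certificate for the hardened string to work.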