Home | Contact Us | FAQ | Search & Site Map | Link to Us
Sign In | Join | Other 45 Sites in Network
HomeAnnouncementsFree MagazinesWhite PapersSubmit Content
Discussion GroupsASP.NETWindows FormsLanguages.NET FrameworkVisual Studio.NET
Articles.NET FrameworkASP.NETToolsWindows Forms
.NET DirectoryOpen Source ProjectsUser GroupsWeb Resources
Related Topics
Visual Basic 6SQL ServerMS AccessOther DB ProductsMS Server ProductsMore Topics ...
.NET Forum / Windows Forms / WinForm General / March 2006

Tip: Looking for answers? Try searching our database.

How to protect ADO.NET connection string under WindowsForms?

Thread view: 
Enable EMail Alerts  Start New Thread
Thread rating: 
MilanB - 25 Feb 2006 08:22 GMT
Hello

I build WindowsForm application, that use MS Access database. I wish to
protect AccessDB password that I use in connection string. Application will
be used by final users and customers.

I understand that .NET framework application is easy to decompile and trace
it's variables. So how to hide or protect connection string from easy
disrupt, and reading DB password.

Thanks
MilanB
Reply to this Message
Cerebrus - 26 Feb 2006 06:29 GMT
Hi MilanB,

If you were using SQL Server, I would suggest that you check out this
article by Microsoft : (You might still find something useful at the site)

http://www.governmentsecurity.org/articles/MicrosoftDatabaseSecurity.php

If you were using ASP.NET, I would suggest that you use an encrypted string
in the Web.Config file. But as for Windows Forms... ?

... I'm not sure how to implement such security with MS Access.

P.S : I think this is a very pertinent question, so if you don't mind, my
reply is also posted to the "microsoft.public.dotnet.security " newsgroup to
get the views of the experts who watch that group.

Regards,

Cerebrus.

> Hello
>
[quoted text clipped - 8 lines]
> Thanks
> MilanB
Reply to this Message
MilanB - 26 Feb 2006 06:43 GMT
Thanks Cerebrus
Reply to this Message
Dinis Cruz - 31 Mar 2006 18:34 GMT
Ultimately be aware that there is no way you can securely protect those
connection strings from a semi-skilled attacker which has access to
client application.

Ultimately that string will need to be decrypted and passed to whatever
Access database driver you are using.

Even if you obfuscate your .Net code, I could easily grab those
credentials by hooking (in C++ / Assembly) the relevant methods.

Dinis Cruz
Owasp .Net Project
www.owasp.net

> Hi MilanB,
>
[quoted text clipped - 30 lines]
>> Thanks
>> MilanB
Reply to this Message

 Rate this thread:







Free Magazines

Get these publications absolutely FREE for up to 12 months. There are no hidden fees and no obligation. Simply choose a title, complete the application form and submit it. Read more ...

Oracle MagazineNetwork ComputingComputer WorldBio-IT WorldeWeekInformation WeekInfosecurity
 
Sign In
Join
My Latest Posts
My Monitored Threads
My Blog
My Photo Gallery
My Profile
My Homepage
Start New Thread
Enable EMail Alerts
Rate this Thread



©2008 Advenet LLC   Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.