How to keep multiple accessString passwords safe, separate and easy to deploy?

I know that there are already a lot of questions on this topic (I read as much as I could find), but I still could not figure out how best to satisfy my specific criteria. Here are the goals:

  • The ASP.NET application will run on several different web servers, including localhost workstations for development. This means that encryption of web.config using a machine key is missing. Each "type" of web server environment (dev, test, prod) has its own corresponding database (dev, test, prod). We want to separate these connection strings so that a developer working on the "dev" code cannot see any "prod" connection string passwords, and so that these production passwords can never be deployed to the wrong server or transferred to SVN.

  • The app will be able to decide what connection string to try to use based on the name of the server (using a switch statement). For example, “localhost” and “dev.example.com” will know to use DevDatabaseConnectionString, “test.example.com” will use TestDatabaseConnectionString, and “www.example.com” will for example use ProdDatabaseConnectionString. The reason for this is to limit the likelihood of deployment accidents when the wrong type of web server connects to the wrong database.

  • Ideally, the same executables and web.config should be able to run in any of these environments, without having to configure each environment separately each time we deploy (something like this would be easy to forget / mess up one day during deployment, so we moved away from one connection string, which must be changed for each purpose). Deployment is currently done via FTP. Update: Using "build events" and revising our deployment procedures is probably not a bad idea.

  • We will not have access to the command line for the web server. This means using aspnet_regiis.exe to encrypt the web.config file. Update: we can do this programmatically to make this issue moot.

  • , , web.config( db.config - ), , .

  • . ( , DevDatabaseConnectionString, ?), , . , RSA . ( № 3 , , , , , , , - --- !)

  • UPDATE/ADDENDUM: -: - ASMX, ASPX Web Forms MVC. , , , , . (, DAL .)

, , , ( "" -), , , , , .

!

+3
3
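A fail-closed version of the server-name switch described in the question, as an added example that is not part of the original post. The class and method names are hypothetical; the host names and connection string names are the ones quoted in the question.

```csharp
using System;
using System.Collections.Generic;

// Added example: maps a server name to the NAME of a connection string.
// It never falls back to a default, so an unmapped server gets no database.
public static class ConnectionStringSelector
{
    // Exact-match allow-list, case-insensitive. No wildcard or suffix
    // matching, so a look-alike host name cannot resolve to production.
    private static readonly Dictionary<string, string> HostToName =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "localhost",        "DevDatabaseConnectionString"  },
            { "dev.example.com",  "DevDatabaseConnectionString"  },
            { "test.example.com", "TestDatabaseConnectionString" },
            { "www.example.com",  "ProdDatabaseConnectionString" },
        };

    // serverName should be a value the server controls (assumption: machine
    // name or site binding), because the HTTP Host header is client-supplied.
    public static string ResolveName(string serverName)
    {
        if (string.IsNullOrWhiteSpace(serverName))
            throw new InvalidOperationException("Server name is empty; refusing to pick a database.");

        string host = serverName.Trim().TrimEnd('.'); // tolerate a trailing FQDN dot
        string name;
        if (!HostToName.TryGetValue(host, out name))
            throw new InvalidOperationException("Unmapped server '" + host + "'; refusing to pick a database.");
        return name;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample inputs; the last one is deliberately unmapped.
        string[] hosts = { "LOCALHOST", "test.example.com", "www.example.com.", "staging.example.com" };
        foreach (string host in hosts)
        {
            try { Console.WriteLine(host + " -> " + ConnectionStringSelector.ResolveName(host)); }
            catch (InvalidOperationException ex) { Console.WriteLine(host + " -> REFUSED: " + ex.Message); }
        }
    }
}
```

The returned name would then be looked up in whatever configuration store holds the actual connection strings, which is the part the question is asking how to protect.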

/ Windows . , , , web.config. , , , , .

, ( ), web.config, : http://www.devx.com/vb2themax/Tip/18880

, web.config, - , .

+3
  • - . , , .

..

, , - , ​​ . , , , ( ). , (, , ..), , /.

, ( ?) .

+1

(-, , , 2 3 " " , ! ...)

(, ), "" web.config ( aspnet_iisreg) , , , , . , - , web.config, , , ASPX , " " . ; well… , ! 1

, DLL, , , - ILDASM. 2 security , , Dotfuscator, "". , - (, , ), , .

, , , , SVN: .config, SVN, (!) . Web.config , . --- I'm --- , , , , , , .

, ( ), . () - , , Encryptinator (TM)! , --- "db.config". db.config . dll dALs, ( !) - Dotfuscator. , , , .

I'm "DbKey", DLL SVN . . "db.config" , , . . db.config ( SVN) .

, ( ?), , - post-it , , . I've " " , , , , " Try!".


1. 15 http://www.dotnetcurry.com/ShowArticle.aspx?ID=185 - , ! - , , web.config ? web.config Protected Configuration ?

2. Good discussion and food for thought on another issue, but very related concepts here: Safe password storage in program code? - what really struck home is the Pidgin FAQ related to the chosen answer: if someone has your program, they can get their secrets.

+1

Source: https://habr.com/ru/post/1749500/

