如何安全地存储和访问连接字符串详细信息?
我目前正在开发一个 ASP.NET MVC 网站,并且需要将数据库集成到该网站中。
通常,我只需将适当的连接字符串添加到 Web.config 文件中即可:
<add name="MainDB"
connectionString="Server=localhost; Database=TopSecretData; User Id=Joe;
password=password" providerName="System.Data.SqlClient" />
但是,如果我将用户 ID 和密码保留在 Web.config 中,显然存在明显的安全缺陷>,特别是当它处于源代码控制之下时。
简而言之:如何存储我的连接字符串详细信息而不公开可见?
I'm currently working on a ASP.NET MVC web site, and I've come up to a point where I need to integrate a database into the website.
Normally I would simply add the appropriate connection string to the Web.config file:
<add name="MainDB"
connectionString="Server=localhost; Database=TopSecretData; User Id=Joe;
password=password" providerName="System.Data.SqlClient" />
But there's obviously a glaring security flaw if I leave my User Id and password right in the Web.config, especially when it's under source control.
In short: How can I store my connection string details without having it publicly visible?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(5)
最佳实践是加密您的连接字符串部分。使用 aspnet_regiis.exe,它可以在各个地方找到:
之前:
运行此命令:
或者,如果上述命令不起作用(并且您获得了 aspnet_regiis 帮助文本),请尝试
其中“6”是 IIS 中报告的站点 ID。
之后:
现在是乱码了,无法编辑。
像这样解密:
或者
然后更改并重新加密。
要读取连接字符串,请使用 ConfigurationManager 静态类。
Best practice is to encrypt your connection strings section. Use aspnet_regiis.exe, which can be found in various places:
Before:
Run this command:
Or, if the above command doesn't work (and you get the aspnet_regiis help text), try
where the "6" is the ID of the site as reported in IIS.
After:
Now that it is garbled, you can't edit it.
Decrypt like this:
Or
And then change and re-encrypt.
To read the connection string, use the ConfigurationManager static class.
一种方法是使用数据库提供的任何集成安全性,因此密码不是问题。服务器无需使用密码即可直接访问服务器,但您必须设置一个只能从 Web 服务器本身进行访问的用户。
例如。像 MySQL 这样的数据库允许您指定哪些服务器可以访问它,限制从其他任何地方的访问 - 因此除了 Web 服务器之外,黑客无法访问您的数据库。这大大减少了安全面,并允许您将连接字符串文件存储在 SCM 中。
它仍然不是 100% 安全,因为黑客可以(通常很容易)破解您的 Web 服务器并从中查看数据库。您可以将密码存储在其他地方,但这只是掩盖了问题 - 如果网络服务器可以访问密码,那么您的黑客也可以。 (请注意,存储密码的其他位置包括注册表、单独的文件(例如 .udl 文件或 /etc 中的其他文件)。您可以保护此文件,以便只有 Web 服务器用户可以读取它,但被黑客攻击的 Web 服务器显然可以读取它!
因此,下一步是抽象数据库连接,使其位于 Web 服务器之外,通常的方法是有一个单独的进程来存储公开固定方法的业务逻辑(例如服务) - Web 服务器只需调用该服务完成工作并将数据返回到 Web 服务器代码。
如果黑客攻陷了您的网络服务器,他们所能做的就是调用服务上的方法,他们将无法直接访问数据库,因此无法损坏或修改它。通常,黑客很少会了解到服务方法是什么或做了什么,并且服务会对所有输入都有相当数量的验证代码,因此黑客创建的消息将(希望)被拒绝。 (使用时间戳、计数器等来尝试击败向服务发送的定制消息)。
这是我们用于高安全性系统的方法(您可以采取更多措施来使用标准操作系统安全机制来保护该链的每个部分)。当我们的安全小伙子演示了 IIS 黑客攻击并为他提供了具有管理员权限的远程 shell 后,我们就清楚了这样做的原因。如果黑客得到了这些信息,那么无论你采取什么措施来保护网络服务器上的配置都是毫无意义的。 (而且这很容易做到——自从修复以来,但一直都在发现 0day 漏洞)
One approach is to use whatever integrated security your DB offers, so the password is not an issue. The server gets direct access to the server without having to use a password, but you have to set up a user that only has access from the web server itself.
eg. DBs like MySQL allow you to specify which servers have access to it, restrict access from anywhere else - so a hacker cannot get to your DB except from the web server. This reduces the security surface quite a lot and allows you to store your connection string files in your SCM.
Its still not 100% secure as the hacker could (often easily) hack your web server and view the DB from it. You could store the password elsewhere, but that's just obscuring the problem - if the web server can get access to the password, your hacker can too. (note, other places to store the password include the registry, a separate file like a .udl file or something in /etc). You can secure this file so only the web server user can read it, but a hacked web server can obviously, read it!
So the next step is to abstract the DB connection so it is outside the web server, the usual method is to have a separate process to store your business logic (eg a service) that exposes fixed methods - the web server simply calls the service which does the work and returns data to the web server code.
If a hacker defeats your web server, all they can do is call methods on the service, they would not have direct access to the DB so could not corrupt or modify it. Usually there would be few hints to the hacker of what the service methods were or did, and the service would have a fair amount of validation code to all inputs so a hacker-created message would (hopefully) be rejected. (use timestamps, counters, etc to try to defeat custom-crafted messaged to the service).
This is the approach we used for a high-security system (there's a lot more you can do to secure each segment of this chain using standard OS security mechanisms). The reasons for doing this became very clear to us once our security chap demonstrated a IIS hack that gave him a remote shell with admin privileges. Whatever you do to secure your configs on the web server is pointless if a hacker gets that. (and it was trivially easy to do - since fixed, but there are 0-day exploits being found all the time)
也许您想研究加密您的连接字符串:
http://chiragrdarji.wordpress。 com/2008/08/11/how-to-encrypt-connection-string-in-webconfig/
(文章有点旧了)
Maybe you wanna look into encrypting your connection string:
http://chiragrdarji.wordpress.com/2008/08/11/how-to-encrypt-connection-string-in-webconfig/
(article is a bit old)
常见的方法包括加密 web.config 和将连接字符串存储在注册表中。
第二个链接是一篇篇幅更大的文章的一部分,该文章介绍了如何正确保护 ASP.NET 应用程序的安全。它是为 WebForms 编写的,但原理是相同的。这是一本很好的读物,其中的大部分内容今天仍然适用,尽管它有点旧了。
Common approaches include encrypting the web.config and storing the connection strings in the registry.
The second link is a part of a much larger article covering how to properly secure an ASP.NET application. It was written for WebForms, but the principles are the same. It's a good read and much of it still applies today, even if it is a bit old.
您可以将加密连接字符串存储在缓存中。缓存服务器故意位于另一台服务器上(此通信可以限制为 1 个端口和 IP 地址,从而更难被黑客攻击)。这将使连接字符串完全脱离网络服务器,即使黑客访问了缓存,它们也会被加密。关键是将字符串加载到缓存中,并且可以远程完成,因此这些连接字符串永远不会写入服务器的硬盘驱动器。该代码仅根据需要解密连接字符串,而不会在变量中保留那些未加密的字符串。
You could store Encrypted Connection strings in cache. The Cache server is on another server on purpose (This communication can be restricted to 1 port and IP address making far harder to be hacked). This will get the connection string completely off the web server and even if a hacker gets access to the cache they are encrypted. The key is the loading of the strings into cache and that can be done remotely, so those connection strings are never written to the hard drive of the server. The code only decrypts the connection strings as needed and never holds on to those unecrypted strings in a variable.