Software FX Community

Security of Connection strings


jhb


Posted

Hi,

I can see myself recommending this to my customers, esp. the cool real-time monitoring type gadgets.

The only concern I have is that the ps1 scripts the users run have exposed the database connection strings.

Has anyone architected a way round this? eg encryption or something?

Cheers,

John

Posted

I am assuming that by "exposed the database connection strings" you are talking about the user and password info. When you are using invoke-sql we support 2 scenarios where this information is securely handled

a) Using Windows Authentication: by using your windows credentials your PS1 will contain no user information and you will not get any additional prompts.

b) Using the -credential parameter: Support for this feature was added recently and allows you to specify only the user name, with the PowerShell standard credential handling taking care of prompting for the password. Using this approach will result in an additional prompt for a password but will keep your information confidential.

Note that we could provide a tool to encrypt the connection string but we feel this will give users a false sense of security. In order to decrypt it on any machine we would have to include the private key in our exe so it would be just a matter of time before somebody exposes it and renders this encryption useless.

So if you are coming from the powershell approach we offer 2 secure ways where your password is not compromised. Still there are probably millions of users who stay away from Windows Authentication and reuse a common security credential for all clients. These users can hardcode the password in the PS1 and as long as they keep the PS1 files in a secure location this approach will not expose anything they are not already exposing with the single-credential client app.

Note also that if you are running PS1 scripts, Powershell supports digitally signing those strings to protect you from running scripts from an untrusted source but it does not support encrypting the scripts to protect the information in them.

To summarize we are trying to strike a balance between security and usability and we are hoping we expose this clearly to our customers, most of what I described here also applies to gadgets created using the PowerGadgets creator. If you have any suggestions on how we can improve please let us know.

JuanC
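The two approaches JuanC describes, set beside the hardcoded pattern John is worried about, plus a check that flags scripts which still embed a password, as an added PowerShell example that is not PowerGadgets code; the invoke-sql call in the comment is assumed, since the thread only names its -credential parameter.

```powershell
# Added example, not PowerGadgets code. Server/database names are made up.

# The pattern from the question: the SQL login and password sit in the .ps1,
# readable by anyone who can read the file.
$weakConnection = 'Server=dbhost;Database=Sales;User ID=monitor;Password=Pa55w0rd!'

# Approach a) Windows Authentication: the connection string carries no
# user or password at all; the caller's Windows token is used.
$integratedConnection = 'Server=dbhost;Database=Sales;Integrated Security=SSPI'

# Approach b) SQL login with -credential: only the user name is in the file.
# Get-Credential prompts for the password, which is held as a SecureString
# for this session and never written to the script.
$cred = Get-Credential -UserName 'monitor' -Message 'SQL login for the gadget'
$partialConnection = 'Server=dbhost;Database=Sales'
# invoke-sql -ConnectionString $partialConnection -credential $cred   # assumed invocation

# Caveat matching JuanC's point about encryption: the running user can always
# recover the plaintext, so the protection is against file readers, not the user.
# $cred.GetNetworkCredential().Password   # returns the typed password

# Defender check: list .ps1 files under $Path that embed a password in a
# connection string, so they can be moved to approach a) or b).
function Find-EmbeddedSqlPassword {
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -Path $Path -Filter *.ps1 -Recurse -File |
        Select-String -Pattern '(?i)\b(password|pwd)\s*=\s*[^;''"]+' |
        ForEach-Object {
            [pscustomobject]@{
                File = $_.Path
                Line = $_.LineNumber
                Text = $_.Line.Trim()
            }
        }
}

# Usage: Find-EmbeddedSqlPassword -Path 'C:\Gadgets\Scripts'
```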
