Jump to content
Software FX Community

Security of Connection strings


jhb
 Share

Recommended Posts

Hi,

 I can see myself recommending this to my customers esp. the cool real time monitoring type gadgets.

The only concern I have is that the ps1 scripts the users run have exposed the database connection strings.

Has anyone architected a way round this? eg encryption or something?

 Cheers,

John

Link to comment
Share on other sites

I am assuming that by "exposed the database connection strings" you are talking about the user and password info. When you are using invoke-sql we support 2 scenarios where this information is securely handled

a) Using Windows Authentication: by using your windows credentials your PS1 will contain no user information and you will not get any additional prompts.

B) Using the -credential parameter: Support for this feature was added recently and allows you to specify only the user name with the powershell standard credential handling taking care of prompting for the password. Using this approach will result in an additional prompt for a password but will keep your information confidential.

Note that we could provide a tool to encrypt the connection string but we feel this will give users a false sense of security. In order to decrypt it on any machine we would have to include the private key in our exe so it would be just a matter of time before somebody exposes it and renders this encryption useless.

So if you are coming from the powershell approach we offer 2 secure ways where your password is not compromised. Still there are probably millions of users who stay away from Windows Authentication and reuse a common security credential for all clients. These users can hardcode the password in the PS1 and as long as they keep the PS1 files in a secure location this approach will not expose anything they are not already exposing with the single-credential client app.

Note also that if you are running PS1 scripts, Powershell supports digitally signing those strings to protect you from running scripts from an untrusted source but it does not support encrypting the scripts to protect the information in them.

To summarize we are trying to strike a balance between security and usability and we are hoping we expose this clearly to our customers, most of what I described here also applies to gadgets created using the PowerGadgets creator. If you have any suggestions on how we can improve please let us know.

JuanC

Link to comment
Share on other sites

Check this guy's Nov 4th blog entry (he also has a link to Lee Holmes blog, but not directly to a particular entry):

http://abhishek225.spaces.live.com/

JuanC provides a lot of valuable information.

Other possibilities are using a read-only account as a final resort.  If the account does get compromised, one will be very limited in any damage that might be done.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

×
×
  • Create New...