«

Hello All,

I have an asp.net application hosting in IIS 6.0 which talks to a database
in another DMZ (with firwall installed in between). I know that I can enrypt
and decrypt my connection string into web server's registry instead of plain
text in web.config ,but I was just thinking that once the app want to talk
to database ,does it send the connection string in plain text agian OR I
have to take extra steps to secure that too? Could you please guide me to a
good article explaining this?

Thanks a lot

depends on the database and what is in the connection string. some databases
(say sqlserver) can be configured to connect over ssl, or can't. also is the
username/password in the connect string?

also when you open the firewall for IIS to talk to the database, you might
only allow point to point, and pick a custom port.

-- bruce (sqlwork.com)



"Fariba" <> wrote in message
news:...
> Hello All,
>
> I have an asp.net application hosting in IIS 6.0 which talks to a database
> in another DMZ (with firwall installed in between). I know that I can
> enrypt
> and decrypt my connection string into web server's registry instead of
> plain
> text in web.config ,but I was just thinking that once the app want to talk
> to database ,does it send the connection string in plain text agian OR I
> have to take extra steps to secure that too? Could you please guide me to
> a
> good article explaining this?
>
> Thanks a lot
>
>

Hi Bruce,

Database is sql server .Username and password is in connection string.
Could you please elaborate more on this:
> also when you open the firewall for IIS to talk to the database, you might
> only allow point to point, and pick a custom port.


Thanks a lot for your nice reply.

"Bruce Barker" <brubar_nospamplease_@safeco.com> wrote in message
news:...
> depends on the database and what is in the connection string. some
> databases (say sqlserver) can be configured to connect over ssl, or can't.
> also is the username/password in the connect string?
>
> also when you open the firewall for IIS to talk to the database, you might
> only allow point to point, and pick a custom port.
>
> -- bruce (sqlwork.com)
>
>
>
> "Fariba" <> wrote in message
> news:...
>> Hello All,
>>
>> I have an asp.net application hosting in IIS 6.0 which talks to a
>> database
>> in another DMZ (with firwall installed in between). I know that I can
>> enrypt
>> and decrypt my connection string into web server's registry instead of
>> plain
>> text in web.config ,but I was just thinking that once the app want to
>> talk
>> to database ,does it send the connection string in plain text agian OR I
>> have to take extra steps to secure that too? Could you please guide me to
>> a
>> good article explaining this?
>>
>> Thanks a lot
>>
>>
>
>

Thus wrote Fariba,

> Hello All,
>
> I have an asp.net application hosting in IIS 6.0 which talks to a
> database in another DMZ (with firwall installed in between). I know
> that I can enrypt and decrypt my connection string into web server's
> registry instead of plain text in web.config ,but I was just thinking
> that once the app want to talk to database ,does it send the
> connection string in plain text agian OR I have to take extra steps to
> secure that too? Could you please guide me to a good article
> explaining this?

See http://msdn.microsoft.com/practices/...SecNetch12.asp

Cheers,
--
Joerg Jooss
news-