ravikumar-1532 asked

How to publish winform application

Hello all,

Please guide me on how to publish my WinForms application through Visual Studio 2022. As I have the user ID and password of my SQL database in the app.config file, I need your help to publish my WinForms application in a most secured way.

dotnet-csharp, windows-forms

@ravikumar-1532, Welcome to Microsoft Q&A. You could refer to the Microsoft doc "Deploy a .NET Windows desktop application using ClickOnce" to publish the WinForms app by using ClickOnce. However, I have a question about "publish my winform application in a most secured way". Could you give an example of the secured way?



Hi @JackJJun-MSFT: Thank you so much for your reply. Secure in the sense that the end user mustn't access my app.config file.


@ravikumar-1532, Sorry, I still don't understand what you mean. Is it that all users except you can't access this app.config file? If so, how do you ensure that you can access this app.config file? It will be better for me to analyze your problem to provide an example.


It sounds like your application is not run by trusted users. Better not to expose your database server to them; use a web service as a proxy instead.

karenpayneoregon answered

Addressing app.config security, perhaps the following may assist.

 using System;
 using System.Configuration;
 using System.IO;
    
 namespace SecureConnection
 {
     public class Protection
     {
         public string FileName { get; set; }
         public Protection(string executableFileName)
         {
             if (!(File.Exists(string.Concat(executableFileName, ".config"))))
             {
                 throw new FileNotFoundException(string.Concat(executableFileName, ".config"));
             }
             FileName = executableFileName;
         }
         // Encrypts (encrypt == true) or decrypts (encrypt == false) the
         // connectionStrings section of <fileName>.config in place.
         private bool EncryptConnectionString(bool encrypt, string fileName)
         {
             // Report success only when the section was actually processed;
             // a missing or locked section now returns false.
             bool success = false;

             try
             {
                 Configuration configuration = ConfigurationManager.OpenExeConfiguration(fileName);
                 var configSection = configuration.GetSection("connectionStrings") as ConnectionStringsSection;

                 if (configSection != null && (!configSection.ElementInformation.IsLocked) && (!configSection.SectionInformation.IsLocked))
                 {
                     if (encrypt && (!configSection.SectionInformation.IsProtected))
                     {
                         // Encrypt the section with the Windows DPAPI provider.
                         configSection.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");
                     }

                     if ((!encrypt) && configSection.SectionInformation.IsProtected) // encrypt is false, so decrypt
                     {
                         // Decrypt the section.
                         configSection.SectionInformation.UnprotectSection();
                     }

                     // Write the section back even if nothing else in the file changed.
                     configSection.SectionInformation.ForceSave = true;
                     configuration.Save();

                     success = true;

                 }
             }
             catch (Exception)
             {
                 success = false;
             }

             return success;

         }
         public bool IsProtected()
         {
             var configuration = ConfigurationManager.OpenExeConfiguration(FileName);
             var configSection = configuration.GetSection("connectionStrings") as ConnectionStringsSection;
             return configSection.SectionInformation.IsProtected;
         }
         public bool EncryptFile() => File.Exists(FileName) && EncryptConnectionString(true, FileName);
    
         public bool DecryptFile() => File.Exists(FileName) && EncryptConnectionString(false, FileName);
     }
 }

Bruce-SqlWork answered

Encrypting the appsettings is not a secure solution in this case.

As the encryption must be done on the user machine under their account, it would require that the password be a variable in the program (then why use app settings), or the user enter it, or the app ship with an unencrypted app settings that is encrypted the first time it is used, or the installer program encrypt it. Still not very secure.

Because the user has the key, they can always decrypt it themselves, so at best this is obfuscation.

If you pre-encrypt the appsettings, then the program must have the key stored internally, and thus available via decompiling.

As suggested, the best options are to have the user log in to SQL Server as themselves, or use a web API as a proxy. If you allow them to log in as themselves, you should use stored procs, and have the procs validate their security; the same with the web API.
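
One way to follow the first option above (each user logs in to SQL Server as themselves and reaches data only through stored procedures), shown as an added example that is not part of the original answer. The class and namespace names, the sample connection string, the procedure name `dbo.usp_GetMyOrders` and its `@Status` parameter are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

namespace NoStoredSecretExample
{
    public static class TrustedConnection
    {
        // Constructed sample of what app.config would hold: no User ID, no Password.
        public const string SampleConfigValue = @"Data Source=.\SQLEXPRESS;Initial Catalog=AppDb";

        // Rejects any connection string that embeds SQL credentials and returns
        // one that authenticates as the signed-in Windows user.
        public static string Build(string fromConfig)
        {
            var builder = new SqlConnectionStringBuilder(fromConfig);
            if (!string.IsNullOrEmpty(builder.UserID) || !string.IsNullOrEmpty(builder.Password))
            {
                throw new InvalidOperationException(
                    "Connection string must not contain User ID or Password.");
            }
            builder.IntegratedSecurity = true; // log in to SQL Server as the user
            return builder.ConnectionString;
        }

        // Calls a stored procedure (hypothetical name). The procedure is expected
        // to decide what the caller may see, for example from ORIGINAL_LOGIN(),
        // and the user's login is granted EXECUTE on it but no table permissions.
        public static List<string> GetMyOrders(string connectionString, string status)
        {
            var rows = new List<string>();
            using (var connection = new SqlConnection(connectionString))
            using (var command = new SqlCommand("dbo.usp_GetMyOrders", connection))
            {
                command.CommandType = CommandType.StoredProcedure;
                command.Parameters.Add("@Status", SqlDbType.NVarChar, 20).Value = status;
                connection.Open();
                using (SqlDataReader reader = command.ExecuteReader())
                {
                    while (reader.Read())
                    {
                        rows.Add(reader.GetString(0)); // first column assumed to be text
                    }
                }
            }
            return rows;
        }
    }
}
```

With this shape there is no secret in app.config to protect, so the file can be readable by the end user.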




