Secure ADO.NET Connections

Protecting access to your data source is one of the most important goals when working on the security of your application. To help limit access to your data source it is imperative to keep connection information such as userid, password, data source name, etc. private. The following are guidelines for ensuring that critical connection information is kept private.

Avoid Storing Userids and Passwords in Plain Text

Storing a userid and password in plain text presents a serious vulnerability. If the userid and password are a part of your source code, they are vulnerable if your source code is ever compromised. Even if you supply a compiled version of your code to an external source, your compiled code can be disassembled and the userid and password will be exposed. As a result, it is imperative that critical information such as a userid and password not exist in your code in plain text.

Some options available to you to keep userid and password information private are to use cryptography (see Cryptographic Services), though you still need to take care when storing key information, and storing secret information separate from your application, but tightly protected using NTFS permissions.

When connecting to Microsoft SQL Server, you also have the option to use Integrated Security, which uses the identity of the current active user rather than passing a userid and password. . Using Integrated Security is highly recommended.

Note   ASP.NET developers need to pay special attention when using Integrated Security. For information on controlling the identity of the current active user in an ASP.NET application, see ASP.NET Impersonation.

You can supply connection information for an OleDbConnection using a Universal Data Link (UDL) file. Because a UDL file is an external resource to your application, you should protect UDL files using New Technologies File System (NTFS) file permissions to guard against connection information being exposed or modified. Also, be sure to provide a fully qualified path to a UDL file to ensure that the correct UDL file is used for the connection.

UDL files are not encrypted. If you want to further help protect the security of your connection information using cryptography, you will not be able to use a UDL file to supply connection string information.

Keep Persist Security Info as False

Setting Persist Security Info to true or yes will allow security-sensitive information, including the userid and password, to be obtained from the connection after the connection has been opened. If you are supplying a userid and password when making a connection, you are most protected if that information is used to open the connection, and then discarded. As a result, your option that helps to provide greater security is to set Persist Security Info to false or no.

This is especially important if you are supplying an open connection to an untrusted source or persisting connection information to disk. Keeping Persist Security Info as false helps ensure that the untrusted source does not have access to the security-sensitive information for your connection and also helps ensure that no security-sensitive information is persisted to disk with your connection string information.

Persist Security Info is false by default.

Use Caution When Constructing Connection Strings from User Input

If you take connection string information from an external source, such as a user supplying a userid and password, you must take care to ensure that the values you use to construct your connection string do not contain additional connection string parameters that change the behavior of your connection. To keep your connection string secure, validate any input from an external source to ensure that it follows the correct format.

Validating Input

Regular expressions can be used to validate that input matches a particular format. The .NET Framework provides the Regex object to validate a value against a regular expression. For example, the following ensures that a userid value is an 8-character alphanumeric string.

Public Static Function ValidateUserid(inString As String) As Boolean
  Dim r As Regex = New Regex("^[A-Za-z0-9]{8}$")
  Return r.IsMatch(inString)
End Function
public static bool ValidateUserid(string inString)
  Regex r = new Regex("^[A-Za-z0-9]{8}$");
  return r.IsMatch(inString)

See Also

Writing Secure ADO.NET Code