Chapter 70. How to Store Secrets on a Machine

This has got to be one of the most frequently asked questions I get when I teach security classes: “How should I store my connection strings on the Web server?” It doesn't always take that exact form, but a lot of people out there need to store sensitive data on Web servers and other often-attacked machines. It's a tricky problem with no perfect answers.

Here's the deal. Imagine a Web server that needs a password to connect to some back-end machine running on a platform where Kerberos authentication isn't an option. The server process will need to read that password at some point, and therein lies the problem. Any data that can be read by the server process can be read by an attacker who can compromise ...

Get The .NET Developer's Guide to Windows Security now with the O’Reilly learning platform.

O’Reilly members experience live online training, plus books, videos, and digital content from nearly 200 publishers.