0

Been building a WP7 app and now I need it to communicate with a WCF service I made to make changes to an SQL database. I am a little concerned about security as the user name and password for accessing the SQL database are in the App.Config. I have read in places that you can encrypt the user name and password in the config file.

As the username and password are never exposed to the clients connected to the WCF service, would security in my situation be much of a problem?

Just in case anyone suggests a method of security, I do not have SSL on my web server.

Gaz83

1 Answer

3

Having a database username and password in App.Config is a risk if your server is compromised and someone is able to access the config file.

Yes, you can encrypt sections of App.Config: have a read of Encrypting Configuration Information Using Protected Configuration on MSDN.

However a simpler method, and the one which I believe is Microsoft's recommended practice, is to use Windows authentication on your database rather than SQL authentication. Grant the Windows account that your WCF service runs under the access it needs to do its database reads and writes (and no more), and modify the connection string in your App.Config to Integrated Security=SSPI. No username and password in the config file any more.

Carson63000
  • Thanks for that, I will look into it and get back if I get it to work or have issues. – Gaz83 Jul 15 '12 at 16:53
  • Sorry for the late reply, it looks like I may have to change my hosting package as my current package does not allow me to use Windows authentication. – Gaz83 Aug 06 '12 at 12:18
  • 2
    Be careful when you use Windows security because some services could be used from non-Windows clients. – NoChance Sep 14 '12 at 03:03
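
The two options in the answer above, combined into one check (an added example, not code from the question or the answer): it reports which connection strings in a service's config still carry SQL-authentication credentials and, if any do, encrypts the connectionStrings section with the built-in DPAPI protected-configuration provider. It assumes .NET Framework, SQL Server connection strings, and that the path to the service executable (a hypothetical MyService.exe) is passed as the first argument.

```csharp
// Added example. Needs references to System.Configuration and System.Data.
using System;
using System.Configuration;
using System.Data.SqlClient;

static class ConnectionStringAudit
{
    // Built-in DPAPI provider: the encrypted section is readable only on this machine.
    const string Provider = "DataProtectionConfigurationProvider";

    // True when the connection string uses SQL authentication with embedded credentials.
    static bool HasEmbeddedCredentials(string connectionString)
    {
        var b = new SqlConnectionStringBuilder(connectionString);
        return !b.IntegratedSecurity && (b.UserID.Length > 0 || b.Password.Length > 0);
    }

    static int Main(string[] args)
    {
        if (args.Length != 1) { Console.Error.WriteLine("usage: audit <path-to-exe>"); return 2; }

        // Opens <exe>.config; an already protected section is decrypted transparently.
        Configuration config = ConfigurationManager.OpenExeConfiguration(args[0]);
        ConnectionStringsSection section = config.ConnectionStrings;

        bool found = false;
        foreach (ConnectionStringSettings cs in section.ConnectionStrings)
        {
            try
            {
                bool embedded = HasEmbeddedCredentials(cs.ConnectionString);
                Console.WriteLine("{0}: {1}", cs.Name,
                    embedded ? "SQL auth, credentials in config" : "no embedded credentials");
                found |= embedded;
            }
            catch (ArgumentException)
            {
                // Not a SQL Server connection string (e.g. OLE DB keywords); skipped.
                Console.WriteLine("{0}: skipped, not parseable as SQL Server", cs.Name);
            }
        }

        if (found && !section.SectionInformation.IsProtected)
        {
            section.SectionInformation.ProtectSection(Provider);
            section.SectionInformation.ForceSave = true;
            config.Save(ConfigurationSaveMode.Modified);
            Console.WriteLine("connectionStrings section encrypted with {0}", Provider);
        }
        return found ? 1 : 0; // non-zero exit: credentials are still stored in the file
    }
}
```

Run it on the server that hosts the service, since a section protected with the DPAPI provider cannot be decrypted on another machine. An exit code of 0 means every SQL Server connection string already uses Integrated Security and nothing needed encrypting.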