My company is SOX compliant. One of our requirements is to not allow clear text passwords in any web.config file.
As I understand it, when developers access Vault through the Vault Client tool, the Vault web.config on the web server is called. In the web.config is a connection string to the database.
This is ours
<add key="ConnectString" value="Application Name='SourceGear Vault Server'; Connection Reset='false'; Server=myDBServer; Database=sgvault; Integrated Security='true';app=Vault" />
I see where the User ID and Password key/values are not present.
But we will not be using the Identity Switcher in production.
We do have our own decryption code so the Integrated Security='true' tab won't work for us.
So can you tell me what web service is called before the DB is called. See I want to add a call to my decryption code first and decrypt the password then pass the decrypted password on to your web service.
Thanks
btd
Security in Vault
There are two manners of connecting to a SQL Server/MSDE database from within Vault:
- Windows authentication
- SQL Server authentication.
With Windows authentication, the connect string has no password. This can be identified with the text Integrated Security = 'true'
With SQL Server authentication, a plain password is required. However, you are correct that this would be a security risk. Upon installation, the database password is encrypted and stored in encrypted format within the connect string. This can be seen with the use of PWD= in the connect string.
There is no need to encrypt your own password as it has already been done.
Jeff Clausius
SourceGear
Security in Vault
Is there a way to change this web.config AFTER THE FACT.
See I already have Vault installed and we configured it to use Active Directory accounts. Now with our new SOX requirements, AD accounts are no longer valid.
So what do I have to do to change the installation to use Vault accounts and not A/D accounts? And if I make this change, what do I have to do to get the userid and encrypted password in the connection string?
Thanks
btd
Search In Vault
One more thing...
Right now my Vault web.config file connection string uses Integrated Windows.
How do I change this to use a SQL account with the encrypted password?
Or are you saying the only way to do so is to reinstall?
Thanks
btd
Re: Security in Vault
btd wrote:
Is there a way to change this web.config AFTER THE FACT.
See I already have Vault installed and we configured it to use Active Directory accounts. Now with our new SOX requirements, AD accounts are no longer valid.
So what do I have to do to change the installation to use Vault accounts and not A/D accounts? And if I make this change, what do I have to do to get the userid and encrypted password in the connection string?
Thanks
btd

Let's make sure we're on the same page. Active Directory authentication has nothing to do with the connection string used to get to the Vault database. Those are completely different issues.
However, Active Directory authentication *does* require the Vault service to be run under a Windows based account using identity impersonation.
The security model of ASP.Net originally required the windows user and password to be stored in plain text. However, changes have been made to secure that password.
It is possible to configure Vault to use identity impersonation and secure passwords in the registry, please refer to Microsoft's KB articles on this information:
http://msdn.microsoft.com/library/defau ... ection.asp
http://msdn.microsoft.com/library/defau ... CMCh20.asp
Now, if you do not want to run Active Directory authentication, open Vault's web.config in an editor and remove the xml element <identity impersonate...>, or you can use <identity impersonate="false" />
Once you've correctly modified web.config, you will need to use the Admin Tool and change User's authentication method to use Vault authentication.
Jeff Clausius
SourceGear
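The two replies above describe the only two places a Windows or SQL credential can end up in Vault's web.config: the database connection string (no password with Integrated Security='true'; a PWD= value, which SourceGear says is stored encrypted, with SQL Server authentication) and the <identity impersonate="true"> element that Active Directory authentication requires. The following audit script is an added example for this thread, not SourceGear's or Vault's code. It parses a web.config, classifies each connection string, and flags any impersonation password kept in the file itself. It cannot tell an encrypted PWD= value from a clear-text one, so it reports the presence of a password for manual review; the "registry:" prefix it accepts is the convention aspnet_setreg uses when credentials are moved to HKLM, as in the Microsoft articles Jeff links. Both sample configurations are constructed for the example (the first reuses the poster's connection string; the registry path and account names are illustrative).

```python
"""Audit an ASP.NET web.config for clear-text credentials.
Added example for this thread, not SourceGear's or Vault's code."""
import xml.etree.ElementTree as ET

PASSWORD_KEYS = {"password", "pwd"}                      # ADO.NET / OLE DB spellings
INTEGRATED_KEYS = {"integrated security", "trusted_connection"}
INTEGRATED_TRUE = {"true", "sspi", "yes"}
SERVER_KEYS = {"server", "data source"}                  # marks a value as a connection string


def parse_connection_string(cs):
    """Split 'Key=Value; Key2=Value2' into a dict with lower-cased keys and
    unquoted values. A ';' inside a quoted value is not handled; none of
    the strings on this page need it."""
    parts = {}
    for piece in cs.split(";"):
        if "=" not in piece:
            continue
        key, _, value = piece.partition("=")
        parts[key.strip().lower()] = value.strip().strip("'\"")
    return parts


def classify_connection_string(cs):
    """'sql-auth-password' when a Password/PWD key is present, 'windows-auth'
    for Integrated Security, 'unknown' for a server string with neither,
    'not-a-connection-string' when there is no Server/Data Source key."""
    parts = parse_connection_string(cs)
    if not any(k in parts for k in SERVER_KEYS):
        return "not-a-connection-string"
    if any(k in parts for k in PASSWORD_KEYS):
        return "sql-auth-password"
    if any(parts.get(k, "").lower() in INTEGRATED_TRUE for k in INTEGRATED_KEYS):
        return "windows-auth"
    return "unknown"


def _is_registry_ref(value):
    # aspnet_setreg moves the impersonation credentials into HKLM and
    # web.config then points at them with "registry:HKLM\...,password".
    return value.lower().startswith("registry:")


def audit_web_config(xml_text):
    """Return (location, finding) pairs; an empty list means no clear-text
    credential was found in the places this audit covers."""
    findings = []
    root = ET.fromstring(xml_text)
    for add in root.iter("add"):                         # <appSettings> and <connectionStrings>
        name = add.get("key") or add.get("name") or "?"
        value = add.get("value") or add.get("connectionString") or ""
        kind = classify_connection_string(value)
        if kind == "sql-auth-password":
            findings.append((name, "Password/PWD in connection string; confirm it is encrypted, not clear text"))
        elif kind == "unknown":
            findings.append((name, "neither Integrated Security nor a password; review manually"))
    for ident in root.iter("identity"):
        if ident.get("impersonate", "false").lower() != "true":
            continue                                     # impersonation off: no Windows credential stored
        pw = ident.get("password")
        if pw and not _is_registry_ref(pw):
            findings.append(("identity", "impersonation password stored in clear text"))
    return findings


# Constructed sample 1: the poster's connection string as quoted in the thread,
# plus an impersonation element whose credentials were moved to the registry
# with aspnet_setreg (registry path is illustrative).
POSTERS_WEB_CONFIG = """<configuration>
  <appSettings>
    <add key="ConnectString" value="Application Name='SourceGear Vault Server'; Connection Reset='false'; Server=myDBServer; Database=sgvault; Integrated Security='true';app=Vault" />
  </appSettings>
  <system.web>
    <identity impersonate="true"
              userName="registry:HKLM\\SOFTWARE\\EXAMPLE\\identity\\ASPNET_SETREG,userName"
              password="registry:HKLM\\SOFTWARE\\EXAMPLE\\identity\\ASPNET_SETREG,password" />
  </system.web>
</configuration>"""

# Constructed sample 2: the configuration a SOX reviewer is looking for.
CLEAR_TEXT_WEB_CONFIG = """<configuration>
  <appSettings>
    <add key="ConnectString" value="Server=myDBServer; Database=sgvault; User ID=vaultsvc; Password=p@ssw0rd" />
  </appSettings>
  <system.web>
    <identity impersonate="true" userName="CORP\\vaultsvc" password="p@ssw0rd" />
  </system.web>
</configuration>"""

if __name__ == "__main__":
    for label, cfg in (("poster", POSTERS_WEB_CONFIG), ("clear-text", CLEAR_TEXT_WEB_CONFIG)):
        found = audit_web_config(cfg)
        print(f"{label}: {'clean' if not found else str(len(found)) + ' finding(s)'}")
        for loc, msg in found:
            print(f"  [{loc}] {msg}")
```

Run against the poster's file, the audit reports nothing: Integrated Security carries no password and the impersonation credentials are registry references. Against the second sample it reports both the connection-string password and the identity password. Note that after a switch to SQL Server authentication the PWD= value Vault writes would also be reported, because the file alone does not prove the value is encrypted; that entry is the one to verify with SourceGear rather than suppress.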
Re: Search In Vault
btd wrote:
One more thing...
Right now my Vault web.config file connection string uses Integrated Windows.
How do I change this to use a SQL account with the encrypted password?
Or are you saying the only way to do so is to reinstall?
Thanks
btd

The easiest way is to un-install (keeping the database when prompted), and install (keeping the database when prompted). Otherwise, you will need to contact technical support for help generating the connect string and encrypting the password.
Jeff Clausius
SourceGear