You work as a Microsoft ASP.NET developer at Domain.com. Domain.com uses Microsoft Visual Studio .NET 2005 as its application development platform. The Domain.com network contains an SQL Server 2005 database server named Certkiller -DB01 and a Web server named Certkiller -SR15. Certkiller -DB01 hosts a database named CKFinance that is accessed by an in-house Web application. The Web application is hosted on Certkiller -SR15 and uses SQL Server authentication to access the CKFinance database. Several Domain.com users in the Sales department have access to Certkiller -SR15 but do not have permission to access the CKFinance database. You need to ensure that the Domain.com users who should not have access to the CKFinance database cannot use the Web application to access the database.
What should you do?
A.
Add code that verifies the user’s permissions in each request before accessing the data in the CKFinance database.
B.
Store the database connection string in a Web.config file and encrypt the section that contains the connection string.
C.
Add code that calls a secure Web service that returns the database connection string.
D.
Store the database connection string in code so that it can be compiled into an assembly.
Explanation:
The threat in this scenario is that users who have access to Certkiller -SR15 can locate the connection string and use the information in the connection string to access the database. You need to encrypt the connection string to prevent users from using the information contained in it. This can only be done if you store the connection string in the Web.config file and encrypt the section that contains the connection string. Then only user accounts with the required permission to access the key container can decrypt the connection string.
Incorrect Answers:
A: Verifying user permissions at the Web application level does not prevent users who have access to Certkiller -SR15 from locating the connection string and using the information in the connection string to manually access the database. C, D: Assemblies can be reverse engineered to retrieve the code contained within them.
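As an added example that is not part of the original question, the following PowerShell script carries out the protected-configuration step the explanation describes: it encrypts the connectionStrings section of Web.config with the RSA provider, grants only the application identity access to the key container, and checks the result. It assumes the application is deployed at virtual path /CKFinance on the default site, runs as NETWORK SERVICE, and that the physical path and server name in the comments are placeholders.

```powershell
# Added example (not from the original question): protecting the CKFinance
# connection string with ASP.NET 2.0 protected configuration.
# Assumptions: virtual path /CKFinance on the default Web site, worker process
# identity NETWORK SERVICE, and the .NET 2.0 tool path below.
$regiis     = Join-Path $env:windir 'Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe'
$appPath    = '/CKFinance'
$container  = 'NetFrameworkConfigurationKey'    # default RSA key container
$appAccount = 'NT AUTHORITY\NETWORK SERVICE'    # account the application runs as
$webConfig  = 'C:\inetpub\wwwroot\CKFinance\Web.config'   # assumed physical path

# Before: the weak setting. Any user who can read Web.config on the server can
# reuse these credentials to reach the database directly (placeholder values):
#   <connectionStrings>
#     <add name="CKFinance"
#          connectionString="Data Source=<dbserver>;Initial Catalog=CKFinance;User ID=<user>;Password=<pwd>" />
#   </connectionStrings>

# 1. Encrypt the connectionStrings section in place using the RSA provider.
& $regiis -pe 'connectionStrings' -app $appPath -prov 'RsaProtectedConfigurationProvider'
if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis -pe failed with exit code $LASTEXITCODE" }

# 2. Grant the application identity read access to the key container. Only
#    accounts with this permission (plus local administrators) can decrypt
#    the section, which is the control the explanation relies on.
& $regiis -pa $container $appAccount
if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis -pa failed with exit code $LASTEXITCODE" }

# 3. Verify: the section now carries configProtectionProvider and contains an
#    <EncryptedData> element instead of the plaintext <add> element.
[xml]$cfg = Get-Content -Path $webConfig
$section = $cfg.configuration.connectionStrings
if ($section.configProtectionProvider -ne 'RsaProtectedConfigurationProvider' -or -not $section.EncryptedData) {
    throw 'connectionStrings section is still in plaintext'
}
# Application code is unchanged: ConfigurationManager.ConnectionStrings["CKFinance"]
# decrypts transparently when running under an account that can open the container.
Write-Host 'connectionStrings section is encrypted and access is limited to the application identity.'
```

To undo the change for maintenance, the same tool decrypts the section with `-pd 'connectionStrings' -app $appPath`.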