Secure ConnectionString in WinForm Applications

Question

How Can I Secure my ConnectionString in WinForm Application?

Answer 1

You can't. Although you can encrypt the connection string in the app.config file, the application needs to be able to decrypt it and it is, therefore, always possible to retrieve the unencrypted connection string, especially with a managed application (perhaps not for your typical end user, but any skilled developer, or hacker can do this, and even end users can figure this out after a little bit of googling).

The solution to this is to not lean on security by obscurity. Use Windows Integrated Security when connecting to the database using the Windows user account and give the user the minimum amount of rights in the database.

Often though that is still not enough, because it is very hard to secure the database enough when end users are directly connected to the database (often because you need row-level security). For this to work you need to deny access to tables and views and completely fall back to stored procedures.

A better approach, however, is to prevent the desktop application from communicating directly with the database. Instead, use a web service as intermediate layer. In that case you have full control over the security and you can store the connection string securely on the (web) server.