This may sound elementary, but I have to answer questions from an auditor. We have a standard IIS ASP.NET site using SQL Server. We have encrypted the connection strings in web.config, but it seems to me this only protects the web.config file itself, since decryption is done right on the same IIS machine for ASP.NET to use to authenticate to SQL Server.
The question I'm being asked, and have never given much thought to, is: when IIS authenticates with SQL Server, are the now-decrypted credentials sent to SQL Server in cleartext? Or is there some sort of out-of-the-box standard encrypted method in which IIS authenticates with SQL Server? If so, how strong is the method used?
Thanks, James