ADO.NET Security Recommendations
April 14, 2004
ADO.NET Security Recommendations concentrates on the following areas.
Authentication Modes
Connection String Options
Authentication Modes
Use Windows Authentication over SQL Authentication
1. Security is easier to manage
2. User names and passwords are not needed in connection strings
3. Logon security improves through password expiration periods, minimum lengths and account lockout after multiple invalid logon requests.
4. Passwords are not sent as clear text over the network
Avoid impersonation in the middle tier for better connection pooling
Consider 2 accounts for impersonation - one account for reads and the other for writes
Windows Authentication takes longer to open a pooled connection than SQL Authentication
Connection String Options
A connection string can be stored in
1. XML Configuration files
2. UDL file for OLEDB Provider
3. COM+ Catalog for serviced components
4. Windows registry
5. Custom files
Use Windows Authentication; it does not require a password to be stored.
Encrypt the connection string stored in XML configuration files
Access to a connection string stored in the registry can be restricted by using ACLs and encrypting the data
Set Persist Security Info to false to prevent security-sensitive details, such as the password, from being returned by means of the ConnectionString property of the SqlConnection or OleDbConnection.
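The recommendations above can be checked mechanically before a connection string is deployed. The following is an added example, not code from the original article: the class and method names are hypothetical, the sample strings are constructed, and it parses the string offline with DbConnectionStringBuilder without opening a connection.

```csharp
using System;
using System.Collections.Generic;
using System.Data.Common;
using System.Linq;

static class ConnectionStringAudit   // hypothetical helper, not part of ADO.NET
{
    // Returns findings for one connection string; an empty list means it follows the recommendations.
    public static List<string> Audit(string connectionString)
    {
        var b = new DbConnectionStringBuilder { ConnectionString = connectionString };
        var findings = new List<string>();
        bool integrated = IsOn(Get(b, "Integrated Security", "Trusted_Connection"), "sspi");
        bool hasPassword = Get(b, "Password", "Pwd") != null;
        bool persist = IsOn(Get(b, "Persist Security Info", "PersistSecurityInfo"));
        if (!integrated) findings.Add("SQL Authentication in use; prefer Windows Authentication");
        if (hasPassword) findings.Add("Password stored in the connection string");
        if (persist) findings.Add("Persist Security Info is enabled; set it to false");
        return findings;
    }

    // First value found among a keyword and its synonyms, or null when none is present.
    static string Get(DbConnectionStringBuilder b, params string[] keys)
    {
        foreach (var k in keys)
            if (b.TryGetValue(k, out object v)) return Convert.ToString(v);
        return null;
    }

    // Boolean keywords accept true/yes; Integrated Security also accepts SSPI.
    static bool IsOn(string value, string extra = null)
    {
        if (value == null) return false;
        value = value.Trim();
        return value.Equals("true", StringComparison.OrdinalIgnoreCase)
            || value.Equals("yes", StringComparison.OrdinalIgnoreCase)
            || (extra != null && value.Equals(extra, StringComparison.OrdinalIgnoreCase));
    }

    static void Main()
    {
        // Constructed sample strings; server, database and credentials are placeholders.
        string[] samples = {
            "Data Source=dbhost;Initial Catalog=Orders;Integrated Security=SSPI;Persist Security Info=False",
            "Data Source=dbhost;Initial Catalog=Orders;User ID=app;Password=EXAMPLE;Persist Security Info=True"
        };
        // Only the findings are printed, never the connection string itself.
        foreach (var f in samples.Select(s => Audit(s)))
            Console.WriteLine(f.Count == 0 ? "OK" : string.Join("; ", f));
    }
}
```

The first sample prints OK; the second reports all three findings.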