Been building a WP7 app and now I need it to communicate to a WCF service I made to make changes to an SQL database. I am a little concerned about security as the user name and password for accessing the SQL database is in the App.Config. I have read in places that you can encrypt the user name and password in the config file.
As the username and password is never exposed to the clients connected to the WCF service, would security in my situation be much of a problem?
Just in case anyone suggests a method of security, I do not have SSL on my web server.
Best Answer
Having a database username and password in App.Config is a risk if your server is compromised and someone is able to access the config file.
Yes, you can encrypt sections of App.Config: have a read of Encrypting Configuration Information Using Protected Configuration on MSDN.
However a simpler method, and the one which I believe is Microsoft's recommended practice, is to use Windows authentication on your database rather than SQL authentication. Grant the Windows account that your WCF service runs under the access it needs to do it's database reads and writes (and no more), and modify the connection string in your App.Config to
Integrated Security=SSPI. No username and password in the config file any more.