I currently have a database in MS SQL2008 which is accessed via a VB2008 app on a Local Area network. The password for the database is hardcoded within the app.config file in the program. However I want to transfer the database out to the web. To that end I have set up a virtual server to host the database and transferred a copy of the database with some dummy data to the site. I have written an ASP 3.5 app to login to that test database. The ASP app lets me have a secure user login via authentication within the web.config file. (SHA1). Works fine and brings me back a selection of records to a gridview. I can also make the connection from the VB2008 LAN app. However, I cannot figure out how to make this latter a secure connection as is the case with the ASP program. Note: the VB2008 type app is required as it has a large number of modules for speedy data entry, etc. which will not be incorporated within the web app.
I am not totally clear: Do you want to encrypt the connection to the database, or the connection string for the connection? I suspect the latter, in which case this is a VB.NET application problem not a SQL Server one.
Ok - I'll be really specific:
Are you storing a password in plain text in your app.config file? Is it this that is insecure?
Is your connection to the database unencrypted? Is it this that is insecure?
If neither of these things is what is preventing "secure access to the database", please can you describe very clearly (in different terms) what the present situation is and what you want your final situation to be.
In the VB.NET application the password is in plain text in app config. As the PCs on the LAN are all in a secure area this is sufficiently secure for accessing the data.
On the asp.net version I can encrypt the connection string (web.config), thereby preventing someone sniffing the login name and password.
Just to be sure you understand - encrypting the connection string in web.config does not encrypt the connection to SQL Server. You understand this, right? It does prevent someone reading it from the config file but does not prevent someone intercepting communication between the application and SQL Server.
In other words, whether or not your connection information is encrypted at the client will not affect the security of the connection itself. In order to encrypt the connection you need a trusted certificate on SQL Server and you need to specify encrypted in the connection string.
If I have missed your meaning again I think I'll step out and let someone else have a go since I am clearly not getting it.
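The two separate controls discussed in this thread, protecting the connection string at rest in app.config and encrypting the connection itself, shown together for a VB.NET desktop client. This is an added example, not code from any poster; the connection string name `AppDb` and the module name are hypothetical, and it assumes the SQL Server instance has a certificate the client trusts and that the login holds VIEW SERVER STATE for the verification query.

```vb
' Requires a project reference to System.Configuration.dll.
Imports System.Configuration
Imports System.Data.SqlClient

Module SecureDbAccess
    ' Hypothetical name of the entry under <connectionStrings> in app.config.
    Private Const ConnName As String = "AppDb"

    ' Control 1: encrypt the <connectionStrings> section on disk using DPAPI.
    ' This protects the file only; it does nothing for traffic on the wire.
    Sub ProtectConnectionStrings()
        Dim cfg As System.Configuration.Configuration = _
            ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None)
        Dim section As ConfigurationSection = cfg.GetSection("connectionStrings")
        If Not section.SectionInformation.IsProtected Then
            section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider")
            section.SectionInformation.ForceSave = True
            cfg.Save(ConfigurationSaveMode.Modified)
        End If
    End Sub

    ' Control 2: require an encrypted channel and validate the server certificate.
    Function OpenEncrypted() As SqlConnection
        Dim raw As String = ConfigurationManager.ConnectionStrings(ConnName).ConnectionString
        Dim builder As New SqlConnectionStringBuilder(raw)
        builder.Encrypt = True
        builder.TrustServerCertificate = False ' fail if the certificate is not trusted
        Dim conn As New SqlConnection(builder.ConnectionString)
        conn.Open()
        Return conn
    End Function

    ' Check: ask the server whether this session is encrypted.
    ' Assumes the login can read sys.dm_exec_connections (VIEW SERVER STATE).
    Function IsSessionEncrypted(ByVal conn As SqlConnection) As Boolean
        Dim sql As String = _
            "SELECT encrypt_option FROM sys.dm_exec_connections WHERE session_id = @@SPID"
        Using cmd As New SqlCommand(sql, conn)
            Return String.Equals(CStr(cmd.ExecuteScalar()), "TRUE", _
                                 StringComparison.OrdinalIgnoreCase)
        End Using
    End Function

    Sub Main()
        ProtectConnectionStrings()
        Using conn As SqlConnection = OpenEncrypted()
            If Not IsSessionEncrypted(conn) Then Throw New InvalidOperationException("Connection is not encrypted")
            Console.WriteLine("Encrypted session established")
        End Using
    End Sub
End Module
```

The DPAPI provider ties the encrypted section to the machine it was protected on, so `ProtectConnectionStrings` has to run on each client PC rather than shipping a pre-encrypted file. It also does not hide the credentials from a user who can run the application on that machine.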