How to publish winform application

ravi kumar 331 Reputation points
2022-04-25T06:45:05.653+00:00

Hello all,

Please guide me on how to publish my WinForms application through Visual Studio 2022. As I have the user ID and password of my SQL database in the app.config file, I need your help to publish my WinForms application in the most secure way.

Developer technologies Windows Forms
Developer technologies C#

2 answers

  1. Karen Payne MVP 35,586 Reputation points Volunteer Moderator
    2022-04-26T16:26:48.323+00:00

    Addressing app.config security, perhaps the following may assist.

    using System;
    using System.Configuration;
    using System.IO;
    
    namespace SecureConnection
    {
        public class Protection
        {
            public string FileName { get; set; }
            public Protection(string executableFileName)
            {
                if (!(File.Exists(string.Concat(executableFileName, ".config"))))
                {
                    throw new FileNotFoundException(string.Concat(executableFileName, ".config"));
                }
                FileName = executableFileName;
            }
            private bool EncryptConnectionString(bool encrypt, string fileName)
            {
                bool success = false; // stays false if the section is locked and nothing was changed
                Configuration configuration = null;
    
                try
                {
                    configuration = ConfigurationManager.OpenExeConfiguration(fileName);
                    var configSection = configuration.GetSection("connectionStrings") as ConnectionStringsSection;
    
                    if ((!configSection.ElementInformation.IsLocked) && (!configSection.SectionInformation.IsLocked))
                    {
                        if (encrypt && (!configSection.SectionInformation.IsProtected))
                        {
                            // encrypt the file
                            configSection.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");
                        }
    
                        if ((!encrypt) && configSection.SectionInformation.IsProtected) // encrypt is false, so decrypt
                        {
                            // decrypt the file. 
                            configSection.SectionInformation.UnprotectSection();
                        }
    
                        configSection.SectionInformation.ForceSave = true;
                        configuration.Save();
    
                        success = true;
    
                    }
                }
                catch (Exception)
                {
                    success = false;
                }
    
                return success;
    
            }
            public bool IsProtected()
            {
                var configuration = ConfigurationManager.OpenExeConfiguration(FileName);
                var configSection = configuration.GetSection("connectionStrings") as ConnectionStringsSection;
                // A missing connectionStrings section is reported as not protected.
                return configSection != null && configSection.SectionInformation.IsProtected;
            }
            public bool EncryptFile() => File.Exists(FileName) && EncryptConnectionString(true, FileName);
    
            public bool DecryptFile() => File.Exists(FileName) && EncryptConnectionString(false, FileName);
        }
    }
    

  2. Bruce (SqlWork.com) 77,686 Reputation points Volunteer Moderator
    2022-04-26T17:35:46.717+00:00

    Encrypting the appsettings is not a secure solution in this case.

    As the encryption must be done on the user machine under their account, it would require that the password be a variable in the program (then why use app settings), or the user enter it, or the app ship with an unencrypted app settings that is encrypted the first time it is used, or the installer program encrypt it. Still not very secure.

    Because the user has the key, they can always decrypt it themselves, so at best this is obfuscation.

    If you pre-encrypt the appsettings, then the program must have the key stored internally, and thus available via decompiling.

    As suggested, the best options are to have the user log in to SQL Server as themselves, or use a Web API as a proxy. If you allow them to log in as themselves, you should use stored procs, and have the procs validate their security; the same with the Web API.

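The first option from the second answer (each user logs in to SQL Server as themselves, with data access going through stored procedures), sketched in C# as an added example that is not code from either answerer. The connection-string name `AppDb`, the server and database placeholders, and the procedure `dbo.GetOrdersForCurrentUser` are hypothetical.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;

// Added example. Assumed app.config entry (placeholders, no secret in it):
//   <add name="AppDb" connectionString="Data Source=SERVER_PLACEHOLDER;
//        Initial Catalog=DB_PLACEHOLDER;Integrated Security=True" />
public static class OrdersData
{
    // Loads the named connection string and refuses to use it if it carries
    // SQL credentials, so a shipped app.config never contains a password.
    public static string GetCredentialFreeConnectionString(string name)
    {
        ConnectionStringSettings settings = ConfigurationManager.ConnectionStrings[name];
        if (settings == null)
            throw new ConfigurationErrorsException("Missing connection string: " + name);

        var builder = new SqlConnectionStringBuilder(settings.ConnectionString);
        if (!string.IsNullOrEmpty(builder.UserID) || !string.IsNullOrEmpty(builder.Password))
            throw new ConfigurationErrorsException(
                "Connection string '" + name + "' must not contain User ID or Password.");

        builder.IntegratedSecurity = true; // connect as the logged-on Windows user
        return builder.ConnectionString;
    }

    // Calls a stored procedure (hypothetical name) instead of querying tables
    // directly; the procedure is where the server decides what this login may see.
    public static DataTable GetOrdersForCurrentUser(int customerId)
    {
        var table = new DataTable();
        using (var connection = new SqlConnection(GetCredentialFreeConnectionString("AppDb")))
        using (var command = new SqlCommand("dbo.GetOrdersForCurrentUser", connection))
        {
            command.CommandType = CommandType.StoredProcedure;
            command.Parameters.Add("@CustomerId", SqlDbType.Int).Value = customerId;
            connection.Open();
            using (SqlDataReader reader = command.ExecuteReader())
            {
                table.Load(reader); // copy the result set before the connection closes
            }
        }
        return table;
    }
}
```

On the server side this assumes each Windows login is granted EXECUTE on the procedure only, with no direct table permissions.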
