https://community.esri.com/t5/arcgis-enterprise-questions/arcgis-database-connection-security/m-p/28630#M1030 <HTML><HEAD></HEAD><BODY><P>Well they wouldn't be able to open up the .sde connection file with Notepad or anything, as it's a proprietary file, and I tried to copy the password from the password field but it doesn't let me, (doesn't work with CTRL+C either):</P><P></P><P><IMG class="image-1 jive-image" src="https://community.esri.com/legacyfs/online/409057_pastedImage_1.png" /></P><P></P><P>All signs point to "no", they won't be able to get the password.</P></BODY></HTML> Fri, 25 May 2018 18:23:14 GMT JonathanQuinn 2018-05-25T18:23:14Z https://community.esri.com/t5/arcgis-enterprise-questions/arcgis-database-connection-security/m-p/28629#M1029 <HTML><HEAD></HEAD><BODY><P>I am wondering about the password security in database authenticated connections files (e.g.&nbsp;<SPAN>connection.sde) when the password is saved in the connection&nbsp;file. Are the passwords encrypted&nbsp;in the connection file? In other words would it be possible for a users on the system to extract&nbsp;the password for a database user (like sde!) from a connection file? Not that we have sde user connections sitting around for the average&nbsp;user to stumble&nbsp;across but you get the idea...&nbsp;</SPAN></P><P><SPAN><IMG class="image-1 jive-image" src="https://community.esri.com/legacyfs/online/409053_pastedImage_1.png" /></SPAN></P></BODY></HTML> Fri, 25 May 2018 17:57:16 GMT https://community.esri.com/t5/arcgis-enterprise-questions/arcgis-database-connection-security/m-p/28629#M1029 forestknutsen1 2018-05-25T17:57:16Z https://community.esri.com/t5/arcgis-enterprise-questions/arcgis-database-connection-security/m-p/28630#M1030 <HTML><HEAD></HEAD><BODY><P>Well they wouldn't be able to open up the .sde connection file with Notepad or anything, as it's a proprietary file, and I tried to copy the password from the password field but it doesn't let me, (doesn't work with CTRL+C either):</P><P></P><P><IMG class="image-1 jive-image" src="https://community.esri.com/legacyfs/online/409057_pastedImage_1.png" /></P><P></P><P>All signs point to "no", they won't be able to get the password.</P></BODY></HTML> Fri, 25 May 2018 18:23:14 GMT https://community.esri.com/t5/arcgis-enterprise-questions/arcgis-database-connection-security/m-p/28630#M1030 JonathanQuinn 2018-05-25T18:23:14Z https://community.esri.com/t5/arcgis-enterprise-questions/arcgis-database-connection-security/m-p/28631#M1031 <HTML><HEAD></HEAD><BODY><P>Thanks for the feedback. I did try and open it up with notepad++ and got garbage. I am wondering because the organization that I work for has a lot of the DB power user passwords in a python dictionary as part of our local python package. Then concretions are made with code for our batch jobs using this python module. It feels week to me because any machine that has the module installed has the password deep in the python installation, if someone thought to look there or just bummed into it very bad things could happen. If the esri connection files are safe I would think a better model would be to place the power user DB connections in a folder and limit access to it. Is this how most <SPAN>organization&nbsp;</SPAN>do it?</P></BODY></HTML> Fri, 25 May 2018 19:33:06 GMT https://community.esri.com/t5/arcgis-enterprise-questions/arcgis-database-connection-security/m-p/28631#M1031 forestknutsen1 2018-05-25T19:33:06Z https://community.esri.com/t5/arcgis-enterprise-questions/arcgis-database-connection-security/m-p/28632#M1032 <HTML><HEAD></HEAD><BODY><P>I'll be honest and say I wouldn't consider myself a database administrator nor very familiar with business operations, but I do have some thoughts:</P><P></P><P>1) Storing passwords in plain-text on disk is never a good idea</P><P>2)&nbsp;Saving the password in the connection file and moving the connection file into a location that only authorized users can access is a good idea</P><P>3) Not saving the password in the connection file and requiring users to enter the password can help make sure even if someone does access the connection file, they can't open the database. This doesn't work with batch/automated jobs</P><P>4) Using OS authentication, (<A class="link-titled" href="http://desktop.arcgis.com/en/arcmap/10.3/manage-data/gdbs-in-oracle/connect-oracle.htm" title="http://desktop.arcgis.com/en/arcmap/10.3/manage-data/gdbs-in-oracle/connect-oracle.htm">Connect to Oracle from ArcGIS—Help | ArcGIS Desktop</A>,&nbsp;<A class="link-titled" href="https://docs.oracle.com/cd/B28359_01/win.111/b32010/authen.htm#CHDEDFJI" title="https://docs.oracle.com/cd/B28359_01/win.111/b32010/authen.htm#CHDEDFJI">Authenticating Database Users with Windows</A>), is a good solution as the credentials are pulled from the user running the process connecting through the connection file, (ArcMap, scheduled task through a batch file, ArcGIS Server).</P><P></P><P>Again, no expert on this, but those are my thoughts.</P></BODY></HTML> Fri, 25 May 2018 20:03:00 GMT https://community.esri.com/t5/arcgis-enterprise-questions/arcgis-database-connection-security/m-p/28632#M1032 JonathanQuinn 2018-05-25T20:03:00Z https://community.esri.com/t5/arcgis-enterprise-questions/arcgis-database-connection-security/m-p/28633#M1033 <HTML><HEAD></HEAD><BODY><BLOCKQUOTE class="jive_macro_quote jive-quote jive_text_macro"><P>Jonathan Quinn wrote:</P><P></P><P>1) Storing passwords in plain-text on disk is never a good idea</P><P>2)&nbsp;Saving the password in the connection file and moving the connection file into a location that only authorized users can access is a good idea</P><P>3) Not saving the password in the connection file and requiring users to enter the password can help make sure even if someone does access the connection file, they can't open the database. This doesn't work with batch/automated jobs</P><P>4) Using OS authentication, (<A class="jive-link-external-small" href="https://community.esri.com/external-link.jspa?url=http%3A%2F%2Fdesktop.arcgis.com%2Fen%2Farcmap%2F10.3%2Fmanage-data%2Fgdbs-in-oracle%2Fconnect-oracle.htm" rel="nofollow" target="_blank">Connect to Oracle from ArcGIS—Help | ArcGIS Desktop</A>,&nbsp;<A class="jive-link-external-small" href="https://community.esri.com/external-link.jspa?url=https%3A%2F%2Fdocs.oracle.com%2Fcd%2FB28359_01%2Fwin.111%2Fb32010%2Fauthen.htm%23CHDEDFJI" rel="nofollow" target="_blank">Authenticating Database Users with Windows</A>), is a good solution as the credentials are pulled from the user running the process connecting through the connection file, (ArcMap, scheduled task through a batch file, ArcGIS Server).</P></BLOCKQUOTE><P>1) Yep, I could not agree more... I think our system needs to change.</P><P>2) This is how we did in my last job that had an enterprise GIS system. I have only been in my new role for a few months. I am no security expert, so when I saw this GIS batch job setup I thought I was&nbsp;potentiality missing some flaw in the arcgis DBA connection file model.</P><P>3) We have this setup for every day admin tasks.</P><P>4) Everyone, save GIS admins, use OSA only.</P><P></P><P>Thanks for the input. I am going to suggest a change to the team...</P></BODY></HTML> Fri, 25 May 2018 21:46:17 GMT https://community.esri.com/t5/arcgis-enterprise-questions/arcgis-database-connection-security/m-p/28633#M1033 forestknutsen1 2018-05-25T21:46:17Z https://community.esri.com/t5/arcgis-enterprise-questions/arcgis-database-connection-security/m-p/1180676#M33297 <P>With OS authentication, are you certain it pulls from the OS, and no OS based credentials are stored with the connection file?</P> Tue, 07 Jun 2022 16:23:17 GMT https://community.esri.com/t5/arcgis-enterprise-questions/arcgis-database-connection-security/m-p/1180676#M33297 ScottCorwin 2022-06-07T16:23:17Z