diff --git a/Lab PA WinForms UI/App.config b/Lab PA WinForms UI/App.config
index d0a68341..3b2e26f5 100644
--- a/Lab PA WinForms UI/App.config
+++ b/Lab PA WinForms UI/App.config
@@ -9,7 +9,7 @@
-
+
@@ -82,19 +82,19 @@
- WTHMCLBILL
+ ${PROD_DB_SERVER}
- LabBillingProd
+ ${PROD_DB_NAME}
- NLog
+ ${PROD_LOG_DB_NAME}
- LabBillingTest
+ ${TEST_DB_NAME}
- WTHMCLBILL
+ ${TEST_DB_SERVER}
True
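Review bot: The new values in this hunk (`${PROD_DB_SERVER}`, `${PROD_DB_NAME}`, `${PROD_LOG_DB_NAME}`, …) are literal strings to `System.Configuration`; `ConfigurationManager` and `ApplicationSettingsBase` do not expand `${VAR}` syntax, so unless a deployment step rewrites the file the application will try to open a connection to a server literally named `${PROD_DB_SERVER}`. Neither this commit nor the new SECURITY_CONFIGURATION_REMEDIATION.md names the substitution mechanism (config transform, CI templating, envsubst), and the same gap applies to the `Settings.settings` and `App.config` hunks of the other two projects and to the `Tag` string in `AuditReportsForm.Designer.cs` if that tag is parsed at runtime. Either document the substitution step that must run before these files are deployed, or have each program resolve these settings at startup and fail fast when a value is missing or was never substituted, e.g. `if (server.StartsWith("${", StringComparison.Ordinal)) throw new InvalidOperationException("Database settings were not substituted at deployment.");`. The surrounding XML element tags appear to have been lost in this rendering, so the hunk likely contains more lines than are shown here.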
@@ -103,7 +103,7 @@
True
- NLog
+ ${TEST_LOG_DB_NAME}
diff --git a/Lab PA WinForms UI/Legacy Forms/AuditReportsForm.Designer.cs b/Lab PA WinForms UI/Legacy Forms/AuditReportsForm.Designer.cs
index 2dacf460..ae26a5a8 100644
--- a/Lab PA WinForms UI/Legacy Forms/AuditReportsForm.Designer.cs
+++ b/Lab PA WinForms UI/Legacy Forms/AuditReportsForm.Designer.cs
@@ -101,7 +101,7 @@ private void InitializeComponent()
billingReportsTsmi.ImageTransparentColor = System.Drawing.Color.Magenta;
billingReportsTsmi.Name = "billingReportsTsmi";
billingReportsTsmi.Size = new System.Drawing.Size(96, 22);
- billingReportsTsmi.Tag = "WTHMCLBILL|MCLLIVE";
+ billingReportsTsmi.Tag = "${DB_SERVER}|${ALTERNATE_SERVER}";
billingReportsTsmi.Text = "Billing Reports";
//
// jCodes80299tsmi
diff --git a/Lab PA WinForms UI/NLog.config b/Lab PA WinForms UI/NLog.config
index 19c9df3a..d7fe1a59 100644
--- a/Lab PA WinForms UI/NLog.config
+++ b/Lab PA WinForms UI/NLog.config
@@ -22,7 +22,7 @@
/>
diff --git a/Lab PA WinForms UI/Properties/Settings.Designer.cs b/Lab PA WinForms UI/Properties/Settings.Designer.cs
index cc7278a6..4215a3ef 100644
--- a/Lab PA WinForms UI/Properties/Settings.Designer.cs
+++ b/Lab PA WinForms UI/Properties/Settings.Designer.cs
@@ -25,7 +25,7 @@ public static Settings Default {
[global::System.Configuration.ApplicationScopedSettingAttribute()]
[global::System.Diagnostics.DebuggerNonUserCodeAttribute()]
- [global::System.Configuration.DefaultSettingValueAttribute("WTHMCLBILL")]
+ [global::System.Configuration.DefaultSettingValueAttribute("${PROD_DB_SERVER}")]
public string ProdDbServer {
get {
return ((string)(this["ProdDbServer"]));
@@ -34,7 +34,7 @@ public string ProdDbServer {
[global::System.Configuration.ApplicationScopedSettingAttribute()]
[global::System.Diagnostics.DebuggerNonUserCodeAttribute()]
- [global::System.Configuration.DefaultSettingValueAttribute("LabBillingProd")]
+ [global::System.Configuration.DefaultSettingValueAttribute("${PROD_DB_NAME}")]
public string ProdDbName {
get {
return ((string)(this["ProdDbName"]));
@@ -43,7 +43,7 @@ public string ProdDbName {
[global::System.Configuration.ApplicationScopedSettingAttribute()]
[global::System.Diagnostics.DebuggerNonUserCodeAttribute()]
- [global::System.Configuration.DefaultSettingValueAttribute("NLog")]
+ [global::System.Configuration.DefaultSettingValueAttribute("${PROD_LOG_DB_NAME}")]
public string ProdLogDbName {
get {
return ((string)(this["ProdLogDbName"]));
@@ -52,7 +52,7 @@ public string ProdLogDbName {
[global::System.Configuration.ApplicationScopedSettingAttribute()]
[global::System.Diagnostics.DebuggerNonUserCodeAttribute()]
- [global::System.Configuration.DefaultSettingValueAttribute("LabBillingTest")]
+ [global::System.Configuration.DefaultSettingValueAttribute("${TEST_DB_NAME}")]
public string TestDbName {
get {
return ((string)(this["TestDbName"]));
@@ -61,7 +61,7 @@ public string TestDbName {
[global::System.Configuration.ApplicationScopedSettingAttribute()]
[global::System.Diagnostics.DebuggerNonUserCodeAttribute()]
- [global::System.Configuration.DefaultSettingValueAttribute("WTHMCLBILL")]
+ [global::System.Configuration.DefaultSettingValueAttribute("${TEST_DB_SERVER}")]
public string TestDbServer {
get {
return ((string)(this["TestDbServer"]));
@@ -88,7 +88,7 @@ public bool ProdIntegratedSecurity {
[global::System.Configuration.ApplicationScopedSettingAttribute()]
[global::System.Diagnostics.DebuggerNonUserCodeAttribute()]
- [global::System.Configuration.DefaultSettingValueAttribute("NLog")]
+ [global::System.Configuration.DefaultSettingValueAttribute("${TEST_LOG_DB_NAME}")]
public string TestLogDbName {
get {
return ((string)(this["TestLogDbName"]));
diff --git a/Lab PA WinForms UI/Properties/Settings.settings b/Lab PA WinForms UI/Properties/Settings.settings
index 96a141f0..6064cd8e 100644
--- a/Lab PA WinForms UI/Properties/Settings.settings
+++ b/Lab PA WinForms UI/Properties/Settings.settings
@@ -3,19 +3,19 @@
- WTHMCLBILL
+ ${PROD_DB_SERVER}
- LabBillingProd
+ ${PROD_DB_NAME}
- NLog
+ ${PROD_LOG_DB_NAME}
- LabBillingTest
+ ${TEST_DB_NAME}
- WTHMCLBILL
+ ${TEST_DB_SERVER}
True
@@ -24,7 +24,7 @@
True
- NLog
+ ${TEST_LOG_DB_NAME}
-
\ No newline at end of file
+
diff --git a/Lab Patient Accounting Job Scheduler/App.config b/Lab Patient Accounting Job Scheduler/App.config
index cf8c2aaf..73b116b8 100644
--- a/Lab Patient Accounting Job Scheduler/App.config
+++ b/Lab Patient Accounting Job Scheduler/App.config
@@ -8,19 +8,19 @@
- WTHMCLBILL
+ ${DB_SERVER}
- LabBillingProd
+ ${DB_NAME}
- NLog
+ ${LOG_DB_NAME}
- interface
+ ${DB_USERNAME}
- 0ac%%$ff0100a
+ ${DB_PASSWORD}
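Review bot: Replacing the password value in this hunk does not retire it: the removed string remains in repository history and the commit's own SECURITY_CONFIGURATION_REMEDIATION.md reproduces it verbatim, so the `interface` account's credential should be treated as exposed and rotated as part of this change, and the plaintext should be dropped from the markdown. Sourcing `DB_PASSWORD` from a process environment variable is also weaker than the Key Vault / Credential Manager options the document itself recommends, since the environment is readable by anything running in the same session; the WinForms project already carries a `ProdIntegratedSecurity` setting, and `Integrated Security=true` under a service account would remove the stored secret from the scheduler and service entirely where that is available. The same point applies to the `LabBillingService/App.config` hunk and to both `Settings.settings` hunks that carry `${DB_USERNAME}` / `${DB_PASSWORD}`.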
diff --git a/Lab Patient Accounting Job Scheduler/NLog.config b/Lab Patient Accounting Job Scheduler/NLog.config
index a0675a04..9cb190ee 100644
--- a/Lab Patient Accounting Job Scheduler/NLog.config
+++ b/Lab Patient Accounting Job Scheduler/NLog.config
@@ -22,7 +22,7 @@
/>
diff --git a/Lab Patient Accounting Job Scheduler/Settings.Designer.cs b/Lab Patient Accounting Job Scheduler/Settings.Designer.cs
index cbd20d4f..88111cca 100644
--- a/Lab Patient Accounting Job Scheduler/Settings.Designer.cs
+++ b/Lab Patient Accounting Job Scheduler/Settings.Designer.cs
@@ -25,7 +25,7 @@ public static Settings Default {
[global::System.Configuration.ApplicationScopedSettingAttribute()]
[global::System.Diagnostics.DebuggerNonUserCodeAttribute()]
- [global::System.Configuration.DefaultSettingValueAttribute("WTHMCLBILL")]
+ [global::System.Configuration.DefaultSettingValueAttribute("${DB_SERVER}")]
public string DbServer {
get {
return ((string)(this["DbServer"]));
@@ -34,7 +34,7 @@ public string DbServer {
[global::System.Configuration.ApplicationScopedSettingAttribute()]
[global::System.Diagnostics.DebuggerNonUserCodeAttribute()]
- [global::System.Configuration.DefaultSettingValueAttribute("LabBillingProd")]
+ [global::System.Configuration.DefaultSettingValueAttribute("${DB_NAME}")]
public string DbName {
get {
return ((string)(this["DbName"]));
@@ -43,7 +43,7 @@ public string DbName {
[global::System.Configuration.ApplicationScopedSettingAttribute()]
[global::System.Diagnostics.DebuggerNonUserCodeAttribute()]
- [global::System.Configuration.DefaultSettingValueAttribute("NLog")]
+ [global::System.Configuration.DefaultSettingValueAttribute("${LOG_DB_NAME}")]
public string LogDbName {
get {
return ((string)(this["LogDbName"]));
@@ -52,7 +52,7 @@ public string LogDbName {
[global::System.Configuration.ApplicationScopedSettingAttribute()]
[global::System.Diagnostics.DebuggerNonUserCodeAttribute()]
- [global::System.Configuration.DefaultSettingValueAttribute("interface")]
+ [global::System.Configuration.DefaultSettingValueAttribute("${DB_USERNAME}")]
public string Username {
get {
return ((string)(this["Username"]));
@@ -61,7 +61,7 @@ public string Username {
[global::System.Configuration.ApplicationScopedSettingAttribute()]
[global::System.Diagnostics.DebuggerNonUserCodeAttribute()]
- [global::System.Configuration.DefaultSettingValueAttribute("0ac%%$ff0100a")]
+ [global::System.Configuration.DefaultSettingValueAttribute("${DB_PASSWORD}")]
public string Password {
get {
return ((string)(this["Password"]));
diff --git a/Lab Patient Accounting Job Scheduler/Settings.settings b/Lab Patient Accounting Job Scheduler/Settings.settings
index 09ec7f61..987e32fb 100644
--- a/Lab Patient Accounting Job Scheduler/Settings.settings
+++ b/Lab Patient Accounting Job Scheduler/Settings.settings
@@ -3,19 +3,19 @@
- WTHMCLBILL
+ ${DB_SERVER}
- LabBillingProd
+ ${DB_NAME}
- NLog
+ ${LOG_DB_NAME}
- interface
+ ${DB_USERNAME}
- 0ac%%$ff0100a
+ ${DB_PASSWORD}
\ No newline at end of file
diff --git a/LabBillingConsole/NLog.config b/LabBillingConsole/NLog.config
index e1a4d62e..491cdb39 100644
--- a/LabBillingConsole/NLog.config
+++ b/LabBillingConsole/NLog.config
@@ -22,7 +22,7 @@
/>
diff --git a/LabBillingConsole/Program.cs b/LabBillingConsole/Program.cs
index d2cc6a49..49be7577 100644
--- a/LabBillingConsole/Program.cs
+++ b/LabBillingConsole/Program.cs
@@ -23,8 +23,8 @@ private static bool MainMenuPanel()
StringBuilder dbSelect = new();
dbSelect.AppendLine("Select Database:\n\n");
- dbSelect.AppendLine("1) LabBillingProd");
- dbSelect.AppendLine("2) LabBillingTest (WTMCLBILL)");
+ dbSelect.AppendLine("1) Production Database");
+ dbSelect.AppendLine("2) Test Database");
dbSelect.AppendLine("0) Exit");
var panel1 = new Panel(dbSelect.ToString());
@@ -45,19 +45,24 @@ private static bool MainMenuPanel()
return ValidationResult.Error("Invalid selection.");
}));
- serverName = "WTHMCLBILL";
+ // Get server and database names from environment variables or use defaults
+ string defaultServer = Environment.GetEnvironmentVariable("DB_SERVER") ?? "${DB_SERVER}";
+ string prodDbName = Environment.GetEnvironmentVariable("PROD_DB_NAME") ?? "${PROD_DB_NAME}";
+ string testDbName = Environment.GetEnvironmentVariable("TEST_DB_NAME") ?? "${TEST_DB_NAME}";
+
+ serverName = defaultServer;
switch (menuSelect)
{
case 0:
return false;
case 1:
- databaseName = "LabBillingProd";
- serverName = "WTHMCLBILL";
+ databaseName = prodDbName;
+ serverName = defaultServer;
break;
case 2:
- databaseName = "LabBillingTest";
- serverName = "WTHMCLBILL";
+ databaseName = testDbName;
+ serverName = defaultServer;
break;
default:
return true;
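Review bot: The `?? "${DB_SERVER}"` fallbacks added here leave a literal placeholder as the SQL Server host or database name when the variable is unset, so a misconfigured host fails later with an opaque connection error instead of at the menu; a throw expression on each lookup fails fast with the variable's name (fenced below). The console also keys both the production and test choices on `DB_SERVER`, while the WinForms settings in this same commit introduce separate `PROD_DB_SERVER` and `TEST_DB_SERVER` variables, so the two programs can end up pointing "Test" at different servers; settling on one naming scheme would avoid that. `MainMenuPanel` begins outside the hunk.
```csharp
// Fail fast on a missing variable rather than using the literal "${...}" placeholder as a host name.
string defaultServer = Environment.GetEnvironmentVariable("DB_SERVER")
    ?? throw new InvalidOperationException("DB_SERVER environment variable is not set.");
string prodDbName = Environment.GetEnvironmentVariable("PROD_DB_NAME")
    ?? throw new InvalidOperationException("PROD_DB_NAME environment variable is not set.");
string testDbName = Environment.GetEnvironmentVariable("TEST_DB_NAME")
    ?? throw new InvalidOperationException("TEST_DB_NAME environment variable is not set.");
// … unchanged: serverName assignment and switch (menuSelect) …
```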
diff --git a/LabBillingService/App.config b/LabBillingService/App.config
index 451dcb96..62fb3117 100644
--- a/LabBillingService/App.config
+++ b/LabBillingService/App.config
@@ -103,23 +103,23 @@
- WTHMCLBILL
+ ${DB_SERVER}
- LabBillingProd
+ ${DB_NAME}
- NLog
+ ${LOG_DB_NAME}
- interface
+ ${DB_USERNAME}
- 0ac%%$ff0100a
+ ${DB_PASSWORD}
diff --git a/LabBillingService/NLog.config b/LabBillingService/NLog.config
index a0675a04..9cb190ee 100644
--- a/LabBillingService/NLog.config
+++ b/LabBillingService/NLog.config
@@ -22,7 +22,7 @@
/>
diff --git a/LabBillingService/Properties/Settings.Designer.cs b/LabBillingService/Properties/Settings.Designer.cs
index eff0bdf5..ca7d1cef 100644
--- a/LabBillingService/Properties/Settings.Designer.cs
+++ b/LabBillingService/Properties/Settings.Designer.cs
@@ -25,7 +25,7 @@ public static Settings Default {
[global::System.Configuration.ApplicationScopedSettingAttribute()]
[global::System.Diagnostics.DebuggerNonUserCodeAttribute()]
- [global::System.Configuration.DefaultSettingValueAttribute("WTHMCLBILL")]
+ [global::System.Configuration.DefaultSettingValueAttribute("${DB_SERVER}")]
public string DbServer {
get {
return ((string)(this["DbServer"]));
@@ -34,7 +34,7 @@ public string DbServer {
[global::System.Configuration.ApplicationScopedSettingAttribute()]
[global::System.Diagnostics.DebuggerNonUserCodeAttribute()]
- [global::System.Configuration.DefaultSettingValueAttribute("LabBillingProd")]
+ [global::System.Configuration.DefaultSettingValueAttribute("${DB_NAME}")]
public string DbName {
get {
return ((string)(this["DbName"]));
@@ -43,7 +43,7 @@ public string DbName {
[global::System.Configuration.ApplicationScopedSettingAttribute()]
[global::System.Diagnostics.DebuggerNonUserCodeAttribute()]
- [global::System.Configuration.DefaultSettingValueAttribute("NLog")]
+ [global::System.Configuration.DefaultSettingValueAttribute("${LOG_DB_NAME}")]
public string LogDbName {
get {
return ((string)(this["LogDbName"]));
@@ -52,7 +52,7 @@ public string LogDbName {
[global::System.Configuration.ApplicationScopedSettingAttribute()]
[global::System.Diagnostics.DebuggerNonUserCodeAttribute()]
- [global::System.Configuration.DefaultSettingValueAttribute("interface")]
+ [global::System.Configuration.DefaultSettingValueAttribute("${DB_USERNAME}")]
public string Username {
get {
return ((string)(this["Username"]));
@@ -61,7 +61,7 @@ public string Username {
[global::System.Configuration.UserScopedSettingAttribute()]
[global::System.Diagnostics.DebuggerNonUserCodeAttribute()]
- [global::System.Configuration.DefaultSettingValueAttribute("0ac%%$ff0100a")]
+ [global::System.Configuration.DefaultSettingValueAttribute("${DB_PASSWORD}")]
public string Password {
get {
return ((string)(this["Password"]));
diff --git a/LabBillingService/Properties/Settings.settings b/LabBillingService/Properties/Settings.settings
index d367fac8..7bc0c652 100644
--- a/LabBillingService/Properties/Settings.settings
+++ b/LabBillingService/Properties/Settings.settings
@@ -3,19 +3,19 @@
- WTHMCLBILL
+ ${DB_SERVER}
- LabBillingProd
+ ${DB_NAME}
- NLog
+ ${LOG_DB_NAME}
- interface
+ ${DB_USERNAME}
- 0ac%%$ff0100a
+ ${DB_PASSWORD}
\ No newline at end of file
diff --git a/SECURITY_CONFIGURATION_REMEDIATION.md b/SECURITY_CONFIGURATION_REMEDIATION.md
new file mode 100644
index 00000000..366e2bf7
--- /dev/null
+++ b/SECURITY_CONFIGURATION_REMEDIATION.md
@@ -0,0 +1,101 @@
+# Security Configuration Remediation Documentation
+
+## Overview
+This document describes the security remediation performed to remove hardcoded credentials, server names, and database names from configuration files in the Lab Patient Accounting system.
+
+## Changes Made
+
+### Hardcoded Credentials Removed
+- **Password**: `0ac%%$ff0100a` replaced with `${DB_PASSWORD}`
+- **Username**: `interface` replaced with `${DB_USERNAME}`
+- **Server Name**: `WTHMCLBILL` replaced with appropriate environment variable placeholders
+- **Database Names**: Hardcoded database names replaced with environment variable placeholders
+
+### Files Modified
+
+#### Configuration Files (.config)
+- `LabBillingService/App.config`
+- `Lab Patient Accounting Job Scheduler/App.config`
+- `Lab PA WinForms UI/App.config`
+
+#### Settings Files (.settings)
+- `LabBillingService/Properties/Settings.settings`
+- `Lab Patient Accounting Job Scheduler/Settings.settings`
+- `Lab PA WinForms UI/Properties/Settings.settings`
+
+#### Generated Designer Files (.Designer.cs)
+- `LabBillingService/Properties/Settings.Designer.cs`
+- `Lab Patient Accounting Job Scheduler/Settings.Designer.cs`
+- `Lab PA WinForms UI/Properties/Settings.Designer.cs`
+
+#### NLog Configuration Files
+- `Lab Patient Accounting Job Scheduler/NLog.config`
+- `LabBillingService/NLog.config`
+- `Lab PA WinForms UI/NLog.config`
+- `LabBillingConsole/NLog.config`
+
+#### Application Code Files
+- `LabBillingConsole/Program.cs`
+- `Lab PA WinForms UI/Legacy Forms/AuditReportsForm.Designer.cs`
+
+## Required Environment Variables
+
+The following environment variables must be configured in the deployment environment:
+
+### Database Configuration
+- `DB_SERVER` - Database server hostname/IP (replaces `WTHMCLBILL`)
+- `DB_NAME` - Primary database name (replaces `LabBillingProd`)
+- `DB_USERNAME` - Database username (replaces `interface`)
+- `DB_PASSWORD` - Database password (replaces hardcoded password)
+- `LOG_DB_NAME` - Logging database name (replaces `NLog`)
+
+### Environment-Specific Database Configuration
+- `PROD_DB_SERVER` - Production database server
+- `PROD_DB_NAME` - Production database name
+- `PROD_LOG_DB_NAME` - Production logging database name
+- `TEST_DB_SERVER` - Test database server
+- `TEST_DB_NAME` - Test database name (replaces `LabBillingTest`)
+- `TEST_LOG_DB_NAME` - Test logging database name
+
+### Additional Configuration
+- `ALTERNATE_SERVER` - Alternate server name (replaces `MCLLIVE`)
+
+## Security Improvements
+
+1. **Eliminated Hardcoded Credentials**: All passwords and usernames have been removed from configuration files
+2. **Removed Server Name Exposure**: Database server names are no longer hardcoded in configuration
+3. **Environment-Based Configuration**: Applications now use environment variables for sensitive configuration
+4. **Logging Security**: NLog database connections no longer contain hardcoded credentials
+
+## Deployment Instructions
+
+### For Production Deployment:
+1. Set all required environment variables in the deployment environment
+2. Configure secure credential storage (Azure Key Vault, Windows Credential Manager, etc.)
+3. Update configuration transformation files for different environments
+4. Implement secure connection strings with encryption enabled
+
+### For Development:
+1. Create a `.env` file or set environment variables locally
+2. Use development-specific values for server names and database names
+3. Never commit actual credentials to version control
+
+## Recommended Next Steps
+
+1. **Enable Database Encryption**: Set `Encrypt=true` in connection strings
+2. **Enable Certificate Validation**: Remove `TrustServerCertificate=true`
+3. **Implement Centralized Configuration Management**: Consider Azure App Configuration or similar
+4. **Add Configuration Validation**: Implement startup checks for required environment variables
+5. **Implement Secrets Rotation**: Set up automated credential rotation
+6. **Security Scanning**: Implement automated security scanning in CI/CD pipeline
+
+## Compliance Notes
+
+These changes address critical security vulnerabilities identified in the security configuration analysis:
+- **HIPAA Compliance**: Removes exposure of database credentials in healthcare system
+- **SOX Compliance**: Eliminates hardcoded credentials in financial data processing system
+- **General Security**: Follows security best practices for credential management
+
+## Support
+
+For questions regarding this security remediation or environment variable configuration, please refer to the deployment documentation or contact the development team.
\ No newline at end of file