"Knowledge has to be improved, challenged, and increased constantly, or it vanishes."

Securing sections in Web.Config

For ASP.Net applications, developers usually store a lot of configuration data in the Web.Config, and some of those settings contain sensitive information such as connection strings, email settings, proxy settings, etc. Storing credentials in Web.Config as plain text is a threat, as it could lead to the information being leaked. Although the web server will not serve web.config files to visitors, there can be users, such as system administrators, backup operators, etc., who have access to your server's file system. Exposing sensitive information to such users is a threat, and you need to protect your configuration data. The solution is to encrypt the sections in Web.Config, and thankfully ASP.Net offers out-of-the-box support for encrypting and decrypting the connection string section placed inside Web.Config.

In this article I am going to demonstrate how to encrypt/decrypt the connection string section in Web.Config; you can follow the same steps to encrypt any other section in web.config. For the purpose of the article, I created an empty ASP.Net web application and added a default.aspx file. The project in Solution Explorer looks as follows.

[image: the project in Solution Explorer]

For the purpose of this article, I created a test database and a table named “test”, and added some sample data to the table. In the web.config I added the connection string. My web.config looks as follows.

[image: web.config with the plain-text connectionStrings section]

I added a grid view to the default.aspx page. The source for aspx and aspx.cs is given below.

Default.aspx

[image: Default.aspx markup with the grid view]

Default.aspx.cs

[image: Default.aspx.cs code-behind that binds the grid view]

When I ran the page, I got the output below.

[image: default.aspx output showing the rows of the test table]

This looks simple enough; now I am going to encrypt the connection string in the Web.Config. To encrypt the connection string, you need to use the aspnet_regiis tool, which is available under the following location.

%WinDir%\Microsoft.NET\Framework\<versionNumber>

To encrypt the connection string using the aspnet_regiis tool, the following parameters are available:

The -pe switch specifies the configuration section to encrypt.

The -pef switch specifies the configuration section to encrypt and allows you to supply the physical directory path for your configuration file.

The -app switch specifies your Web application's virtual path. If it is a nested application, you need to specify the nested path from the root directory; for example, "/test/aspnet/MachineDPAPI".

The -prov switch specifies the provider name.

For the purpose of this demonstration, I prefer the -pef option, as I can pass the path to a source Web.Config, encrypt that file easily, and then copy it to my application.

Open a command prompt as administrator, then navigate to the .NET Framework path given above. Now run aspnet_regiis.exe, specify connectionStrings as the section, and then specify the physical directory that contains your Web.Config.

aspnet_regiis.exe -pef "connectionStrings" "C:\ConnectionStringEncryption"

Once the command has executed successfully, you will see the succeeded message in Visual Studio.

[image: the succeeded message after running aspnet_regiis]

Now check the connection string in the web.config; you will see it is encrypted. Hurray!

[image: web.config with the encrypted connectionStrings section]

From a developer perspective, you are not required to change anything, as ASP.Net handles the decryption of the connection string. I just ran the application again and received the same output as above. The whole purpose of creating the default.aspx page was to show you how simply ASP.Net handles the encryption and decryption without burdening the developer. When you move the site to production, you can decide which sections of your Web.Config need to be encrypted and do that without changing even a single line of your code.

In this article we have seen how to encrypt the connection string; now what if you need to encrypt other sections? The answer is simple: just specify the path of your section in the aspnet_regiis command. For example, to encrypt the SMTP settings, use the command below.

aspnet_regiis.exe -pef "system.net/mailSettings/smtp" "C:\ConnectionStringEncryption"
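The same operation done from code rather than from the aspnet_regiis command line, covering both the connectionStrings command earlier and the smtp section here: this is an added example, not the article's code, and it assumes a console project referencing System.Configuration.dll, the article's C:\ConnectionStringEncryption folder, and the default RSA provider that aspnet_regiis uses when -prov is omitted.

```csharp
using System.Configuration;
using System.Xml;

// Added example, not the article's code: the programmatic equivalent of
// "aspnet_regiis -pef <section> <dir>" (encrypt) and "-pdf" (decrypt).
// Assumes a console project referencing System.Configuration.dll and the
// article's folder C:\ConnectionStringEncryption holding the Web.Config.
static class ConfigSectionProtector
{
    // Provider aspnet_regiis uses when -prov is omitted. Its key lives in the
    // machine-level RSA container "NetFrameworkConfigurationKey", so the file
    // only decrypts on this machine unless that key is exported/imported
    // (aspnet_regiis -px / -pi) on the target server.
    const string Provider = "RsaProtectedConfigurationProvider";

    static Configuration Open(string webConfigPath)
    {
        // Web.Config is an ordinary .NET config file, so map it by file name.
        var map = new ExeConfigurationFileMap { ExeConfigFilename = webConfigPath };
        return ConfigurationManager.OpenMappedExeConfiguration(map, ConfigurationUserLevel.None);
    }

    // sectionPath takes the same form aspnet_regiis does, e.g. "connectionStrings"
    // or "system.net/mailSettings/smtp". Returns false when the section is
    // missing or already in the requested state.
    public static bool SetProtection(string webConfigPath, string sectionPath, bool encrypt)
    {
        var config = Open(webConfigPath);
        var section = config.GetSection(sectionPath);
        if (section == null || section.SectionInformation.IsProtected == encrypt)
            return false;
        if (encrypt) section.SectionInformation.ProtectSection(Provider);
        else section.SectionInformation.UnprotectSection();
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }

    // Independent check on the file itself: a protected section carries a
    // configProtectionProvider attribute and an <EncryptedData> child (in the
    // XML Encryption namespace, hence local-name()), never the plain text.
    public static bool IsEncryptedOnDisk(string webConfigPath, string sectionPath)
    {
        var doc = new XmlDocument();
        doc.Load(webConfigPath);
        var node = doc.SelectSingleNode("/configuration/" + sectionPath);
        return node != null
            && node.Attributes["configProtectionProvider"] != null
            && node.SelectSingleNode("*[local-name()='EncryptedData']") != null;
    }
}
```

Call SetProtection(path, "connectionStrings", true) and then IsEncryptedOnDisk on the same path to confirm the plain text is gone from the file. The application pool identity must be able to read the key container (aspnet_regiis -pa), and any code running under that identity decrypts the section transparently, so this protects against readers of the file who lack that access, not against the application itself.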

Summary

ASP.Net makes it easy to protect your configuration data without adding any hassle for the developer. As a developer you should not have to worry about the encryption/decryption of your settings, as ASP.Net will take care of this.

Further reading:

http://msdn.microsoft.com/en-us/library/zhhddkxy%28v=vs.100%29.aspx

14 Comments

  • Good read...

  • While encrypted, is it safe to edit other sections in the web.config file?

  • The other sections that are not encrypted are not safe, so if other sections contain confidential data, it is better to encrypt those sections too.

  • Hello,

    I want to ask:

    where is the encryption key location (key store) after executing aspnet_regiis from cmd?

    Thanks


  • Great article! Encrypting sensitive sections in Web.Config is crucial for securing credentials and other confidential data. While ASP.Net provides built-in encryption methods, it's also important to ensure proper access control to the server itself. Additionally, developers should consider using environment variables or external secret management tools for even better security. Looking forward to more security-related insights!

  • This article provides a valuable insight into securing sensitive information stored in Web.Config files for ASP.Net applications. It highlights a significant security risk—storing sensitive credentials like connection strings, email settings, and proxy settings in plain text within the Web.Config. While web servers do not render Web.Config files to visitors, system administrators, backup operators, and others with access to the server's file system can potentially view this sensitive data.

    The article correctly identifies the importance of protecting this information and offers a practical solution: encrypting the relevant sections of the Web.Config file. ASP.Net provides built-in support for encrypting and decrypting configuration sections, such as connection strings, to ensure the confidentiality of sensitive data.

    The demonstration on how to encrypt and decrypt the connection string section is particularly useful, as the same methods can be applied to other sections of the Web.Config. This approach is an essential step toward securing your application and preventing unauthorized access to critical configuration details.

    Overall, this is a crucial and practical guide for developers looking to implement enhanced security measures in their ASP.Net applications.

  • This is a crucial topic for ensuring the security of ASP.Net applications! Storing sensitive information like connection strings and email settings in the Web.Config file in plain text can be a significant security risk. It’s great to know that ASP.Net provides built-in support for encrypting these sections, helping to safeguard important configuration data from unauthorized access. Your demonstration on how to encrypt and decrypt connection strings in the Web.Config is very useful, and the same principles can definitely be applied to other sections that require protection. Thanks for sharing these security best practices!
