"Knowledge has to be improved, challenged, and increased constantly, or it vanishes."

Securing sections in Web.Config

For ASP.Net applications, developers usually store a lot of configuration data in Web.Config, and some of those settings contain sensitive information such as connection strings, email settings and proxy settings. Storing credentials in Web.Config as plain text is a risk, because the information can leak. Although the web server will not serve web.config files to visitors, there are users such as system administrators and backup operators who have access to your server's file system. Exposing sensitive information to such users is a threat, and you need to protect your configuration data. The solution is to encrypt the sections in Web.Config, and thankfully ASP.Net offers out-of-the-box support for encrypting and decrypting the connection string section placed inside Web.Config.

In this article I am going to demonstrate how to encrypt and decrypt the connection string section in Web.Config; you can follow the same approach to encrypt any other section in web.config. For the purpose of the article, I created an empty ASP.Net web application and added a default.aspx file. The project in Solution Explorer looks as follows.

image

For the purpose of this article, I created a test database with a table named "test" and added some sample data to the table. In the web.config I added the connection string. My web.config looks as follows.

image

I added a grid view to the default.aspx page. The source for aspx and aspx.cs is given below.

Default.aspx

image

Default.aspx.cs

image

When I ran the page, I got the output below.

image

This looks simple enough; now I am going to encrypt the connection string in the Web.Config. To encrypt it, you need to use the aspnet_regiis tool, which is available at the following location.

%WinDir%\Microsoft.NET\Framework\<versionNumber>

To encrypt the connection string with the aspnet_regiis tool, the following parameters are available:

The -pe switch specifies the configuration section to encrypt.

The -pef switch specifies the configuration section to encrypt and allows you to supply the physical directory path for your configuration file.

The -app switch specifies your Web application's virtual path. If it is a nested application, you need to specify the nested path from the root directory; for example, "/test/aspnet/MachineDPAPI".

The -prov switch specifies the provider name.

For this demonstration I prefer the -pef option, as I can pass a source Web.Config, encrypt it, and then copy it to my application.

Open a command prompt as administrator and navigate to the path where ASP.Net is installed. Now run aspnet_regiis.exe, specify connectionStrings as the section, and then specify the path to the directory that contains your Web.Config.

aspnet_regiis.exe -pef "connectionStrings" "C:\ConnectionStringEncryption"

Once the command has executed successfully, you will see the succeeded message in Visual Studio.

image

Now check the connection string in the web.config: you will see it is encrypted. Hurray!

image

From a developer's perspective you are not required to change anything, as ASP.Net handles the decryption of the connection string. I just ran the application again and received the same output as above. The whole purpose of creating the default.aspx page was to show you how simply ASP.Net handles the encryption and decryption without burdening the developer. When you move the site to production, you can decide which sections of your Web.Config need to be encrypted, and do that without changing even a single line of your code.

In this article we have seen how to encrypt the connection string section. If you need to encrypt other sections, the answer is simple: just specify the path of the section in the aspnet_regiis command. For example, to encrypt the SMTP settings, use the command below.

aspnet_regiis.exe -pef "system.net/mailSettings/smtp" "C:\ConnectionStringEncryption"
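The following PowerShell script is an added example and not code from the original article. It wraps the aspnet_regiis procedure described above, verifies from the resulting XML that the plaintext is actually gone, and then audits the other sections that commonly hold secrets (connection strings, appSettings, SMTP credentials, identity impersonation, session state) and encrypts any that are still in plaintext. It assumes a 64-bit .NET Framework 4.x install under Framework64\v4.0.30319, the C:\ConnectionStringEncryption folder used in the article (the file inside it must be named Web.config, as -pef takes a directory), and an elevated prompt; the list of sensitive sections and the function names are my own choices.

```powershell
# Added example (not from the original article). Encrypts Web.config sections with
# aspnet_regiis, checks the result, and audits other secret-bearing sections.
# Assumptions: 64-bit .NET Framework 4.x, elevated prompt, article's folder layout.

$regiis    = Join-Path $env:WinDir 'Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe'
$configDir = 'C:\ConnectionStringEncryption'   # must contain a file named Web.config
$config    = Join-Path $configDir 'Web.config'

# Sections that routinely carry credentials (my list, not the article's).
# Each entry is an XPath relative to <configuration>.
$sensitiveSections = @(
    'connectionStrings',
    'appSettings',
    'system.net/mailSettings/smtp',
    'system.web/identity',
    'system.web/sessionState'
)

function Test-ProtectedSection {
    # Returns $true when a protected-configuration provider has encrypted the section:
    # the element carries configProtectionProvider and its only child is <EncryptedData>.
    # Returns $null when the section is not present in this Web.config at all.
    param([string]$Path, [string]$SectionPath)
    [xml]$xml = Get-Content -Path $Path -Raw
    $node = $xml.configuration.SelectSingleNode($SectionPath)
    if ($null -eq $node) { return $null }
    return ($node.HasAttribute('configProtectionProvider') -and
            ($null -ne $node.FirstChild) -and
            ($node.FirstChild.LocalName -eq 'EncryptedData'))
}

function Protect-ConfigSection {
    # Runs aspnet_regiis -pef exactly as in the article, with the provider made explicit.
    # RsaProtectedConfigurationProvider is also what you get when -prov is omitted.
    param([string]$SectionPath, [string]$Directory,
          [string]$Provider = 'RsaProtectedConfigurationProvider')
    & $regiis -pef $SectionPath $Directory -prov $Provider
    if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis -pef '$SectionPath' failed (exit $LASTEXITCODE)" }
}

function Unprotect-ConfigSection {
    # The reverse operation (-pdf) for when the section has to be edited again.
    param([string]$SectionPath, [string]$Directory)
    & $regiis -pdf $SectionPath $Directory
    if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis -pdf '$SectionPath' failed (exit $LASTEXITCODE)" }
}

# 1. Encrypt connectionStrings and prove the plaintext is gone before going further.
Protect-ConfigSection -SectionPath 'connectionStrings' -Directory $configDir
if (-not (Test-ProtectedSection -Path $config -SectionPath 'connectionStrings')) {
    throw 'connectionStrings is still in plaintext'
}

# 2. Audit the remaining sections and encrypt any that exist but are unprotected.
foreach ($section in $sensitiveSections) {
    $state = Test-ProtectedSection -Path $config -SectionPath $section
    if ($null -eq $state) {
        Write-Output "[skip]      $section (not present)"
    } elseif ($state) {
        Write-Output "[protected] $section"
    } else {
        Write-Output "[plaintext] $section -> encrypting"
        Protect-ConfigSection -SectionPath $section -Directory $configDir
    }
}
```

Two caveats a practitioner will hit with the "encrypt here, copy to the application" workflow. With the default RsaProtectedConfigurationProvider the key lives in the machine-level RSA key container NetFrameworkConfigurationKey, not in Web.config, so a file encrypted on one machine can only be decrypted on another if that container is exported with `aspnet_regiis -px` and imported there with `aspnet_regiis -pi`; a section encrypted with DataProtectionConfigurationProvider (DPAPI) cannot be moved between machines at all. Second, the application pool identity must be able to read the container, which is granted with `aspnet_regiis -pa "NetFrameworkConfigurationKey" "IIS APPPOOL\<your pool>"`; without it the site fails at startup with a configuration error rather than silently falling back to plaintext.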

Summary

ASP.Net makes it easy to protect your configuration data without adding any hassle for the developer. As a developer you need not worry about the encryption and decryption of your settings, as ASP.Net takes care of it.

Further reading:

http://msdn.microsoft.com/en-us/library/zhhddkxy%28v=vs.100%29.aspx

11 Comments

  • Good read...

  • While encrypted, is it safe to edit other sections in the web.config file?

  • The other sections that are not encrypted are not safe, so if other sections contain confidential data, it is better to encrypt those sections too.

  • hello

    i want to ask

    where is the key encryption location (local store) after executing aspnet_regiis with cmd?

    thanks
