Securing sections in Web.Config

Monday, July 14, 2014

For ASP.Net applications, developers usually store lots of configuration data in the Web.Config, some of such settings can contain secured information such as connection strings, email settings, proxy settings etc. Storing credential information in Web.Config as plain text is a threat as this could lead to leak the information. Though the web server will not render web.config files to the visitors, you need to see there could be users, such as system administrators, back up operators, etc who have access to your server’s file system. Exposing secured information for such users is a threat and you need to protect your configuration data. The solution is to encrypt the sections in Web.Config and thankfully ASP.Net offers out of the box support for encrypting and decrypting the connection string placed inside Web.Config.

In this article I am going to demonstrate, how to encrypt/decrypt the connection string section in Web.Config, you can follow the same concepts to encrypt any other section in web.config. For the purpose of the article, I created an ASP.Net empty web application and added a default.aspx file. The project in solution explorer looks as follows.

For the purpose of this article, I created a test database and a table named “test”, and added some sample data to the table. In the web.config I added the connection string. My web.config looks as follows.

I added a grid view to the default.aspx page. The source for aspx and aspx.cs is given below.

Default.aspx

Default.aspx.cs

When I rab the page, I got the below output.

This looks so simple, now I am going to encrypt the connection string, in the Web.Config. In order to encrypt the connection string, you need to use the aspnet_regiis tool, which is available under the following location.

%WinDir%\Microsoft.NET\Framework\<versionNumber>

For encrypting the connection string using aspnet_regiis tool, the following parameters are avaialble with the aspnet_regiis

The -pe switch specifies the configuration section to encrypt.
The -pef switch specifies the configuration section to encrypt and allows you to supply the physical directory path for your configuration file.
The -app switch specifies your Web application's virtual path. If it is a nested application, you need to specify the nested path from the root directory; for example, "/test/aspnet/MachineDPAPI".
The -prov switch specifies the provider name.

For the purpose of this demonstration, I prefer to use –pef option as I can pass a source Web.Config, so I can easily encrypt the web.config, then copy it to my application.

Open command prompt as administrator, then navigate to the path where you installed asp.net. Now enter the aspnet_regiis.exe, mention connectionStrings as the section and then specify the path to your Web.Config.

aspnet_regiis.exe -pef "connectionStrings" "C:\ConnectionStringEncryption"

Once the command is executed successfully, you will see the succeeded message in the Visual Studio.

Now check the connection string in the web.config, you will see it is encrypted, Hurray!

From a developer perspective, you are not required to change anything as ASP.Net will handle the decryption of the connection string. I just ran the application again and received the same output as above. The whole purpose of creating the default.aspx page was to show you how simply ASP.Net handles the encryption and decryption without worrying the developer. When you move the site to production, you can decide what sections of your Web.Config needs to be encrypted, and do that with out changing even single line in your code.

In this article we have seen how to encrypt connection string, now what if you need to encrypt other sections, the answer is simple, just specify the path of your settings in the Aspnet_regiis command. For e.g. to encrypt the smtp settings, just use the below.

aspnet_regiis.exe -pef "system.net/emailSettings/smtp" "C:\ConnectionStringEncryption"

Summary

ASP.Net makes it easy to protect your configuration data easily without adding any hassles to the developer. As a developer you should not worry about the encryption/decryption of your settings as ASP.Net will take care of this.

Further reading:

http://msdn.microsoft.com/en-us/library/zhhddkxy%28v=vs.100%29.aspx

11 Comments

Good read...

Al Sayyar - Tuesday, July 15, 2014 7:13:11 AM

While encryped is it safe to edit other sections in the web.config file?

בניית אתרים - Tuesday, November 11, 2014 8:11:25 AM

the other sections that are not encrypted is not safe, so if other sections contains confidential data, it is better to encrypt those sections too.

sreejukg - Wednesday, November 12, 2014 8:42:21 AM

hello

i want to ask

where is key encryption location (locationl store) after execute aspnet_regiis with cmd?

thanks

noph_ - Thursday, November 12, 2015 12:06:10 PM

nhà băng hay một vài nơi có lực số lượng bảo vệ người tiêu dùng cũng có thể vô để sử dụng tính năng rút kinh phí không có

Thuốc tăng cường sinh lý nam - Sunday, January 22, 2017 9:57:14 AM

ví da cá sấu may viền: Đây là loại that lung ca sau kiểu Hàn Quốc, loại that lung ca sau sau khi ép keo, sơn viền sẽ được đưa lên máy may viền bằng chỉ dù, that lung ca sau may viền sẽ ít bị bung keo hơn.

vi da ca sau - Friday, March 3, 2017 10:49:20 PM

Máy photocopy ricoh một trong những dòng sản phẩm có chất lượng vượt trội bền bỉ với thời gian. Được thành lập từ những năm đầu của ngành công nghiệp, máy photocopy Ricoh luôn mang đến trải nghiệm người dùng một cách tốt nhất

hai minh co - Monday, March 6, 2017 2:17:46 AM

Theo chiêm nghiệm của giới chơi lô đề chuyên nghiệp, đánh nhau là số 03 – 07 – 59.

mơ đánh nhau - Friday, September 22, 2017 10:58:10 AM

The unique set of 220-1101 dumps is the easiest and the most rewarding content, you ever found on any web page. Your success is guaranteed! The questions and answers format of our dumps is rich with information and provides you also CompTIA A+ Certification Exam: Core 1 latest lab help, enhancing your exam skills. The content is approved by the most distinguished professionals and revised and updated by our experts on regular basis. With these brilliant features it is rated as the most worthwhile, informative and highly exam relevant. In all respects, you will find the 220-1101 dumps compatible to your actual preparatory needs. The language is simple and the content is engaging and easy. No more, 220-1101 exam is a nightmare.

CompTIA 220-1101 Dumps Questions - Monday, February 19, 2024 10:10:37 AM

Integration architecture is the backbone of modern technological infrastructure, enabling seamless communication and interaction between disparate systems. At the heart of this architecture lies the Integration-Architect, a crucial role responsible for designing, implementing, and maintaining integrations within an organization. In this comprehensive guide, we delve deep into the realm of Integration-Architect, answering pertinent questions and shedding light on its significance in today's digital landscape.

Integration-Architect Questions and Answers - Tuesday, March 26, 2024 5:09:58 AM

Ace4Sure offers comprehensive exam preparation materials for various certifications, focusing on high-quality braindumps that cover essential syllabus topics. Their resources are designed to save time and ensure success on the first attempt, featuring practice questions, answers, and a robust testing engine that simulates real exam conditions.
Click Here for Your Success: https://www.ace4sure.com/NSE7_EFW-7-2-questions.html
<a href="https://www.ace4sure.com/NSE7_EFW-7-2-questions.html">https://www.ace4sure.com/NSE7_EFW-7-2-questions.html</a>

williamanderson - Monday, June 10, 2024 10:37:51 AM