
Friday, October 26, 2007

Encrypting web.config sections

In ASP.NET web applications we are used to keeping some confidential data in clear text, without paying attention to how valuable it is to an intruder. One example is the database login credentials kept in the connectionStrings section of the web configuration (web.config) file.

Recently, I was involved in designing a public, secured web application for our customer's site. After the implementation was completed, we left the application with our 'IT Security Specialist' to evaluate its security. One of his findings was that the confidential data should be kept encrypted. So we decided to use the .NET Data Protection API to encrypt the database connection information, i.e. the connectionStrings section of the web.config file. Below are the details of how to encrypt and decrypt that section (here I have used the 'machine store' option, which is a good choice when the web site is hosted in a shared environment).

  • Finish the connectionStrings section configuration in web.config
  • Open a command prompt and change the directory to %WinDir%\Microsoft.NET\Framework\<versionNumber>
    e.g. C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727
  • Execute the following command (AppName: virtual directory name of the
    application in IIS, e.g. myapplication)
    aspnet_regiis -pe "connectionStrings" -app "/AppName" -prov "DataProtectionConfigurationProvider"
  • Open the web.config file and verify that the section is now encrypted
If you need to decrypt the section (for example, to change the database settings), do the following.
  • Open a command prompt and change the directory to %WinDir%\Microsoft.NET\Framework\<versionNumber>
    e.g. C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727
  • Execute the following command (AppName: virtual directory name of the
    application in IIS, e.g. myapplication)
    aspnet_regiis -pd "connectionStrings" -app "/AppName"
  • Open web.config; the section will be back in clear text
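The "verify the encrypted section" step above is easy to skip, and after a decrypt cycle it is easy to forget to re-encrypt. The following Python script is an added example (not from the post or from Microsoft) that audits a web.config: it reports whether connectionStrings carries a configProtectionProvider attribute with an EncryptedData child, and if not, which connection strings still contain a clear-text password. The two web.config samples are constructed; the protected one mirrors the shape aspnet_regiis -pe leaves behind, with the CipherValue replaced by a placeholder.

```python
"""Audit a web.config for unencrypted connection strings.

Added example; the sample configs below are constructed and the
CipherValue is a placeholder, not real DPAPI output.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: web.config BEFORE running aspnet_regiis -pe
PLAIN_CONFIG = """<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <add name="MainDb"
         connectionString="Server=dbhost;Database=app;User Id=appuser;Password=NotSoSecret1;" />
    <add name="ReportDb"
         connectionString="Server=dbhost;Database=reports;Integrated Security=SSPI;" />
  </connectionStrings>
</configuration>
"""

# Constructed sample: the shape aspnet_regiis -pe produces (placeholder ciphertext)
PROTECTED_CONFIG = """<?xml version="1.0"?>
<configuration>
  <connectionStrings configProtectionProvider="DataProtectionConfigurationProvider">
    <EncryptedData>
      <CipherData>
        <CipherValue>PLACEHOLDER_BASE64_DPAPI_BLOB==</CipherValue>
      </CipherData>
    </EncryptedData>
  </connectionStrings>
</configuration>
"""

# Connection-string keys that carry a secret; matched case-insensitively
SECRET_KEYS = re.compile(r"(?:^|;)\s*(?:password|pwd)\s*=\s*([^;]*)", re.IGNORECASE)


def audit_section(config_xml: str, section_name: str = "connectionStrings") -> dict:
    """Return a verdict for one config section.

    Keys: present (section exists), protected (provider attribute AND
    EncryptedData child both present), provider (attribute value or None),
    leaks (names of <add> entries whose connectionString holds a password).
    """
    root = ET.fromstring(config_xml)
    section = root.find(section_name)
    if section is None:
        return {"present": False, "protected": False, "provider": None, "leaks": []}

    provider = section.get("configProtectionProvider")
    # A provider attribute without EncryptedData means the section was
    # never actually encrypted (or was hand-edited); treat it as unprotected.
    protected = bool(provider) and section.find("EncryptedData") is not None

    leaks = []
    if not protected:
        for add in section.findall("add"):
            if SECRET_KEYS.search(add.get("connectionString", "")):
                leaks.append(add.get("name", "<unnamed>"))

    return {"present": True, "protected": protected, "provider": provider, "leaks": leaks}


def describe(config_xml: str) -> str:
    """One-line human-readable verdict, suitable for a deployment check."""
    v = audit_section(config_xml)
    if not v["present"]:
        return "connectionStrings: section not found"
    if v["protected"]:
        return f"connectionStrings: protected by {v['provider']}"
    if v["leaks"]:
        return "connectionStrings: CLEAR TEXT, password in " + ", ".join(v["leaks"])
    return "connectionStrings: clear text, no password fields found"


if __name__ == "__main__":
    for label, cfg in (("before", PLAIN_CONFIG), ("after", PROTECTED_CONFIG)):
        print(f"{label}: {describe(cfg)}")
```

Run it against a real file with `audit_section(open("web.config").read())` after the decrypt/re-encrypt cycle; a non-empty `leaks` list is the condition to fail a deployment on. Note that the DataProtectionConfigurationProvider used in the post is tied to the machine's DPAPI key (machine store), so the encrypted web.config only decrypts on the server that encrypted it; the check above verifies that encryption happened, not that the blob is valid on the current host.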
More information about the Data Protection API can be found here.