path to aspnet_regiis

Discussion in 'ASP .Net Security' started by David Thielen, Dec 10, 2006.

  1. Hi;

    In our installer (we use WIX so the code has to be C++, not C#) we need to
    call aspnet_regiis to encrypt the connection strings in web.config. I have
    three questions about this:

    1) What registry entry can we use to determine the location of
    aspnet_regiis? As not everyone installs to C:, we can't assume the location.

    2) It strikes me that writing the unencrypted connection string to
    web.config and then running aspnet_regiis leaves a security hole - what if
    aspnet_regiis fails? Then it's sitting there in clear text. Is there a way to
    write the connection string out already encrypted?

    3) When we encrypt we need to pass the name of the ASP.NET user. I have
    another post on this but figure it can't hurt to ask here too. How do we get
    that from the system? I don't want to ask the user because if they put in the
    wrong username, nothing works. And some will do that.

    --
    thanks - dave
    david_at_windward_dot_net
    http://www.windwardreports.com

    Cubicle Wars - http://www.windwardreports.com/film.htm
     
    David Thielen, Dec 10, 2006
    #1

  2. There is also an API to encrypt configuration settings. Look at WebConfigurationManager
    in System.Web.Configuration.

    The SectionInformation class has a Protect and Unprotect method.


    -----
    Dominick Baier (http://www.leastprivilege.com)

     
    Dominick Baier, Dec 10, 2006
    #2
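For question 2 in the opening post (a failed aspnet_regiis run leaving the connection string in clear text), an installer can re-read web.config after the step and treat anything but an encrypted section as a failure. This is an added example, not code from any poster; the function names and both web.config samples are constructed for illustration.

```cpp
// Added example (not from the thread): text scan of web.config, not an XML parser.
#include <cctype>
#include <iostream>
#include <string>

enum class SectionState { Missing, Protected, Unprotected };

// True if `name` occurs in `text` followed by '=' (whitespace allowed), so the
// element name "connectionStrings" is not mistaken for the attribute.
static bool has_attribute(const std::string& text, const std::string& name) {
    for (std::size_t pos = text.find(name); pos != std::string::npos;
         pos = text.find(name, pos + 1)) {
        std::size_t i = pos + name.size();
        while (i < text.size() && std::isspace(static_cast<unsigned char>(text[i]))) ++i;
        if (i < text.size() && text[i] == '=') return true;
    }
    return false;
}

// Fail closed: a section that is not provably encrypted counts as Unprotected.
SectionState classify_connection_strings(const std::string& xml) {
    const std::size_t start = xml.find("<connectionStrings");
    if (start == std::string::npos) return SectionState::Missing;
    const std::size_t tagEnd = xml.find('>', start);
    if (tagEnd == std::string::npos) return SectionState::Unprotected;  // truncated file
    const std::string tag = xml.substr(start, tagEnd - start + 1);
    const std::size_t close = xml.find("</connectionStrings>", tagEnd);
    const std::string body = close == std::string::npos
        ? std::string() : xml.substr(tagEnd + 1, close - tagEnd - 1);
    const bool marked = has_attribute(tag, "configProtectionProvider");
    const bool encrypted = body.find("<EncryptedData") != std::string::npos &&
                           body.find("<CipherValue>") != std::string::npos;
    const bool leaked = has_attribute(body, "connectionString");
    return (marked && encrypted && !leaked) ? SectionState::Protected
                                            : SectionState::Unprotected;
}

// Constructed samples: the section as first written, and after a successful run.
const std::string kPlain = R"(<configuration><connectionStrings>
  <add name="Main" connectionString="Server=db;User Id=app;Password=CONSTRUCTED" />
</connectionStrings></configuration>)";
const std::string kEncrypted = R"(<configuration>
<connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
  <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                 xmlns="http://www.w3.org/2001/04/xmlenc#">
    <CipherData><CipherValue>CONSTRUCTED</CipherValue></CipherData>
  </EncryptedData>
</connectionStrings></configuration>)";

int main() {
    std::cout << "plain sample unprotected: " << (classify_connection_strings(kPlain) == SectionState::Unprotected) << "\n";
    std::cout << "encrypted sample protected: " << (classify_connection_strings(kEncrypted) == SectionState::Protected) << "\n";
}
```

If the result after the aspnet_regiis step is not `Protected`, the install action should fail so the file can be rolled back rather than left in clear text.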

  3. Hi Dave,

    You can use GetCORSystemDirectory:

    #GetCORSystemDirectory Function
    http://msdn2.microsoft.com/en-us/library/k0588yw5.aspx
    Returns the installation directory of the common language runtime (CLR)
    that is loaded into the process. The installation directory is fully
    qualified, for example, "c:\windows\microsoft.net\framework\v1.0.3705".


    Regarding your 3rd question, could you please tell me which is the other
    related post? Thanks.

    Sincerely,
    Walter Wang (, remove 'online.')
    Microsoft Online Community Support

    ==================================================
    Get notification to my posts through email? Please refer to
    http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.
    If you are using Outlook Express, please make sure you clear the
    check box "Tools/Options/Read: Get 300 headers at a time" to see your reply
    promptly.

    Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
    where an initial response from the community or a Microsoft Support
    Engineer within 1 business day is acceptable. Please note that each follow
    up response may take approximately 2 business days as the support
    professional working with you may need further investigation to reach the
    most efficient resolution. The offering is not appropriate for situations
    that require urgent, real-time or phone-based interactions or complex
    project analysis and dump analysis issues. Issues of this nature are best
    handled working with a dedicated Microsoft Support Engineer by contacting
    Microsoft Customer Support Services (CSS) at
    http://msdn.microsoft.com/subscriptions/support/default.aspx.
    ==================================================

    This posting is provided "AS IS" with no warranties, and confers no rights.
     
    Walter Wang [MSFT], Dec 11, 2006
    #3
  4. Sure - it's posted at
    http://msdn.microsoft.com/newsgroup...d5d0&catlist=&dglist=&ptlist=&exp=&sloc=en-us

    --
    thanks - dave
    david_at_windward_dot_net
    http://www.windwardreports.com

    Cubicle Wars - http://www.windwardreports.com/film.htm
     
    David Thielen, Dec 11, 2006
    #4
  5. Dave,

    The URL is used to return the search list; I think you need to use the copy
    icon (at the right side of the print icon) to get the real URL of the post.
    (Also, here's an additional tip: when you've got the URL, appending another
    query string "&p=1" to the URL will show the post thread in a flat style.)

    Anyway, I guess you're referring to this post:

    #How do I tell who my ASP.NET app is running as? in
    dotnet.framework.aspnet.security
    http://msdn.microsoft.com/newsgroups/managed/default.aspx?dg=microsoft.public.dotnet.framework.aspnet.security&tid=53b910d7-1801-4ac1-8759-f2c2d3864bf3&cat=en-us-msdnman-dotnet-frmwrk&lang=en&cr=US&sloc=en-us&m=1&p=1

    I'm afraid there's really no better way other than querying the IIS metabase.



    Regards,
    Walter Wang (, remove 'online.')
    Microsoft Online Community Support

    ==================================================
    When responding to posts, please "Reply to Group" via your newsreader so
    that others may learn and benefit from your issue.
    ==================================================

    This posting is provided "AS IS" with no warranties, and confers no rights.
     
    Walter Wang [MSFT], Dec 11, 2006
    #5
  6. Hi Dave,

    The GetCORSystemDirectory function is not a managed function, it's in
    mscoree.dll; you could call it from C++ code.

    There's no registry key to tell you which path the .NET 2.0 framework is
    installed to, but you can use the following registry key to detect if .NET 2.0
    framework is installed:

    =========

    #.NET Framework 2.0 Redistributable Package Reference (.NET Framework
    Deployment)
    http://msdn.microsoft.com/library/en-us/dnnetdep/html/ndp2_refer.asp?frame=true
    Detecting Installed .NET Framework 2.0
    The Setup.exe bootstrapper should use the following registry key to detect
    the .NET Framework version 2.0.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v2.0.50727
    It then verifies the existence of the entry value:

    Install (DWORD value = 1)

    ==========


    Actually you could just hardcode the path to
    %windir%\Microsoft.NET\Framework\V2.0.50727; it's pretty safe, even for
    current 3.0 version:

    #Deploying Microsoft .NET Framework Version 3.0 ("Longhorn" Technical
    Articles)
    http://msdn.microsoft.com/library/en-us/dnlong/html/netfx30.asp?frame=true


    Regards,
    Walter Wang (, remove 'online.')
    Microsoft Online Community Support

     
    Walter Wang [MSFT], Dec 14, 2006
    #6
  7. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ASP.NET\ has keys for all the
    frameworks installed on the computer.

    For each framework key there's an entry called Path.

    I don't have 2.0 installed on my machine (I use 1.1.4322) but for 1.1, the
    full key path would be:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ASP.NET\1.1.4322.0\

    My "Path" entry has the value:
    C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322

    aspnet_regiis.exe is in that folder.

    It has to be the same way for 2.0

    hope it helps

    Armando Canez
    --
    Not an MCSDE, MVP, MCDE, MSFT or WTF
    Not a single certification, besides my degree.
    I'm just an engineer with more than 14 years spent in design and
    programming.
    .... FYI




    "David Thielen" <> wrote in message
    news:...
    > Hi;
    >
    > Is there a registry entry that returns the .NET 2.0 installation
    > directory?
    > We need to call aspnet_regiis from our setup program. We've decided to not
    > write a .NET part to the installer - it's a pain to call it.
    >
    > --
    > thanks - dave
    > david_at_windward_dot_net
    > http://www.windwardreports.com
    >
    > Cubicle Wars - http://www.windwardreports.com/film.htm
     
    Armando Canez, Dec 15, 2006
    #7
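An added example (not code from any poster) of the registry lookup described in post #7, in C++ as the installer requires: it reads the `Path` value, checks it before use, and returns the full path to aspnet_regiis.exe. The 2.0 key name `2.0.50727.0` is an assumption that follows the `1.1.4322.0` pattern quoted above, and `build_regiis_path` and `locate_aspnet_regiis` are illustrative names; the Windows-only part sits inside `#ifdef _WIN32`.

```cpp
// Added example, not from the thread. Assumed key name: "2.0.50727.0".
#include <iostream>
#include <string>
#ifdef _WIN32
#include <windows.h>
#endif

// Lower-case copy for case-insensitive path comparison (ASCII letters only).
static std::wstring lower(std::wstring s) {
    for (wchar_t& c : s)
        if (c >= L'A' && c <= L'Z') c = static_cast<wchar_t>(c - L'A' + L'a');
    return s;
}

// Turn the registry "Path" value into a full path to aspnet_regiis.exe.
// Returns "" unless the directory lies under <winDir>\Microsoft.NET\ and
// contains no ".." sequence, so the installer never launches a stray binary.
std::wstring build_regiis_path(std::wstring regPath, std::wstring winDir) {
    while (!regPath.empty() && regPath.back() == L'\\') regPath.pop_back();
    while (!winDir.empty() && winDir.back() == L'\\') winDir.pop_back();
    const std::wstring root = lower(winDir) + L"\\microsoft.net\\";
    const std::wstring p = lower(regPath);
    if (p.compare(0, root.size(), root) != 0) return L"";
    if (p.find(L"..") != std::wstring::npos) return L"";
    return regPath + L"\\aspnet_regiis.exe";
}

#ifdef _WIN32
// Read the ASP.NET "Path" value from HKLM, validate it, confirm the file exists.
std::wstring locate_aspnet_regiis() {  // link with Advapi32.lib
    wchar_t dir[MAX_PATH], win[MAX_PATH];
    DWORD cb = sizeof(dir);
    if (RegGetValueW(HKEY_LOCAL_MACHINE, L"SOFTWARE\\Microsoft\\ASP.NET\\2.0.50727.0",
                     L"Path", RRF_RT_REG_SZ, nullptr, dir, &cb) != ERROR_SUCCESS)
        return L"";
    UINT n = GetWindowsDirectoryW(win, MAX_PATH);
    if (n == 0 || n >= MAX_PATH) return L"";
    std::wstring exe = build_regiis_path(dir, win);
    if (exe.empty() || GetFileAttributesW(exe.c_str()) == INVALID_FILE_ATTRIBUTES)
        return L"";
    return exe;  // pass this absolute path to CreateProcess, never a bare name
}
#endif

int main() {
#ifdef _WIN32
    std::wcout << locate_aspnet_regiis() << L"\n";
#else
    // Constructed sample value, mirroring the 1.1 "Path" entry quoted above.
    std::wcout << build_regiis_path(L"C:\\WINDOWS\\Microsoft.NET\\Framework\\v2.0.50727",
                                    L"C:\\WINDOWS") << L"\n";
#endif
}
```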
  8. Exactly what I wanted - thanks.

    --
    thanks - dave
    david_at_windward_dot_net
    http://www.windwardreports.com

    Cubicle Wars - http://www.windwardreports.com/film.htm
     
    David Thielen, Dec 15, 2006
    #8