Web.config encryption in shared hosting scenario

Discussion in 'ASP .Net Security' started by Jazza, May 18, 2007.

  1. Jazza

    Jazza Guest

    Hi, I am an experienced .Net developer, but new to ASP.Net 2.0.

    I have been using the Personal Web Site Starter Kit and have successfully
    uploaded the site to a shared hosting provider. I am connecting to the SQL
    database via SQL authentication rather than Windows authentication, as I have
    no control over the Windows user accounts. This means the SQL user name and
    password are in clear text in the connection string in web.config.

    Therefore, best practice dictates that I encrypt the web.config file to hide
    the SQL login details. But the only way to encrypt a section of the config
    file is to run aspnet_regiis.exe on the server, to which I have no access.

    What are my options, if any, for protecting my config file? Does anyone know
    of any resources on how to create a custom encryption scheme?

    Regards,

    Jazza
     
    Jazza, May 18, 2007
    #1

  2. Hello Jazza,

    I saw your post because I have a similar problem.

    I just began to search for a solution because the customer does not allow
    access to the web server where my application has to be deployed. I would
    like to encrypt the database connection string located in the web.config.

    Did you find a solution to this problem? Thanks

    Sincerely,
    Adriano

    "Jazza" <> wrote in message news:
    ...
    > Hi, I am an experienced .Net developer, but new to ASP.Net 2.0.
    >
    > I have been using the Personal Web Site Starter Kit and have successfully
    > uploaded the site to a shared hosting provider. I am connecting to the SQL
    > database via SQL authentication rather than Windows authentication, as I
    > have
    > no control over the Windows user accounts. This means the SQL user name
    > and
    > password are in clear text in the connection string in web.config.
    >
    > Therefore, best practice dictates that I encrypt the web.config file to
    > hide
    > the SQL login details. But the only way to encrypt a section of the config
    > file is to run aspnet_regiis.exe on the server, to which I have no access.
    >
    > What are my options, if any, for protecting my config file? Does anyone
    > know
    > of any resources on how to create a custom encryption scheme?
    >
    > Regards,
    >
    > Jazza
     
    Adriano Labate, Jun 13, 2007
    #2

  3. Jazza

    Jazza Guest

    Hi,

    The answer I eventually got was that you can create a custom encryption
    provider based on one of the built-in providers; you encrypt the web.config
    file using the custom scheme. The key used to encrypt the file is then saved
    in a file that resides in a secure part of your web application.

    You can then decrypt the web.config file using the same key.

    I haven't implemented this as I decided that it was not worth the effort
    involved.



    "Adriano Labate" wrote:

    > Hello Jazza,
    >
    > I saw your post because I have a similar problem.
    >
    > I just began to search for a solution because the customer does not allow
    > access to the web server where my application has to be deployed. I would
    > like to encrypt the database connection string located in the web.config.
    >
    > Did you find a solution to this problem? Thanks
    >
    > Sincerely,
    > Adriano
    >
    > "Jazza" <> wrote in message news:
    > ...
    > > Hi, I am an experienced .Net developer, but new to ASP.Net 2.0.
    > >
    > > I have been using the Personal Web Site Starter Kit and have successfully
    > > uploaded the site to a shared hosting provider. I am connecting to the SQL
    > > database via SQL authentication rather than Windows authentication, as I
    > > have
    > > no control over the Windows user accounts. This means the SQL user name
    > > and
    > > password are in clear text in the connection string in web.config.
    > >
    > > Therefore, best practice dictates that I encrypt the web.config file to
    > > hide
    > > the SQL login details. But the only way to encrypt a section of the config
    > > file is to run aspnet_regiis.exe on the server, to which I have no access.
    > >
    > > What are my options, if any, for protecting my config file? Does anyone
    > > know
    > > of any resources on how to create a custom encryption scheme?
    > >
    > > Regards,
    > >
    > > Jazza

    >
    >
    >
     
    Jazza, Jun 13, 2007
    #3
  4. You can do it programmatically.

    Open the config using WebConfigurationManager, get the section using GetSection(),
    and call Protect() on the SectionInformation you get back.


    -----
    Dominick Baier (http://www.leastprivilege.com)

    Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

    > Hello Jazza,
    >
    > I saw your post because I have a similar problem.
    >
    > I just began to search for a solution because the customer does not
    > allow access to the web server where my application has to be
    > deployed. I would like to encrypt the database connection string
    > located in the web.config.
    >
    > Did you find a solution to this problem? Thanks
    >
    > Sincerely,
    > Adriano
    > "Jazza" <> wrote in message
    > news: ...
    >
    >> Hi, I am an experienced .Net developer, but new to ASP.Net 2.0.
    >>
    >> I have been using the Personal Web Site Starter Kit and have
    >> successfully
    >> uploaded the site to a shared hosting provider. I am connecting to
    >> the SQL
    >> database via SQL authentication rather than Windows authentication,
    >> as I
    >> have
    >> no control over the Windows user accounts. This means the SQL user
    >> name
    >> and
    >> password are in clear text in the connection string in web.config.
    >> Therefore, best practice dictates that I encrypt the web.config file
    >> to
    >> hide
    >> the SQL login details. But the only way to encrypt a section of the
    >> config
    >> file is to run aspnet_regiis.exe on the server, to which I have no
    >> access.
    >> What are my options, if any, for protecting my config file? Does
    >> anyone
    >> know
    >> of any resources on how to create a custom encryption scheme?
    >> Regards,
    >>
    >> Jazza
    >>
     
    Dominick Baier, Jun 13, 2007
    #4
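The programmatic approach from the last reply, written out as an added example (not code posted in the thread): it opens the application's web.config from inside the running site and encrypts `<connectionStrings>` with `SectionInformation.ProtectSection`, so no shell access to `aspnet_regiis.exe` is needed. The class name `ConfigProtector` is hypothetical, and the code assumes the host's trust level and file permissions let the application write its own web.config.

```csharp
using System;
using System.Configuration;
using System.Web.Configuration;

// Hypothetical helper; call it once, e.g. from an administrator-only page.
public static class ConfigProtector
{
    // Built-in DPAPI provider: the ciphertext is bound to this server, so the
    // section must be encrypted on the host, not on a development machine.
    private const string Provider = "DataProtectionConfigurationProvider";

    // Encrypts <connectionStrings> in the site's root web.config.
    // Returns true if this call encrypted it, false if it already was.
    public static bool ProtectConnectionStrings()
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration("~");
        ConfigurationSection section = config.GetSection("connectionStrings");
        if (section == null)
            throw new ConfigurationErrorsException("connectionStrings section not found.");

        SectionInformation info = section.SectionInformation;
        if (info.IsProtected)
            return false; // nothing to do; avoids rewriting the file again

        if (info.IsLocked)
            throw new InvalidOperationException("Section is locked by a parent configuration file.");

        info.ProtectSection(Provider);
        info.ForceSave = true;

        // Writing web.config restarts the application domain. This throws if
        // the application identity cannot write to the file.
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }
}
```

Application code keeps reading `ConfigurationManager.ConnectionStrings` unchanged, because ASP.NET decrypts the section transparently at load time. The encryption protects the file at rest (FTP copies, backups, source archives); code running inside the same application can still read the decrypted value.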
