Encrypting Connection String in web.config
How can we en开发者_Go百科crypt the connection string section in web.config file?
To save having to visit external links, in C:\Windows\Microsoft.NET\Framework\v4.0.30319 (for .NET 4 / 4.5)
aspnet_regiis.exe -pe "connectionStrings" -app "/YourWebSiteName" -prov "DataProtectionConfigurationProvider"
To decrypt connectionStrings section using this tool, you can specify following command in aspnet_iisreg.exe tool.
aspnet_regiis.exe -pd "connectionStrings" -app "/YouWebSiteName"
Rahul, converting a string from ASCII to base64 string isn't an encryption, which is what your first link suggests. We can easily convert base64 to ASCII.
Using configsection.protectSection() with an RSA key is a proper encryption that is available for sections of the Web.config file.
Check this link: http://www.beansoftware.com/ASP.NET-Tutorials/Encrypting-Connection-String.aspx
Please note, that we can not encrypt Web.config file in a shared hosting environment where Trust level is set to medium trust.
use aspnet_regiis.exe http://msdn.microsoft.com/en-us/library/zhhddkxy.aspx
http://msdn.microsoft.com/en-us/library/system.configuration.sectioninformation.protectsection.aspx
Run this in Command : aspnet_regiis.exe -pef "connectionStrings" "pathToWebConfig"
or , if you want this to run programatically you can create a Process :
string fileName = @"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe";
if (8 == IntPtr.Size
|| (!string.IsNullOrEmpty(Environment.GetEnvironmentVariable("PROCESSOR_ARCHITEW6432"))))
fileName = @"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe";
string arguments = $"-pef \"connectionStrings\" \"{application.Path}\"";
using (Process process = new Process())
{
process.EnableRaisingEvents = true;
process.StartInfo = new ProcessStartInfo
{
FileName = exeName,
Arguments = arguments,
UseShellExecute = false,
RedirectStandardOutput = true,
RedirectStandardError = true,
CreateNoWindow = true
};
process.Start();
processOutput.Output = process.StandardOutput.ReadToEnd();
bool exited = process.WaitForExit(timeoutMilliseconds);
if (exited)
{
processOutput.ExitCode = process.ExitCode;
}
}
Encryption is useful to give security to the application. Please find the following steps to encrypt web.config.
- Open Command Prompt with Administrator privileges
- At the Command Prompt, enter
- cd C:\Windows\Microsoft.NET\Framework\v4.0.30319
- In case your web Config is located in "D:\Articles\EncryptWebConfig" directory path, then enter the following to encrypt the ConnectionString:
- ASPNET_REGIIS -pef "connectionStrings" "D:\Articles\EncryptWebConfig
I have use some other thing for more security. In my Web.config i have added following code.
<httpProtocol>
<customHeaders>
<add name="x-Frame-Option" value="Deny or SEMEORGIN" />
<remove name="Server" />
<remove name="X-AspNet-Version" />
<remove name="X-AspNetMvc-Version" />
<remove name="X-Powered-By" />
</customHeaders>
</httpProtocol>
I have created a utility in windows forms with source code.
Download file from here (its whole project, you can run it from bin folder): File
- Run the executable file from debug folder (Run As Administrator)
- Browse the config file
- You are done
Note: Check if this folder exists in your computer:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\
Here is a sneak of what file has Check Gist Here
ASPNET_REGIIS, as said by others.
But remember when considering strength and requirements of encoding, RSA is not fool-proof, not even very strong. Breaking it takes minutes.
My case is, I must connect to one of the SQL servers using SQL server authentication, which in turn requires to write the password in plain text in the connection string.
Plain text passwords in files are just wrong. Better RSA encoded. So when someone looks at it and does not really want to break into it, he does not see the password.
However, it is on a server only accessible from within the domain, which limits the possible attackers to less than 100, anyone else would have to break in the domain first, and if that happens connecting to a test environment DB server is the least of the problems. Also, out of those 100 people, only about 5 have the admin privileges, which give the right to cleanly decrypt the file using ASPNET_REGIIS.
You have to trust those anyway. For all the others, the value of data they could get is much less than the work they would have to put in getting it. It is not worth the risk of ceasing to be employees either.
Also, they mostly don't even know about this thing being possible to break into. And now, even if they somehow find out, they don't get a plain text password without any work.
精彩评论