Velocity Reviews

Velocity Reviews (http://www.velocityreviews.com/forums/index.php)
-   ASP .Net Security (http://www.velocityreviews.com/forums/f62-asp-net-security.html)
-   -   Web.config encryption in shared hosting scenario (http://www.velocityreviews.com/forums/t769469-web-config-encryption-in-shared-hosting-scenario.html)

Jazza 05-18-2007 08:31 AM

Web.config encryption in shared hosting scenario
 
Hi, I am an experienced .Net developer, but new to ASP.Net 2.0.

I have been using the Personal Web Site Starter Kit and have successfully
uploaded the site to a shared hosting provider. I am connecting to the SQL
database via SQL authentication rather than Windows authentication, as I have
no control over the Windows user accounts. This means the SQL user name and
password are in clear text in the connection string in web.config.

Therefore, best practice dictates that I encrypt the web.config file to hide
the SQL login details. But the only way to encrypt a section of the config
file is to run aspnet_regiis.exe on the server, to which I have no access.

What are my options, if any, for protecting my config file? Does anyone know
of any resources on how to create a custom encryption scheme?

Regards,

Jazza

Adriano Labate 06-13-2007 12:49 PM

Re: Web.config encryption in shared hosting scenario
 
Hello Jazza,

I saw your post because I have a similar problem.

I just begin to search for a solution because the customer does not allow
access to the web server where my application has to be deployed. I would
like to encrypt the database connection string located in the web.config.

Did you found a solution to this problem? Thanks

Sincerly,
Adriano

"Jazza" <Jazza@discussions.microsoft.com> a écrit dans le message de news:
5D099CD8-E572-41F5-A45B-3FDA3A3A1A3B@microsoft.com...
> Hi, I am an experienced .Net developer, but new to ASP.Net 2.0.
>
> I have been using the Personal Web Site Starter Kit and have successfully
> uploaded the site to a shared hosting provider. I am connecting to the SQL
> database via SQL authentication rather than Windows authentication, as I
> have
> no control over the Windows user accounts. This means the SQL user name
> and
> password are in clear text in the connection string in web.config.
>
> Therefore, best practice dictates that I encrypt the web.config file to
> hide
> the SQL login details. But the only way to encrypt a section of the config
> file is to run aspnet_regiis.exe on the server, to which I have no access.
>
> What are my options, if any, for protecting my config file? Does anyone
> know
> of any resources on how to create a custom encryption scheme?
>
> Regards,
>
> Jazza




Jazza 06-13-2007 02:18 PM

Re: Web.config encryption in shared hosting scenario
 
Hi,

The answer I eventually got was that you can create a custom encryption
provider based on one of the built-in providers; you encryt the web.config
file using the custom scheme. The key used to encrypt the file is then saved
in a file that resides in a secure part of your web application.

You can then decrypt the web.config file using the same key.

I haven't implemented this as I decided that it was not worth the effort
involved.



"Adriano Labate" wrote:

> Hello Jazza,
>
> I saw your post because I have a similar problem.
>
> I just begin to search for a solution because the customer does not allow
> access to the web server where my application has to be deployed. I would
> like to encrypt the database connection string located in the web.config.
>
> Did you found a solution to this problem? Thanks
>
> Sincerly,
> Adriano
>
> "Jazza" <Jazza@discussions.microsoft.com> a écrit dans le message de news:
> 5D099CD8-E572-41F5-A45B-3FDA3A3A1A3B@microsoft.com...
> > Hi, I am an experienced .Net developer, but new to ASP.Net 2.0.
> >
> > I have been using the Personal Web Site Starter Kit and have successfully
> > uploaded the site to a shared hosting provider. I am connecting to the SQL
> > database via SQL authentication rather than Windows authentication, as I
> > have
> > no control over the Windows user accounts. This means the SQL user name
> > and
> > password are in clear text in the connection string in web.config.
> >
> > Therefore, best practice dictates that I encrypt the web.config file to
> > hide
> > the SQL login details. But the only way to encrypt a section of the config
> > file is to run aspnet_regiis.exe on the server, to which I have no access.
> >
> > What are my options, if any, for protecting my config file? Does anyone
> > know
> > of any resources on how to create a custom encryption scheme?
> >
> > Regards,
> >
> > Jazza

>
>
>


Dominick Baier 06-13-2007 02:55 PM

Re: Web.config encryption in shared hosting scenario
 
You can do it programmatically.

Open the config using WebConfigurationManager, get the section using GetSection(),
and call Protect() on the SectionInformation you get back.


-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

> Hello Jazza,
>
> I saw your post because I have a similar problem.
>
> I just begin to search for a solution because the customer does not
> allow access to the web server where my application has to be
> deployed. I would like to encrypt the database connection string
> located in the web.config.
>
> Did you found a solution to this problem? Thanks
>
> Sincerly,
> Adriano
> "Jazza" <Jazza@discussions.microsoft.com> a écrit dans le message de
> news: 5D099CD8-E572-41F5-A45B-3FDA3A3A1A3B@microsoft.com...
>
>> Hi, I am an experienced .Net developer, but new to ASP.Net 2.0.
>>
>> I have been using the Personal Web Site Starter Kit and have
>> successfully
>> uploaded the site to a shared hosting provider. I am connecting to
>> the SQL
>> database via SQL authentication rather than Windows authentication,
>> as I
>> have
>> no control over the Windows user accounts. This means the SQL user
>> name
>> and
>> password are in clear text in the connection string in web.config.
>> Therefore, best practice dictates that I encrypt the web.config file
>> to
>> hide
>> the SQL login details. But the only way to encrypt a section of the
>> config
>> file is to run aspnet_regiis.exe on the server, to which I have no
>> access.
>> What are my options, if any, for protecting my config file? Does
>> anyone
>> know
>> of any resources on how to create a custom encryption scheme?
>> Regards,
>>
>> Jazza
>>





All times are GMT. The time now is 11:16 PM.

Powered by vBulletin®. Copyright ©2000 - 2014, vBulletin Solutions, Inc.
SEO by vBSEO ©2010, Crawlability, Inc.