Web.config encryption in shared hosting scenario

 
 
Jazza, 05-18-2007
Hi, I am an experienced .Net developer, but new to ASP.Net 2.0.

I have been using the Personal Web Site Starter Kit and have successfully
uploaded the site to a shared hosting provider. I am connecting to the SQL
database via SQL authentication rather than Windows authentication, as I have
no control over the Windows user accounts. This means the SQL user name and
password are in clear text in the connection string in web.config.

Therefore, best practice dictates that I encrypt the web.config file to hide
the SQL login details. But the only way to encrypt a section of the config
file is to run aspnet_regiis.exe on the server, to which I have no access.

What are my options, if any, for protecting my config file? Does anyone know
of any resources on how to create a custom encryption scheme?

Regards,

Jazza
 
Adriano Labate, 06-13-2007
Hello Jazza,

I saw your post because I have a similar problem.

I have just begun to search for a solution because the customer does not allow
access to the web server where my application has to be deployed. I would
like to encrypt the database connection string located in the web.config.

Did you find a solution to this problem? Thanks

Sincerely,
Adriano

Jazza, 06-13-2007
Hi,

The answer I eventually got was that you can create a custom encryption
provider based on one of the built-in providers; you encrypt the web.config
file using the custom scheme. The key used to encrypt the file is then saved
in a file that resides in a secure part of your web application.

You can then decrypt the web.config file using the same key.

I haven't implemented this as I decided that it was not worth the effort
involved.

Dominick Baier, 06-13-2007
You can do it programmatically.

Open the config using WebConfigurationManager, get the section using GetSection(),
and call Protect() on the SectionInformation you get back.


-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)
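The programmatic approach described in the answer above, as an added C# example that is not part of the original thread. `ConfigProtector` and `EnsureProtected` are hypothetical names, and in `System.Configuration` the method on `SectionInformation` is called `ProtectSection`. The code has to run on the host itself, because the built-in providers use keys held by that machine.

```csharp
// Added example, not code from the thread. Assumes a startup hook or an
// admin-only page calls ConfigProtector.EnsureProtected("connectionStrings")
// once after the site has been uploaded to the host.
using System;
using System.Configuration;
using System.Diagnostics;
using System.Web.Configuration;

public static class ConfigProtector
{
    // One of the two built-in providers; the other is
    // "RsaProtectedConfigurationProvider".
    private const string Provider = "DataProtectionConfigurationProvider";

    // Returns true if the section is encrypted on exit, false if it could not be.
    public static bool EnsureProtected(string sectionName)
    {
        // "~" opens the web.config at the application root.
        Configuration config = WebConfigurationManager.OpenWebConfiguration("~");
        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null)
            throw new ConfigurationErrorsException("Section not found: " + sectionName);

        SectionInformation info = section.SectionInformation;
        if (info.IsProtected)
            return true;   // already encrypted, nothing to write
        if (info.IsLocked)
            return false;  // locked by a parent config, cannot be changed here

        try
        {
            info.ProtectSection(Provider);
            info.ForceSave = true;  // write the section even if otherwise unchanged
            config.Save(ConfigurationSaveMode.Modified);
            return true;
        }
        catch (Exception ex)
        {
            // Typical causes: the worker identity cannot write web.config,
            // or the host's trust level does not permit the call.
            Trace.TraceWarning("ProtectSection failed: " + ex.Message);
            return false;
        }
    }
}
```

Code that reads `ConfigurationManager.ConnectionStrings` needs no change, since the section is decrypted transparently at read time. Saving web.config restarts the application, so call this once rather than on every request.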
 
 
 