Posted by cavemansblog on July 28, 2009
The web.config file cannot be requested by a user of a web application through a browser; the .NET Framework blocks HTTP requests for it. However, anyone with access to the physical file can read the sensitive information it holds.
This exposure can be addressed with aspnet_regiis, a built-in ASP.NET tool. With the following simple steps, sections of the web.config can be encrypted (and decrypted) to secure the configuration settings:
Step 1: Encrypt the connection strings in the web.config. This command uses RsaProtectedConfigurationProvider, which encrypts the section with TripleDES and protects the TripleDES key with RSA. Run it in a Visual Studio 2005/2008 command prompt window, from the directory where the web.config resides (the trailing dot is the path to that directory):
aspnet_regiis -pef connectionStrings .
Step 2: Add users to the ACL of the key container using the -pa parameter. Give access to the ASP.NET user, so that the application can read the key and decrypt the section at run time:
aspnet_regiis -pa "NetFrameworkConfigurationKey" "ASPNET"
Step 3: Decrypt the connection strings back to clear text:
aspnet_regiis -pdf connectionStrings .
The best part is that the web application code does not have to change one bit after the web.config file is encrypted, because ASP.NET decrypts the section transparently when the application reads it. Following is a before and after view of the connectionStrings section of a web.config file:
Before:
<connectionStrings>
<add name="MembershipConnectionString" connectionString="Data Source=.\SQLEXPRESS;AttachDbFilename=|DataDirectory|\LOCALDB.MDF;Integrated Security=True;User Instance=True"
providerName="System.Data.SqlClient" />
</connectionStrings>
After:
<connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
<EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
xmlns="http://www.w3.org/2001/04/xmlenc#">
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<KeyName>Rsa Key</KeyName>
</KeyInfo>
<CipherData>
<CipherValue>Qnp5eTaECH2wMwlRJjne61lKvEcRfZ3NDeCUhtw+wRKPmmY3Z3iZPBowIZwclU6gjdmY48/dhAEdUCLmzM5iEfHmPoyli+LMW5Yz1pQZM8I7iTFLLgeKux1CgUwP+bUtCpvP66Vu5wL5/veYSiR7kGzu/FgH+8vM6M3SYusHVGQ=</CipherValue>
</CipherData>
</EncryptedKey>
</KeyInfo>
<CipherData>
<CipherValue>BPA8J8Vue27wc4COgJ2Pfk9XCe7umTNAKdTJ2WnsyIg/zpEpdL4H6zxE0b5DBFehWTARRAtxfJhNUz4mp+QZvBZ0Iod1utujiXP0+EiWZpY8v31s94lgFhE88cH/CoF/vZgHYyDfedBTtJtUyN1xpegxzHHy38IwDElXUhb3UHP3X3nRWPJ0AohYz8xZZRMzn8MEDJDWCoKErwtMpUbE08AEZHDQSU6ITSn5urNrgS+V2CYYwhY3t1VbA2b+mEQFxVin4bEvOl+O8HGl2kzPtq5rhN60FnbxjPyHwCeHvl8JOzjk/ND8go/w49N61eGrGOH2xFNFPw2mhGVkJD5Lm8nn7xeo30YSS+Ct9uGzLfs=</CipherValue>
</CipherData>
</EncryptedData>
</connectionStrings>
Tip: Here is how to secure appSettings:
Encrypt appSettings: aspnet_regiis -pef appSettings .
Decrypt appSettings: aspnet_regiis -pdf appSettings .
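To check that the steps above were actually applied on a deployed site, the following added example (not part of the original post) audits a web.config and reports whether connectionStrings and appSettings are protected, still in clear text, or half-converted. The names audit_web_config and SAMPLE are hypothetical, the sample file is constructed with placeholder ciphertext, and only top-level sections are inspected.

```python
import xml.etree.ElementTree as ET

XMLENC = "http://www.w3.org/2001/04/xmlenc#"
SECTIONS = ("connectionStrings", "appSettings")  # the sections this post encrypts

def local(tag):
    """Strip an XML namespace so files with or without xmlns are handled."""
    return tag.rsplit("}", 1)[-1]

def audit_web_config(xml_text):
    """Map each sensitive top-level section to its protection status."""
    root = ET.fromstring(xml_text)
    report = {name: {"status": "absent"} for name in SECTIONS}
    for section in (c for c in root if local(c.tag) in SECTIONS):
        name = local(section.tag)
        provider = section.get("configProtectionProvider")
        encrypted = section.find("{%s}EncryptedData" % XMLENC)
        # Any <add> left beside the ciphertext is still readable from disk.
        plain = [e for e in section if local(e.tag) == "add"]
        if provider and encrypted is not None and not plain:
            methods = encrypted.iter("{%s}EncryptionMethod" % XMLENC)
            report[name] = {"status": "protected", "provider": provider,
                            "algorithms": [m.get("Algorithm").split("#")[-1] for m in methods]}
        elif provider or encrypted is not None:
            report[name] = {"status": "inconsistent"}
        else:
            report[name] = {"status": "cleartext", "entries": len(plain)}
    return report

# Constructed sample: connectionStrings encrypted (placeholder ciphertext),
# appSettings still in clear text.
SAMPLE = """<configuration>
  <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns="http://www.w3.org/2001/04/xmlenc#">
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
          <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
          <CipherData><CipherValue>PLACEHOLDER</CipherValue></CipherData>
        </EncryptedKey>
      </KeyInfo>
      <CipherData><CipherValue>PLACEHOLDER</CipherValue></CipherData>
    </EncryptedData>
  </connectionStrings>
  <appSettings><add key="ApiKey" value="constructed-value" /></appSettings>
</configuration>"""

if __name__ == "__main__":
    print(audit_web_config(SAMPLE))
```

A section reported as "inconsistent" carries a provider attribute or an EncryptedData element but not a clean encrypted form, which usually means a hand-edited file that ASP.NET will fail to load.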
Posted in ASP.Net, Dotnet, Sudheer Reddy Battula | Tagged: aspnet_regiis, encrypt web.config
Posted by cavemansblog on July 22, 2009
Here is a quick way to change the default browser in Visual Studio 2008 for debugging an ASP.NET web project.
1. In your web project double click on a .aspx page in the Solution Explorer.
2. Click on “File” Menu –> “Browse With…” option to display the available browsers on your computer. (This option will not show up in the File menu unless your content pane has a .aspx page loaded)
3. Select the browser you want to make the default, press the “Set as default” button, and then press the “Esc” key.
Have fun coding …
Posted in Visual Studio 2008 | Tagged: debugging: default browser, Visual Studio 2008
Posted by cavemansblog on July 15, 2009
Data Dictionary Creator [1] is a simple-to-use free tool that helped me immensely with SQL Server database documentation. It stores all the information in Extended Properties, so it’s easier to keep the documentation in sync with the database as it changes. I was able to generate a data dictionary with a couple of mouse clicks after I had entered the connection string. The dictionary can be exported to various formats: Excel, XML, Word and HTML. Click on the reference [1] for a step-by-step tutorial on the usage of this utility. (The current version does not seem to support SQL Server 2008.) This can be downloaded from CodePlex.

Reference:
1. Data Dictionary Creator
Posted in Sql Server, Tools | Tagged: data dictionary
Posted by cavemansblog on July 12, 2009

I have participated in the first annual Ping Pong Tournament at work. After a grueling 8 rounds, I finally had my hands on the coveted trophy. Well, I have something new that I can brag about.
This tourney has been going on for about 3 weeks now and I have thoroughly enjoyed participating in it. The best part is that I got to meet/know a lot of people (who were working on other projects) and was also able to make a few friends as well.
Posted in Sudheer Reddy Battula | Tagged: ping pong, table tennis, trophy
Posted by cavemansblog on July 7, 2009
One of the following two SQL queries could be used to determine the current version of the Microsoft SQL Server [2] that you are working on. I like the first method, for the simplicity of its usage.
SELECT @@version
--OUTPUT
--Microsoft SQL Server 2005 - 9.00.XXXX.00
--Nov XX 200X 16:17:31
--Copyright (c) 1988-2005 Microsoft Corporation
--XXXXXX Edition on Windows NT 5.2 (Build XXXX: Service Pack X)
-------
--OR--
-------
SELECT SERVERPROPERTY('productversion') AS [Product Version],
SERVERPROPERTY('productlevel') AS [Product Level],
SERVERPROPERTY('edition') AS [Edition]
--OUTPUT
--Product Version Product Level Edition
----------------- -------------- --------------
--9.00.XXXX.00 SPX XXXXX Edition
Following are the product versions and their corresponding names.
8.0 stands for SQL Server 2000
9.0 stands for SQL Server 2005
10.0 stands for SQL Server 2008
Tip: You can run SELECT @@servername in the Management Studio query editor to find the SQL Server name.
References:
1. Microsoft support
2. Microsoft SQL Server
Posted in Sql Server, Sudheer Reddy Battula | Tagged: sql server 2000/2005, version