Caveman's Blog

My commitment to learning.

Archive for the ‘Dotnet’ Category

Encrypting the Web.Config configurations

Posted by cavemansblog on July 28, 2009

The web.config file cannot be requested by a user of a web application through a browser. The .NET Framework shields this file from all kinds of external intrusion. However, anyone with access to the physical file can steal the sensitive information in it.

This vulnerability can be overcome by using aspnet_regiis, a built-in ASP.NET tool. By following these simple steps, sections of the web.config can be encrypted (and/or decrypted) to secure the configuration settings:

Step 1: Encrypt the connection strings in the web.config. This command uses RsaProtectedConfigurationProvider (which uses TripleDES and RSA encryption) to encrypt sections of the web.config file. The command has to be executed in a Visual Studio 2005/2008 command prompt window at the location where the web.config resides:

aspnet_regiis -pef connectionStrings .

Step 2: Add users to the ACL of the key container using the -pa parameter. Give access to the ASP.NET user:

aspnet_regiis -pa "NetFrameworkConfigurationKey" "ASPNET"

Step 3: Decrypt Connection Strings to clear text

aspnet_regiis -pdf connectionStrings .

The best part is that the web application code does not have to change one bit after the web.config file is encrypted. Following is a before and after view of the connectionStrings section of a web.config file:

Before:

<connectionStrings>
 <add name="MembershipConnectionString" connectionString="Data Source=.\SQLEXPRESS;AttachDbFilename=|DataDirectory|\LOCALDB.MDF;Integrated Security=True;User Instance=True"
 providerName="System.Data.SqlClient" />
 </connectionStrings>

After:

<connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
 <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
 xmlns="http://www.w3.org/2001/04/xmlenc#">
 <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
 <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
 <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
 <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
 <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
 <KeyName>Rsa Key</KeyName>
 </KeyInfo>
 <CipherData>
 <CipherValue>Qnp5eTaECH2wMwlRJjne61lKvEcRfZ3NDeCUhtw+wRKPmmY3Z3iZPBowIZwclU6gjdmY48/dhAEdUCLmzM5iEfHmPoyli+LMW5Yz1pQZM8I7iTFLLgeKux1CgUwP+bUtCpvP66Vu5wL5/veYSiR7kGzu/FgH+8vM6M3SYusHVGQ=</CipherValue>
 </CipherData>
 </EncryptedKey>
 </KeyInfo>
 <CipherData>
 <CipherValue>BPA8J8Vue27wc4COgJ2Pfk9XCe7umTNAKdTJ2WnsyIg/zpEpdL4H6zxE0b5DBFehWTARRAtxfJhNUz4mp+QZvBZ0Iod1utujiXP0+EiWZpY8v31s94lgFhE88cH/CoF/vZgHYyDfedBTtJtUyN1xpegxzHHy38IwDElXUhb3UHP3X3nRWPJ0AohYz8xZZRMzn8MEDJDWCoKErwtMpUbE08AEZHDQSU6ITSn5urNrgS+V2CYYwhY3t1VbA2b+mEQFxVin4bEvOl+O8HGl2kzPtq5rhN60FnbxjPyHwCeHvl8JOzjk/ND8go/w49N61eGrGOH2xFNFPw2mhGVkJD5Lm8nn7xeo30YSS+Ct9uGzLfs=</CipherValue>
 </CipherData>
 </EncryptedData>
 </connectionStrings>

Tip: Here is how to secure appsettings

Encrypt appSettings: aspnet_regiis -pef appSettings .

Decrypt appSettings: aspnet_regiis -pdf appSettings .
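As a check on the result of the steps above, this added Python example (not code from the original post) reports whether connectionStrings and appSettings in a web.config are still in clear text or carry the configProtectionProvider attribute with an EncryptedData element. The function name, the finding strings and both sample documents are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

XMLENC = "{http://www.w3.org/2001/04/xmlenc#}"
SECTIONS = ("connectionStrings", "appSettings")
# Connection-string keys that carry a secret in clear text.
SECRET_KEY = re.compile(r"(?:^|;)\s*(?:password|pwd)\s*=", re.IGNORECASE)

def audit_web_config(xml_text):
    """Return {section: finding}; assumes <configuration> has no default namespace."""
    root = ET.fromstring(xml_text)
    report = {}
    for name in SECTIONS:
        section = root.find(name)
        if section is None:
            report[name] = "absent"
            continue
        provider = section.get("configProtectionProvider")
        encrypted = section.find(XMLENC + "EncryptedData") is not None
        clear_adds = section.findall("add")
        if provider and encrypted and not clear_adds:
            report[name] = "protected by " + provider
        elif name == "connectionStrings":
            leaky = [a.get("name") for a in clear_adds
                     if SECRET_KEY.search(a.get("connectionString", ""))]
            report[name] = ("plaintext, credentials in: " + ", ".join(leaky)
                            if leaky else "plaintext, no embedded password")
        else:
            report[name] = "plaintext, %d setting(s)" % len(clear_adds)
    return report

# Constructed samples (not taken from a real application).
SAMPLE_BEFORE = """<configuration>
  <connectionStrings>
    <add name="Inventory" connectionString="Database=MYINVENTORYDB;Server=db01;User ID=app;Password=example-only;"/>
    <add name="Membership" connectionString="Data Source=localhost;Integrated Security=True"/>
  </connectionStrings>
  <appSettings><add key="ApiKey" value="example-only"/></appSettings>
</configuration>"""
SAMPLE_AFTER = """<configuration>
  <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#">
      <CipherData><CipherValue>PLACEHOLDER</CipherValue></CipherData>
    </EncryptedData>
  </connectionStrings>
</configuration>"""

if __name__ == "__main__":
    for sample in (SAMPLE_BEFORE, SAMPLE_AFTER):
        print(audit_web_config(sample))
```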

References:
1. How To: Encrypt Configuration Sections in ASP.NET 2.0 Using RSA
2. Encrypting configuration files using protected configuration

Posted in ASP.Net, Dotnet, Sudheer Reddy Battula

.NET Framework

Posted by cavemansblog on June 28, 2009

The following illustration shows the relationship of the common language runtime and the class library to your applications and to the overall system. The illustration also shows how managed code operates within a larger architecture.

[Illustration: Dotnet]

Points of interest

1. The common language runtime manages memory, thread execution, code execution, code safety verification, compilation, and other system services. These features are intrinsic to the managed code that runs on the common language runtime.

2. The .NET Framework class library is a collection of reusable types that tightly integrate with the common language runtime. The class library is object oriented, providing types from which your own managed code can derive functionality. This not only makes the .NET Framework types easy to use, but also reduces the time associated with learning new features of the .NET Framework. In addition, third-party components can integrate seamlessly with classes in the .NET Framework.

Note: This article in its entirety has been borrowed from certain parts of [1]. I did not want to spoil the essence of the original article.

References:
1. .NET Framework Conceptual Overview

Posted in Dotnet, Sudheer Reddy Battula

Factoring the Web.Config

Posted by cavemansblog on June 4, 2009

Web.config is an XML document in an ASP.Net application that stores configuration settings for the web application. It contains information about database configuration, control module loading, security configuration, session state configuration, custom configuration and compilation settings. Each ASP.Net web application inherits its base configuration from the machine’s web.config located in %SystemRoot%\Microsoft.Net\Framework\v#.#.#.#\CONFIG. The application's own web.config is physically located at the root of the web application, and subdirectories inherit its configuration settings unless they have their own web.config within the respective subdirectory.

As an application grows, so do the number of settings and the size of the web.config file, until the settings become hard to read and manage. There is a lesser-known optional string attribute called “configSource” that specifies the name of the include file in which the associated configuration section is defined, if such a file exists. The configSource attribute was introduced in .NET Framework 2.0 to support external configuration files. It can be added to any configuration section to specify an external file for that section. Following is a before-and-after example of using the configSource attribute, showing how the database connection settings can be separated into an external config file:

Before:

<configuration>
    <configSections>
        <section name="ConnectionStrings" restartOnExternalChanges="false"/>
    </configSections>
    <connectionStrings>
        <add name="Inventory" connectionString="Database=MYINVENTORYDB;Server=<SERVER-NAME>;User ID=<USERNAME>;Password=<PASSWORD>;Trusted_Connection=False;" providerName="System.Data.SqlClient"/>
    </connectionStrings>
.
.
</configuration>

After:

Following are two sections from the web.config and the dbsettings.config files. The dbsettings.config file has the database connection configuration information.

web.config

<configuration>
    <configSections>
        <section name="ConnectionStrings" restartOnExternalChanges="false"/>
    </configSections>
    <connectionStrings configSource="dbsettings.config">

      </connectionStrings>
.
.
</configuration>

dbsettings.config

<!-- The root element of a configSource file must be the section itself, not <configuration>. -->
<connectionStrings>
    <add name="Inventory" connectionString="Database=MYINVENTORYDB;Server=<SERVER-NAME>;User ID=<USERNAME>;Password=<PASSWORD>;Trusted_Connection=False;" providerName="System.Data.SqlClient"/>
</connectionStrings>
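The layout rules for configSource can be checked before deployment. This added Python example (not from the original post) verifies that each referenced file is a relative path inside the application, keeps the .config extension, and has the section itself as its root element; the function names and sample files are assumptions made for the example.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

def check_config_sources(app_dir):
    """Return a list of problems with configSource references in app_dir/web.config."""
    app_dir = Path(app_dir).resolve()
    problems = []
    for section in ET.parse(app_dir / "web.config").getroot().iter():
        source = section.get("configSource")
        if source is None:
            continue
        tag = section.tag
        # A section that uses configSource may carry no other attributes or children.
        if len(section.attrib) > 1 or len(section):
            problems.append(f"{tag}: inline content next to configSource")
        target = (app_dir / source).resolve()
        # The include must be a relative path that stays inside the application.
        if Path(source).is_absolute() or app_dir not in target.parents:
            problems.append(f"{tag}: {source} is outside the application directory")
            continue
        # ASP.NET refuses to serve *.config; another extension could be downloaded.
        if target.suffix.lower() != ".config":
            problems.append(f"{tag}: {source} does not end in .config")
        if not target.is_file():
            problems.append(f"{tag}: {source} not found")
            continue
        # The include's root element must be the section itself.
        ext_tag = ET.parse(target).getroot().tag
        if ext_tag != tag:
            problems.append(f"{tag}: root of {source} is <{ext_tag}>, expected <{tag}>")
    return problems

def demo():
    """Constructed sample: an include wrapped in <configuration>, then the valid form."""
    web = '<configuration><connectionStrings configSource="dbsettings.config"/></configuration>'
    section = ('<connectionStrings><add name="Inventory" '
               'connectionString="Server=db01;Integrated Security=True"/></connectionStrings>')
    results = []
    for include in ("<configuration>%s</configuration>" % section, section):
        with tempfile.TemporaryDirectory() as app_dir:
            Path(app_dir, "web.config").write_text(web)
            Path(app_dir, "dbsettings.config").write_text(include)
            results.append(check_config_sources(app_dir))
    return results

if __name__ == "__main__":
    print(demo())
```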

Example 2

Here is another example of separating the database configuration settings into multiple files. These settings are for Enterprise Library External file configuration source for Application blocks. Following are the sections of the web.config and the entlib.config files into which the database Connection string configuration has been separated:

Web.Config

<enterpriseLibrary.ConfigurationSource selectedSource="File Configuration Source">
    <sources>
        <add name="File Configuration Source" type="Microsoft.Practices.EnterpriseLibrary.Common.Configuration.FileConfigurationSource, Microsoft.Practices.EnterpriseLibrary.Common, Version=X.X.X.X, Culture=neutral, PublicKeyToken=null" filePath="entlib.config"/>
    </sources>
</enterpriseLibrary.ConfigurationSource>

entlib.config

<configuration>
    <connectionStrings>
        <add name="Inventory" connectionString="Database=MYINVENTORYDB;Server=<SERVER-NAME>;User ID=<USERNAME>;Password=<PASSWORD>;Trusted_Connection=False;" providerName="System.Data.SqlClient"/>
    </connectionStrings>
</configuration>

The end result is that this feature of web.config file has been very useful to me so far in keeping the config files neat and simple to read. Also note that the restartOnExternalChanges property is set to false in the “section element for config sections” so that the application does not restart when a change to the external config file is made.

Tip: ConnectionStrings.com has a nice list of connection strings for various databases.

References:

1. MSDN Online

http://www.nikhilk.net/Entry.aspx?id=158

Posted in ASP.Net, Dotnet, Sudheer Reddy Battula

DotNet Reference Poster

Posted by cavemansblog on February 26, 2009

Thanks for still being in tune with my blog. It has been a while since my last post. I was in the midst of a change in Project/Client. I have for sure learnt a little bit in the last few months and will be updating my blog with my experiences soon. In the meanwhile here is something that is very nice to have for all Dotnet developers: The Dotnet 3.5 Reference poster [1]. This poster has a listing of commonly used types and namespaces of .Net Framework 3.5.

[Image: dotnet 3.5 reference poster]

Note: I have borrowed this image from the blog titled “Fun with .Net and SQL Server” [2].

The .NET Framework 3.5 Common Namespaces and Types Poster is downloadable in XPS or PDF format. There is also an XPS format file which prints over 16 letter or A4 pages for easy printing. The following diagram [3] shows the additive nature of the .Net framework and clearly states the new features of each version.

[Image: NewIn35]

Reference:

[1] MSDN online
[2] Fun with .NET and SQL Server
[3] Announcing: The .NET Framework 3.5 Commonly Used Types and Namespaces poster – Paul Andrew

Posted in .Net 3.x, Dotnet, Sudheer Reddy Battula