
.NET Forum / .NET Framework / Distributed Applications / February 2004


Re: Web.config or App.config

pmurphy@nospam.servicentral.net.nospam - 09 Feb 2004 13:30 GMT
This is just not true.

NTFS has an encryption feature. You can tell ASP.NET to run your web application under a domain account. Issue that account a key (or put the account in a group and give the key to the group). Encrypt the file with the key you issued to the account/group and away you go.

Never done it, but users can encrypt files and ASP.NET runs as a user; so just hook it together. This has nothing to do with programming and will require a Windows 2000 domain with a certificate authority installed.

Paul D. Murphy
Microsoft MVP ASP.NET
------------------------------------------

nntp://msnews.microsoft.com/microsoft.public.dotnet.distributed_apps/
> Hi Damian,
>
> Put it that way: the app has to decrypt data so the key has to be accessible to application.
> There is no way to 100% hide the key since it has to be accessible.
>
> --
> Miha Markic [MVP C#] - RightHand .NET consulting & software development miha at rthand com www.rthand.com
>
> "Damian" wrote in message news:O$OVPV$6DHA.1592@TK2MSFTNGP10.phx.gbl...
> > Hi Miha,
> >
> > Thanks for your help. I've read it before but this is not my problem. I have this problem. I know how to encrypt XML files using Application Block (CMAB). I have implemented a Data Protection Provider to encrypt all my configuration files but in the web.config file I have important information such as the encryption key and so on. This is like 'Who was first, the egg or the chicken??' I encrypt a XML file and I store the key or the path in the registry in the web.config but the web.config is not safe!!! I'm clear????? Perhaps Visual Studio has a configuration setting in which you set the web.config to be automatically encrypted. I don't know???
> >
> > Anyway. Thanks for your help.
> >
> > "Miha Markic [MVP C#]" wrote in message news:ePUyOB$6DHA.1040@TK2MSFTNGP10.phx.gbl...
> > > Hi Damian,
> > >
> > > You'll have to do some (de)crypting by yourself.
> > > See
> > > Security: Protect Private Data with the Cryptography Namespaces of the .NET Framework
> > > http://tinyurl.com/3dwt7
> > >
> > > --
> > > Miha Markic [MVP C#] - RightHand .NET consulting & software development miha at rthand com www.rthand.com
> > >
> > > "Damian" wrote in message news:uysCU7%236DHA.360@TK2MSFTNGP12.phx.gbl...
> > > > This page works but this is not my problem. Thanks anyway. I know how to encrypt connection strings or XML files. My problem is that my encryption key and other personal information is set in my web.config or app.config. I wonder if Visual Studio has any tool or service to encrypt or secure the web.config or there is another way to do this in order to make sure that no one is going to open or modify this file. Any advice?
> > > >
> > > > Thanks for your help.

[microsoft.public.dotnet.distributed_apps]
Damian - 09 Feb 2004 14:00 GMT
Ok, thanks Paul. Is there some article you know of that explains how to do this???
I know that this is not the best solution but it is a solution. I would like to read a bit more about it.

Thanks for your help. Damian

> This is just not true.
>
> NTFS has an encryption feature. You can tell ASP.NET to run your web application under a domain account. Issue that account a key (or put the account in a group and give the key to the group). Encrypt the file with the key you issued to the account/group and away you go.
>
> Never done it, but users can encrypt files and ASP.NET runs as a user; so just hook it together. This has nothing to do with programming and will require a Windows 2000 domain with a certificate authority installed.
>
> Paul D. Murphy
> Microsoft MVP ASP.NET
[quoted text clipped - 70 lines]
Miha Markic [MVP C#] - 09 Feb 2004 14:03 GMT
Hi Paul,

What is not true?

--

Miha Markic [MVP C#] - RightHand .NET consulting & software development
miha at rthand com
www.rthand.com

> This is just not true.
>
> NTFS has an encryption feature. You can tell ASP.NET to run your web application under a domain account. Issue that account a key (or put the account in a group and give the key to the group). Encrypt the file with the key you issued to the account/group and away you go.
>
> Never done it, but users can encrypt files and ASP.NET runs as a user; so just hook it together. This has nothing to do with programming and will require a Windows 2000 domain with a certificate authority installed.
>
> Paul D. Murphy
> Microsoft MVP ASP.NET
[quoted text clipped - 5 lines]
> Put it that way: the app has to decrypt data so the key has to be accessible to application.
> There is no way to 100% hide the key since it has to be accessible.
pmurphy@nospam.servicentral.net.nospam - 09 Feb 2004 14:48 GMT
Sure. I can do this real fast. It's actually easier than I thought.

1: You will need to run your web application/windows service under a specific Windows 2000 or Windows 2003 domain account. This is well documented.

2: Right click on the dotConfig file and select properties.

3: Click on the 'Advanced' button on the 'General' tab.

4: Check the box that says 'Encrypt contents to secure data'.

5: Click OK.

6: Click on the 'Advanced' button again.

7: The 'Details' button will be active now. Click that.

8: Add the user account you created to run the Web Application/Service to the box.

    If you get an error here then you will need to import a certificate for the user. This is well documented.

NTFS will handle the encryption for you.

Paul

> Ok, thanks Paul. Is there some article you know of that explains how to do this???
> I know that this is not the best solution but it is a solution. I would like to read a bit more about it.
>
> Thanks for your help. Damian
>
> "Paul D. Murphy" wrote in message news:uxfhkDx7DHA.360@TK2MSFTNGP12.phx.gbl...
> > This is just not true.
> >
> > NTFS has an encryption feature. You can tell ASP.NET to run your web application under a domain account. Issue that account a key (or put the account in a group and give the key to the group). Encrypt the file with the key you issued to the account/group and away you go.
> >
> > Never done it, but users can encrypt files and ASP.NET runs as a user; so just hook it together. This has nothing to do with programming and will require a Windows 2000 domain with a certificate authority installed.
> >
> > Paul D. Murphy
> > Microsoft MVP ASP.NET
[quoted text clipped - 4 lines]
> >
> > Put it that way: the app has to decrypt data so the key has to be accessible to application.
> > There is no way to 100% hide the key since it has to be accessible.
> >
> > --
> > Miha Markic [MVP C#] - RightHand .NET consulting & software development miha at rthand com www.rthand.com
> >
> > "Damian" wrote in message news:O$OVPV$6DHA.1592@TK2MSFTNGP10.phx.gbl...
> > > Hi Miha,
[quoted text clipped - 17 lines]
> > > which you set the web.config to be automatically encrypted. I don't know???
> > >
> > > Anyway. Thanks for your help.
> > >
[quoted text clipped - 36 lines]

[microsoft.public.dotnet.distributed_apps]
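Paul's eight steps in the post above, done with cipher.exe instead of the Explorer dialog so the result can be scripted and checked. This is an added example, not code from the thread; the config path, certificate file and account name are placeholders, and it assumes it runs as an account that can already decrypt the file.

```powershell
# Added example (not from the thread): Paul's steps 2-8 with cipher.exe,
# followed by checks on the result. All three values below are placeholders.
param(
    [string]$ConfigPath  = 'C:\inetpub\wwwroot\MyApp\web.config',  # placeholder: the dotConfig file
    [string]$AppCertFile = 'C:\admin\svc-myapp-efs.cer',           # placeholder: exported EFS certificate (public key) of the app account
    [string]$AppAccount  = 'CONTOSO\svc-myapp'                     # placeholder: domain account from step 1
)

# Steps 2-5: set the NTFS Encrypted attribute on the file itself.
# /a is needed to act on a single file (cipher defaults to directories).
cipher.exe /e /a $ConfigPath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "cipher /e failed for $ConfigPath" }

# Steps 6-8: authorize the application account's EFS certificate so that
# identity can read the file transparently. Only an account that can already
# decrypt the file may add users. If the account has no EFS certificate yet,
# there is nothing to export: that is the "import a certificate" case Paul notes.
cipher.exe /adduser "/certfile:$AppCertFile" $ConfigPath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "cipher /adduser failed; check $AppCertFile" }

# Check 1: the Encrypted attribute really is set on the file.
$attrs = (Get-Item -LiteralPath $ConfigPath).Attributes
if (-not ($attrs -band [System.IO.FileAttributes]::Encrypted)) {
    throw "$ConfigPath is not EFS-encrypted"
}

# Check 2: list every certificate that can decrypt the file, so a stray
# administrator or recovery-agent key is visible in review.
cipher.exe /c $ConfigPath

# Caveat from Miha's side of the thread: EFS hides the plaintext from other
# accounts only. Anything running as $AppAccount reads the file in clear,
# so that account still needs to be locked down to least privilege.
Write-Host "Only $AppAccount (and the keys listed above) should be able to decrypt $ConfigPath"
```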
pmurphy@nospam.servicentral.net.nospam - 09 Feb 2004 14:49 GMT

The part about not being able to totally secure a file to an application. NTFS and Active Directory will do it for you.

Paul

> Hi Paul,
>
> What is not true?
>
> --
> Miha Markic [MVP C#] - RightHand .NET consulting & software development
> miha at rthand com
> www.rthand.com
>
> "Paul D. Murphy" <pmurphy@nospam.servicentral.net.nospam> wrote in message news:uxfhkDx7DHA.360@TK2MSFTNGP12.phx.gbl...
> > This is just not true.
> >
> > NTFS has an encryption feature. You can tell ASP.NET to run your web application under a domain account. Issue that account a key (or put the account in a group and give the key to the group). Encrypt the file with the key you issued to the account/group and away you go.
> >
> > Never done it, but users can encrypt files and ASP.NET runs as a user; so just hook it together. This has nothing to do with programming and will require a Windows 2000 domain with a certificate authority installed.
> >
> > Paul D. Murphy
> > Microsoft MVP ASP.NET
[quoted text clipped - 4 lines]
> >
> > Put it that way: the app has to decrypt data so the key has to be accessible to application.
> > There is no way to 100% hide the key since it has to be accessible.



[microsoft.public.dotnet.distributed_apps]
Miha Markic [MVP C#] - 09 Feb 2004 16:31 GMT
> The part about not being able to totally secure a file to an application. NTFS and Active Directory will do it for you.

But then the application is able to decrypt it, right?
This implies that there is a way to obtain the decrypted file...
This article is a good one:
http://tinyurl.com/26tey

--

Miha Markic [MVP C#] - RightHand .NET consulting & development
miha at rthand com
www.rthand.com

pmurphy@nospam.servicentral.net.nospam - 09 Feb 2004 18:07 GMT
I understand the thread as follows:

Damian Said:

I wonder if Visual Studio has any tool or service to encrypt or secure the web.config or there is another way to do this in order to make sure that no one is going to open or modify this file. Any advice?

You Said:

Put it that way: the app has to decrypt data so the key has to be accessible to application. There is no way to 100% hide the key since it has to be accessible.

---

I took this to mean that there was no way to stop someone from opening up your configuration file and snatching all the semi-sensitive stuff used to lock down the really sensitive stuff.

If I was wrong correct me, but it does seem illogical to lock the file out so nothing can open it up, right? I mean you would always want the service/person that needs to be able to read the file to be able to read the file.

When you leverage Active Directory, NTFS and Certificate Authority you can secure the application and its files to the nth degree. With the CA in the process at any point in time should you feel the security is compromised you can revoke the key (thus disabling access to the file) and reissue new keys to the accounts/groups who need to access the file.

Writing secure code is about leveraging all of the assets at your disposal. It's unfortunate that in the article you mention they do not recommend this technique as it is the only real method to totally secure your code from prying eyes.

Everything you say in that statement is wrong. The key does not need to be accessible to the application. The key needs to be accessible to the user of the application. The CA and Active Directory make this happen. The app does not need to decrypt the file, NTFS and Active Directory can do that for you also.

I'm not trying to bust your balls. My intent is to be helpful. I'd send you this directly but I can't find an email for you.

Paul D. Murphy
Microsoft MVP, ASP.NET

-------------------
> > The part about not being able to totally secure a file to an application. NTFS and Active Directory will do it for you.
>
> But then the application is able to decrypt it, right?
> This implies that there is a way to obtain the decrypted file...
> This article is a good one:
> http://tinyurl.com/26tey
>
> --
> Miha Markic [MVP C#] - RightHand .NET consulting & development miha at rthand com www.rthand.com

[microsoft.public.dotnet.distributed_apps]
Miha Markic [MVP C#] - 09 Feb 2004 18:27 GMT
Hi Paul,

> Everything you say in that statement is wrong. The key does not need to be accessible to the application. The key needs to be accessible to the user of the application. The CA and Active Directory make this happen. The app does not need to decrypt the file, NTFS and Active Directory can do that for you also.

Yes, yes, but in the end the app handles the decrypted file; it doesn't matter who decrypts the file or where the key is stored.
The key might be hidden but it is still available to the app one way or another.
If you look at the conclusion you'll find:
"When it comes to protecting sensitive application data, there are no perfect solutions. None of the existing software technologies can *guarantee absolute security*. The goal is to pick the best, or "least worst" option that will work for your application and comply with your security requirements. Understanding how the various techniques and technologies provide data protection will help you assess vulnerabilities and prevent you from succumbing to a false sense of security."

> I'm not trying to bust your balls. My intent is to be helpful. I'd send you this directly but I can't find an email for you.

If you concatenate my e-mail and replace at with @...

--

Miha Markic [MVP C#] - RightHand .NET consulting & development
miha at rthand com
www.rthand.com

Damian - 09 Feb 2004 19:19 GMT
I've read the article "Safeguard Database Connection Strings and Other Sensitive Settings in Your Code".

I've asked Alek Davis about this and he answered me the following:

...though that none of the books or articles on fundamentally difficult to solve problems (such as protection of encryption keys) will give you a comprehensive solution. If it could, it wouldn't be a problem any more. So your task is basically to understand what the problem is and be able to implement ("steal", buy, etc) best (or least worst) solution which would work in your situation (application, company, environment, etc).

With respect to application .config files (app.config and Web.config), as I said before, there is not much you can do here. And if you do not put sensitive data in plain text there, you should not spend much time worrying about it...

So, I'm really confused about all this!!! I come to the conclusion that there is not a safe solution.

Thanks both Miha and Paul for all your help !!!!

> Hi Paul,
>
[quoted text clipped - 21 lines]
>
> If you concatenate my e-mail  and replace at with @...
pmurphy@nospam.servicentral.net.nospam - 10 Feb 2004 07:54 GMT

I will post a detailed article on how to do this on my blog sometime this week. Windows 2000 and Windows 2003 are C2 Compliant operating systems. They are being used right now in Iraq and around the world to bring classified information into the battlefield. Securing your website/service is a breeze compared to tasks like that.

Paul

> I've read the article "Safeguard Database Connection Strings and Other Sensitive Settings in Your Code".
>
> I've asked Alek Davis about this and he answered me the following:
>
> ...though that none of the books or articles on fundamentally difficult to solve problems (such as protection of encryption keys) will give you a comprehensive solution. If it could, it wouldn't be a problem any more. So your task is basically to understand what the problem is and be able to implement ("steal", buy, etc) best (or least worst) solution which would work in your situation (application, company, environment, etc).
>
> With respect to application .config files (app.config and Web.config), as I said before, there is not much you can do here. And if you do not put sensitive data in plain text there, you should not spend much time worrying about it...
>
> So, I'm really confused about all this!!! I come to the conclusion that there is not a safe solution.
>
> Thanks both Miha and Paul for all your help!!!!
>
> "Miha Markic [MVP C#]" <miha at rthand com> wrote in message news:e1cB6uz7DHA.2300@TK2MSFTNGP10.phx.gbl...
> > Hi Paul,
> >
> > > Everything you say in that statement is wrong. The key does not need to be accessible to the application. The key needs to be accessible to the user of the application. The CA and Active Directory make this happen. The app does not need to decrypt the file, NTFS and Active Directory can do that for you also.
> >
[quoted text clipped - 5 lines]
> > "When it comes to protecting sensitive application data, there are no perfect solutions. None of the existing software technologies can *guarantee absolute security*. The goal is to pick the best, or "least worst" option that will work for your application and comply with your security requirements. Understanding how the various techniques and technologies provide data protection will help you assess vulnerabilities and prevent you from succumbing to a false sense of security."
> >
[quoted text clipped - 7 lines]
> > miha at rthand com
> > www.rthand.com

[microsoft.public.dotnet.distributed_apps]
Damian - 10 Feb 2004 12:20 GMT
OK, I'll be waiting for it. Thanks Paul

> I will post a detailed article on how to do this on my blog sometime this week. Windows 2000 and Windows 2003 are C2 Compliant operating systems. They are being used right now in Iraq and around the world to bring classified information into the battlefield. Securing your website/service is a breeze compared to tasks like that.
>
> Paul
>
> > I've read the article "Safeguard Database Connection Strings and Other Sensitive Settings in Your Code".
[quoted text clipped - 63 lines]

©2008 Advenet LLC   Privacy Policy - Terms of Use