Securing app.config / web.config

plinares - 04 Dec 2007 16:30 GMT
Hi all, I'm developing a web application with VS2005 and I've reached
the point where I have to deploy it to some servers and thus secure
sensitive information stored in the web.config file ... you're right!
connectionstrings!!!

Well, I've tried aspnet_regiis with RSA provider, and the public/
private key container and it's cool and it's transparent for the
developer... but I think that there is something that I'm missing
because if someone knows about aspnet_regiis ... they can easily
decrypt my web config at the deploy server and watch contents. There
is an option when you export RSA keys to include only public keys, but
it would only allow to encrypt and not to decrypt.

What I really would like to know: is there a way to secure data
inside a web.config or app.config as well, so decryption is only
available to the application itself? I guess that the way must be to
keep those keys safely somewhere somehow ... does VS2005 provide a
standard way to do that?

Thanks in advance for any kind of help.

Regards,
Pablo.
Dominick Baier - 04 Dec 2007 16:35 GMT
No - there is no way. If someone gets access to the server in a way that
he can execute commands - there cannot be a protection.

But executing commands on a server and viewing file contents remotely is
a totally different thing. The former is _much_ harder.

-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

> Hi all, I'm developing a web application with VS2005 and I've reached
> the point where I have to deploy it to some servers and thus secure
[quoted text clipped - 19 lines]
> Regards,
> Pablo
Pablo Liñares - 04 Dec 2007 17:41 GMT
Thanks Dominick,

So, as far as I understand the configuration protection is only a good
solution for web applications because it secures web.config contents
for remote viewing attacks and it's assumed that direct access to the
server in order to run commands like aspnet_regiis or accessing key
containers is secure. If I'm switching to a desktop application ... will
I have to secure app.config "all by myself"?
Dominick Baier - 04 Dec 2007 21:36 GMT
Right. There is no such thing as client security. You will not be able to
hide a connection string's password from a determined hacker.

Either use integrated authentication or shield database details using a middle
tier.

-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

> Thanks Dominick,
>
[quoted text clipped - 4 lines]
> containers is secure. If I'm switching to a desktop application ... will
> I have to secure app.config "all by myself"?
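
An added example, not part of the thread or any poster's code: a small Python audit that applies both points discussed above to a config file, reporting whether `connectionStrings` is encrypted with a protected-configuration provider and, if not, whether each entry embeds a password or uses integrated authentication. The sample configs, names and passwords are constructed, and the script assumes a root `<configuration>` element without an XML namespace.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs (not from the thread); all values are placeholders.
PLAINTEXT = """<configuration><connectionStrings>
  <add name="Main" connectionString="Server=db01;Database=App;User Id=app;Password=EXAMPLE-ONLY" />
  <add name="Reports" connectionString="Server=db01;Database=Rpt;Integrated Security=SSPI" />
</connectionStrings></configuration>"""

PROTECTED = """<configuration>
  <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                   xmlns="http://www.w3.org/2001/04/xmlenc#">
      <CipherData><CipherValue>CONSTRUCTED-PLACEHOLDER</CipherValue></CipherData>
    </EncryptedData>
  </connectionStrings>
</configuration>"""

def parse_conn(cs):
    """Split 'key=value;key=value' into a dict with lower-cased, space-free keys."""
    pairs = (p.split("=", 1) for p in cs.split(";") if "=" in p)
    return {k.strip().lower().replace(" ", ""): v.strip() for k, v in pairs}

def audit_config(xml_text):
    """Return (name, finding) tuples for the <connectionStrings> section."""
    section = ET.fromstring(xml_text).find("connectionStrings")
    if section is None:
        return []
    provider = section.get("configProtectionProvider")
    if provider:
        # Encrypted at rest: covers file disclosure, not a user who can run
        # commands under an account with access to the key container.
        return [("<section>", "encrypted:" + provider)]
    findings = []
    for add in section.findall("add"):
        kv = parse_conn(add.get("connectionString", ""))
        integrated = kv.get("integratedsecurity", kv.get("trusted_connection", ""))
        if integrated.lower() in ("sspi", "true", "yes"):
            findings.append((add.get("name"), "integrated-auth"))
        elif "password" in kv or "pwd" in kv:
            findings.append((add.get("name"), "plaintext-password"))
        else:
            findings.append((add.get("name"), "no-credential-found"))
    return findings

if __name__ == "__main__":
    for label, cfg in (("plaintext", PLAINTEXT), ("protected", PROTECTED)):
        print(label, audit_config(cfg))
```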
