Click here to Skip to main content
Click here to Skip to main content
Search within:



 
Comments & Discussions (12)

Enhanced and Secure Connection Strings in Web.Config

By , 25 Jan 2003
 

Introduction

In developing ASP.NET applications, we make heavy use of Web.Config to store and retrieve database connection strings. But we need to be aware of the fact that Web.Config is a simple XML text file and its contents are readable by any user having access to the the webserver's file system. Albeit the fact that accesses like http://localhost/deepak/web.config etc. are halted by the webserver with a message 'The type of page is not served', anybody with console access to the system can still open and read the database connection strings, which might contain the password to the database in an unencrypted manner.

Simple encryption

After a great deal of search in MSDN and other sites, I found a simple way to encrypt strings using a minimum of 8 character string (8 characters should be okay since even MSN Hotmail recommends a minimum of 8 character passwords for all accounts). Sections have been taken from ASPAlliance example but the method has been kept as a static method for the simple reason that you need not create object for every encryption and decryption strategy.

The attached example makes use of DESCryptoServiceProvider that is available in System.Security.Cryptography namespace.

Enhancement

For example sake, I have given both the key and the encrypted string in web.config. But for security reasons, it would be advisable to keep the key elsewhere in the file system and read the key dynamically from this file from the specified location. Additional care has to be taken that the place where we store the key is accessible only to System Administrators and other authorized personnel. With this strategy and trick in place, the database connection string could be made relatively safe for a particular web application.

How to use the example

Include the following two lines in web.config:

         <add key="cKey" value="LavanyaDeepak"/>
         <add key="cDb" value="C0AHny7FDFewTPE7eTp5RA=="/>

To any of your test applications, unzip the files in the archive (Cryptography.cs and Test.Aspx and Test.Cs). Include them in a project in Visual Studio .NET. Build the application and run test.aspx from the web browser.

Conclusion

I hope the above article would be very useful for .NET developers worldwide to make effective and secure use of database connection strings that are put in Web.Config. Many thanks to developers whose ideas and pieces of code have been helping me out in drafting these static methods.

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

About the Author

 Vasudevan Deepak Kumar
Software Developer
United States United States
Member
Vasudevan Deepak Kumar is from Chennai, India who has been in the programming career since 1994, when he was 15 years old. He has his Bachelors of Engineering (in Computer Science and Engineering) from Vellore Engineering College. He also has a MBA in Systems from Alagappa University, Karaikudi, India.
He started his programming career with GWBasic and then in his college was involved in developing programs in Fortran, Cobol, C++. He has been developing in Microsoft technologies like ASP, SQLServer 2000.
His current focus is ASP.NET, C#, VB.NET, PHP, SQL Server and MySQL. In his past-time, he listens to polite Carnatic Music. But the big question is that with his current Todolist backlog, does he get some past time?

Article Top
 
Sign Up to vote   Poor Excellent
Add a reason or comment to your vote: x
Votes of 3 or less require a comment

Comments and Discussions

 
You must Sign In to use this message board.
Search this forum  
    Spacing  Noise  Layout  Per page   
First PrevNext
Generallogin.aspxmemberAjay Kale New27 Sep '10 - 0:06 
Hi,
 
in my application - when I traverse for sometime to various tabs - suddenly login,aspx page is displayed.
When I checked logs - but no debugger statement printed there..and no javascript alerts are seen.
 
So I verified web.config for timeout properties but couldnot find anything to be changed
 
&lt;authentication mode="Forms"&gt;
&lt;forms loginUrl="login.aspx" protection="All" timeout="600" slidingExpiration="true" &gt;
&lt;/forms&gt;
&lt;/authentication&gt;
 
and
 
&lt;sessionState mode="InProc" timeout="600" /&gt;
 

Thanks and regards,
- Ajay Kale
Sign In·View Thread·Permalink
GeneralDeveloper Caste Systemmembershitba13 Jan '06 - 5:12 
I always love it when developers who have full control over their web servers(Brahmins) are hyper-critical of us poor losers in the shared hosting realm(Untouchables). We CAN'T use a trusted connection to the database. We CAN'T set NTFS permissions of ANY kind. We can't even store an encryption key on a secure part of the machine because we don't have access to that!
 
As a result, we're left with options of code obfuscation, and weak encryption/decryption processes. Far from perfect, but what do you want for $20/month? Laugh | :laugh:

 

 
Mikeymac
Sign In·View Thread·Permalink
GeneralThe encryption codememberdurayakar12 Nov '03 - 16:41 
If you have deployed the encrypt/decrypt function/component on the web server, the person who hs access to your web site folder can add a very simple aspx page and/or piece of code to your web site and call the very same function to decrypt the connection string...
 
I also do not see any increased "security" by encrypting the connection string if the decryption code is on the same hosting environment... If the person has access to the web site folder, he has full access to the compiled and ready-to-use decryption code as well...
 
I also do not see any further security in the user access stuff... If the suspect has access to your web site folder, he will be able to run his code under your asp.net account, in other words under the very same identity that your web site code runs under...
 
So, this conection string will remain to be vulnerable to be compromised by the web site admin that has access to your web site folder directly.
 
Regards..
 
Duray AKAR
 
f=m.a
Sign In·View Thread·Permalink
Generalhmm ...memberkrumpo28 Jan '03 - 0:52 
Yet another example of "security" by obscurity ... Protecting your key file is exactly the same problem as protecting web.config itself so cryptography is useless here and you can keep that connection string in plain text.
 
Suggestions: either keep safe your web.config or deploy database provided (and dependant) way of authenticating ASP.NET worker process - at least both Oracle and MS SQL Server have that ...
 
PS: maybe just I don't see the light Smile | :)
Sign In·View Thread·Permalink
GeneralRe: hmm ...memberEnki4230 Jan '03 - 14:10 
Another problem with it is that it decreases performace of the app since then it must decrypt the string each time its needed.
 
Just use intergrated login on SQL server and give logon access to the user the asp page is running under.
 
So basically what krumpo said....
Sign In·View Thread·Permalink
GeneralRe: hmm ...memberDeepak Kumar Vasudevan30 Jan '03 - 16:42 
Hi Enki,
 
That would be a poor idea of decrypting each time. Because we are not going to change ConnectionStrings that frequently. Perhaps here comes the advantage of ASP.NET Caching Strategies.
 
You can cache the connectionstring and retrieve the item from Cache. If the item is not found in Cache, then read from Web.Config, insert it into Cache and proceed.
 
Did this solve your problem?
 
Deepak Kumar Vasudevan
http://deepak.portland.co.uk/
Sign In·View Thread·Permalink
GeneralRe: hmm ...memberEnki4231 Jan '03 - 1:22 
Ok, so a jumped a bit on the speed issue, but that doesn't change the fact that its still insecure because its just security through obscurity which is really the main issue here.
Sign In·View Thread·Permalink
GeneralRe: hmm ...memberThePhoenix8 Jul '03 - 22:20 
Agree with the hmm... definitely security through obfuscation. If you want to protect the connection string, then surely the best process is just to set the NTFS permissions on web.config so that only the ASP.NET worker process and any required personnel can access it. This will also protect the other information in web.config (which you probably wouldn't really want people changing).
 
Now, what is a signature??? Roll eyes | :rolleyes:
Sign In·View Thread·Permalink
GeneralRe: hmm ...sussAnonymous22 Feb '05 - 10:27 
when IIS is exploited, it would be ASP.Net account that's being used. Which means the connection string will be only open to the hacker that exploited the system.
Sign In·View Thread·Permalink
GeneralRe: hmm ...sussAnonymous12 Oct '05 - 7:19 
By default IIS runs under SYSTEM account and aspnet_wp.exe under 'IUSR_xxxxxx' account.
Just revoke any rights for SYSTEM against Web.config.
Even better(worse), impersonation can allow you to run aspnet_wp's worker threads under different win account.
Sign In·View Thread·Permalink
Last Visit: 31 Dec '99 - 18:00     Last Update: 23 May '13 - 18:52Refresh12 Next »

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Rant Rant    Admin Admin   

About Article
Here we would discuss some simple steps, which would facilitate keeping our database connection strings safe and encrypted in Web.Config.
Type Article
Licence CPOL
First Posted 25 Jan 2003
Views 126,920
Bookmarked 61 times

, +
Top News

The Next Version of Android - Some of What's Coming

Get the Insider News free each morning.
Related Videos
83 Construct 2 - Building Strings
Strings in Javascript
Secutirty at your Hands: Encryption of Configuration file in Whidbey
Encryption of Connection Strings Inside the Web.config in ASP.NET 2.0
DPAPI and Triple DES: A powerful combination to secure connection strings and other application settings
Enhancements done for storing connection strings in Visual Studio 2005
Unraveling the Mysteries of .NET 2.0 Configuration
Programmatic Adding Custom Encrypted Configuration Section in ASP.NET
Managing Connection Strings for Web Farms in ASP.NET 2.0
WebRequest Parameter Utility
ASP.NET Providers for the ADO.NET Entity Framework
Strategy to distribute secure database connection strings in an enterprise environment
Web.config File - ASP.NET
ADO.NET Connection Pooling at a Glance
An introduction to Web Service Security using WSE - Part I
Encrypt or Decrypt Connection Strings in web.config file using ASP.NET
Read Configuration Settings of Web.config using Javascript
Securing ASP.NET Applications
A Windows Communication Foundation (WCF) Overview
Role-based Security with Forms Authentication
Encrypt or Decrypt Connection Strings in web.config file using asp.net.
ADO.NET 101: SQL Connection
Permalink | Advertise | Privacy | Mobile
Web01 | 2.6.130523.1 | Last Updated 26 Jan 2003
Article Copyright 2003 by Vasudevan Deepak Kumar
Everything else Copyright © CodeProject, 1999-2013
Terms of Use
Layout: fixed | fluid