Although the post editor in BlogEngine.NET is adequate, it becomes a headache when you want to format code snippets…
Here is the perfect solution, which will take you 10 minutes to set up… and hours to enjoy:
Now, to paste nicely formatted code, just copy it in Visual Studio and paste it with the plug-in button in Live Writer…
And you get easy, cool formatted code…
Sub Application_OnStart()
    If ConfigurationManager.AppSettings("AutomaticallyEncryptConnectionStrings") Is Nothing _
        OrElse CType(ConfigurationManager.AppSettings("AutomaticallyEncryptConnectionStrings"), Boolean) = True Then
        ' check that web.config connection is encrypted
        Dim config As Configuration = WebConfigurationManager.OpenWebConfiguration(HttpRuntime.AppDomainAppVirtualPath)
        Dim section As ConfigurationSection = config.GetSection("connectionStrings")
        If (section.SectionInformation.IsProtected) = False Then
            section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider")
            config.Save()
        End If
    End If
End Sub
Enjoy!
Following the recent discovery of this ASP.NET security flaw, I checked all my production web.config files to set the correct custom errors,
and also to verify that connection strings are encrypted.
As you certainly know, you can do it on the server with the aspnet_regiis.exe command,
but you have to run it manually, and take care not to upload an unencrypted web.config later... not very practical when you manage dozens of websites...
As there is an easy way to encrypt a web.config section programmatically,
I found it wise to have Application_Start check that the connectionStrings section is encrypted, and encrypt it automatically otherwise...
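' Requires the System.Configuration and System.Web.Configuration namespaces.
Sub Application_OnStart()
    ' Open the web.config of the current application
    Dim config As Configuration = WebConfigurationManager.OpenWebConfiguration(HttpRuntime.AppDomainAppVirtualPath)
    Dim section As ConfigurationSection = config.GetSection("connectionStrings")
    ' If the section is still in clear text, encrypt it with DPAPI and write the file back
    If (section.SectionInformation.IsProtected) = False Then
        section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider")
        config.Save()
    End If
End Sub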
To avoid encrypting the connection strings on the development server, I simply added a test and a key in appSettings...
Sub Application_OnStart()
    ' Encrypt unless the appSettings key is present and set to false (development server)
    If ConfigurationManager.AppSettings("AutomaticallyEncryptConnectionStrings") Is Nothing _
        OrElse CType(ConfigurationManager.AppSettings("AutomaticallyEncryptConnectionStrings"), Boolean) = True Then
        Dim config As Configuration = WebConfigurationManager.OpenWebConfiguration(HttpRuntime.AppDomainAppVirtualPath)
        Dim section As ConfigurationSection = config.GetSection("connectionStrings")
        ' If the section is still in clear text, encrypt it and write the file back
        If (section.SectionInformation.IsProtected) = False Then
            section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider")
            config.Save()
        End If
    End If
End Sub
appSettings key:
<appSettings>
    <add key="AutomaticallyEncryptConnectionStrings" value="false"/>
</appSettings>
Please note that I used HttpRuntime.AppDomainAppVirtualPath and not Request.ApplicationPath,
because there is no context available in Application_Start when running in integrated mode.
Now I can again sleep soundly... 
There is a serious security flaw in the ASP.NET framework that should be addressed immediately.
This hole was revealed some hours ago by Microsoft (see ASP.NET vulnerability) and could allow an attacker to access any file on the website,
including sensitive information (database connection strings, web.config).
Microsoft security advisory
Test script to run on the server to check vulnerabilities
The workaround is rather simple: be sure to set all custom errors to "On" and to a single file:
<configuration>
    <system.web>
        <customErrors mode="On" defaultRedirect="~/error.html" />
    </system.web>
</configuration>
read more about the workaround
BTW, I took the opportunity to check that all my connection strings are encrypted on the production server...
easy to do with aspnet_regiis.exe
-- Concrete example of encrypting the Web.config file for a particular website...
aspnet_regiis.exe -pef "connectionStrings" "C:\Inetpub\wwwroot\MySite" -prov "DataProtectionConfigurationProvider"
More info about encrypting connection strings
A great post with more information about the flaw, including a demo of a possible attack
Of course, I immediately patched my client's websites...
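As an added example (not part of the original post), the two checks described above, custom errors forced to a single page and encrypted connection strings, can be automated over many web.config files before they are uploaded. The function name, the finding messages and the two sample files are constructed for illustration, and treating per-status error pages as a failure is this example's reading of "a single file".

```python
import xml.etree.ElementTree as ET

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # element name without its XML namespace

def audit_web_config(xml_text):
    """Return findings for one web.config; an empty list means both checks pass."""
    root = ET.fromstring(xml_text)
    findings = []
    # Check 1: every customErrors element (also under <location>) is mode="On"
    # with one defaultRedirect; per-status <error> pages fail (assumed reading).
    custom = [e for e in root.iter() if _local(e.tag) == "customErrors"]
    if not custom:
        findings.append("customErrors: element missing")
    for el in custom:
        if el.get("mode") != "On":
            findings.append("customErrors: mode is %r, expected 'On'" % el.get("mode"))
        if not el.get("defaultRedirect"):
            findings.append("customErrors: no defaultRedirect")
        if any(_local(c.tag) == "error" for c in el):
            findings.append("customErrors: per-status <error> pages defined")
    # Check 2: a protected section has configProtectionProvider + EncryptedData.
    for el in (e for e in root.iter() if _local(e.tag) == "connectionStrings"):
        if el.get("configSource"):
            findings.append("connectionStrings: external file %s not audited" % el.get("configSource"))
        elif len(el) and not (el.get("configProtectionProvider")
                              and any(_local(c.tag) == "EncryptedData" for c in el)):
            findings.append("connectionStrings: stored in clear text")
    return findings

# Constructed sample files (hypothetical values, not from any real site).
HARDENED = """<configuration>
  <connectionStrings configProtectionProvider="DataProtectionConfigurationProvider">
    <EncryptedData><CipherData><CipherValue>PLACEHOLDER</CipherValue></CipherData></EncryptedData>
  </connectionStrings>
  <system.web><customErrors mode="On" defaultRedirect="~/error.html" /></system.web>
</configuration>"""

WEAK = """<configuration>
  <connectionStrings>
    <add name="Main" connectionString="Server=db;Database=app;User Id=app;Password=example" />
  </connectionStrings>
  <system.web><customErrors mode="RemoteOnly">
    <error statusCode="404" redirect="~/404.html" />
  </customErrors></system.web>
</configuration>"""

if __name__ == "__main__":
    print(audit_web_config(HARDENED), audit_web_config(WEAK), sep="\n")
```

The check only confirms that the section is wrapped in EncryptedData; it does not tell which machine's key protects it.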