Following the recent discovery of this ASP.NET security flaw, I checked all my production web.config files to set the correct custom errors,
and also to verify that the connection strings are encrypted.

As you certainly know, you can do it on the server with the aspnet_regiis.exe command;
but you have to run it manually, and take care not to upload an unencrypted web.config later... not very practical when you manage dozens of websites...

As there is an easy way to encrypt a web.config section programmatically,
I found it wise to have Application_Start check that the connectionStrings section is encrypted, and encrypt it automatically otherwise...

    ' Global.asax: needs the System.Configuration and System.Web.Configuration
    ' namespaces (<%@ Import Namespace="..." %> in the .asax, or Imports in code-behind).
    Sub Application_OnStart()

        ' Open the running application's own web.config (no HttpContext is
        ' available here, hence HttpRuntime rather than Request).
        Dim config As Configuration = WebConfigurationManager.OpenWebConfiguration(HttpRuntime.AppDomainAppVirtualPath)
        Dim section As ConfigurationSection = config.GetSection("connectionStrings")
        ' Encrypt the section in place with DPAPI and write web.config back.
        If section.SectionInformation.IsProtected = False Then
            section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider")
            config.Save()
        End If

    End Sub


To avoid encrypting the connection strings on the development server, I simply added a test and a key in appSettings...

    Sub Application_OnStart()

        ' Encrypt unless the key is present and explicitly set to false, so a
        ' production web.config without the key still gets encrypted.
        If ConfigurationManager.AppSettings("AutomaticallyEncryptConnectionStrings") Is Nothing _
        OrElse CType(ConfigurationManager.AppSettings("AutomaticallyEncryptConnectionStrings"), Boolean) = True Then

            Dim config As Configuration = WebConfigurationManager.OpenWebConfiguration(HttpRuntime.AppDomainAppVirtualPath)
            Dim section As ConfigurationSection = config.GetSection("connectionStrings")
            If section.SectionInformation.IsProtected = False Then
                section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider")
                config.Save()
            End If
        End If

    End Sub

appSettings key:

    <appSettings>
        <add key="AutomaticallyEncryptConnectionStrings" value="false"/>      
    </appSettings>


Please note that I used HttpRuntime.AppDomainAppVirtualPath and not Request.ApplicationPath,
because there is no request context available in Application_Start when running in IIS integrated pipeline mode (touching Request there throws "Request is not available in this context").
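As an added example (my code, not the original post's), here is a fuller version of the same Application_Start check: it covers several secret-bearing sections, takes the protection provider from an appSettings key, skips sections the config does not declare or has locked, saves only when something was actually encrypted, and logs a permission failure instead of silently leaving the site unencrypted. The section list beyond connectionStrings and the ProtectedConfigurationProvider key are assumptions chosen for illustration; the opt-out key is the one from the post.

```vb
' Added example, not the original post's code. Global.asax code-behind that
' encrypts several web.config sections on start-up.
' Assumed appSettings keys: AutomaticallyEncryptConnectionStrings (from the post)
' and ProtectedConfigurationProvider (hypothetical, for this example only).
Imports System
Imports System.Configuration
Imports System.Diagnostics
Imports System.Web
Imports System.Web.Configuration

Public Class Global_asax
    Inherits HttpApplication

    ' Sections that hold secrets. connectionStrings is the post's case; the SMTP
    ' section is an assumed extra, edit the list to match your own web.config.
    Private Shared ReadOnly SectionsToProtect As String() = _
        New String() {"connectionStrings", "system.net/mailSettings/smtp"}

    Sub Application_Start(ByVal sender As Object, ByVal e As EventArgs)
        ' Opt-out switch: a missing or unparsable value means "encrypt" (fail closed),
        ' so a production web.config that forgets the key is still protected.
        Dim encrypt As Boolean = True
        Dim raw As String = ConfigurationManager.AppSettings("AutomaticallyEncryptConnectionStrings")
        If raw IsNot Nothing AndAlso Not Boolean.TryParse(raw, encrypt) Then encrypt = True
        If Not encrypt Then Return

        ' DataProtectionConfigurationProvider (DPAPI) binds the ciphertext to this
        ' machine; on a web farm use RsaProtectedConfigurationProvider with a key
        ' container imported on every node. Default is the provider from the post.
        Dim provider As String = If(ConfigurationManager.AppSettings("ProtectedConfigurationProvider"), _
                                    "DataProtectionConfigurationProvider")

        Try
            ' No HttpContext in integrated mode, so use the runtime's own path.
            Dim config As Configuration = _
                WebConfigurationManager.OpenWebConfiguration(HttpRuntime.AppDomainAppVirtualPath)
            Dim changed As Boolean = False

            For Each name As String In SectionsToProtect
                Dim section As ConfigurationSection = config.GetSection(name)
                ' GetSection returns Nothing for sections this config never declares.
                If section Is Nothing OrElse section.SectionInformation.IsProtected Then Continue For
                ' Sections locked by machine.config or the root web.config cannot be
                ' rewritten from the application; leave those to aspnet_regiis.
                If section.SectionInformation.IsLocked Then
                    Trace.TraceWarning("Section {0} is locked; encrypt it with aspnet_regiis instead.", name)
                    Continue For
                End If
                section.SectionInformation.ProtectSection(provider)
                changed = True
            Next

            ' Save rewrites web.config, which makes ASP.NET recycle the application
            ' domain; only do it when something was encrypted, so a clean start-up
            ' does not trigger a needless restart.
            If changed Then config.Save(ConfigurationSaveMode.Modified)
        Catch ex As UnauthorizedAccessException
            ' The application pool identity needs write access to web.config for
            ' this to work. Log loudly: a silent failure means plaintext secrets.
            Trace.TraceError("Cannot encrypt web.config sections: {0}", ex.Message)
        Catch ex As ConfigurationErrorsException
            Trace.TraceError("Cannot encrypt web.config sections: {0}", ex.Message)
        End Try
    End Sub
End Class
```

Two caveats apply to this version and to the post's original: config.Save only works if the application pool identity can write web.config, which is a permission you would not otherwise grant to the web process, so weigh that against the convenience; and with DataProtectionConfigurationProvider the encrypted file only decrypts on the machine that encrypted it, so for a farm prefer RsaProtectedConfigurationProvider and move the key container between servers with aspnet_regiis -px / -pi. Either way, the unencrypted file sits on disk from the moment it is uploaded until the first request starts the application, so the upload itself still has to be handled carefully.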


Now I can sleep soundly again... ;-)