Web.config

  • Chris Fink

    Web.config

    Should the web.config file be included in my deployment, i.e. physically
    located in the web app's virtual directory on a release? It makes me
    nervous having my DB conn string, etc. in an ASCII file so available. I am
    hoping the answer is "it gets compiled, and is placed in the
    \bin\myproject.dll file"

    Chris


  • Charlie Nilsson [MSFT]

    #2
    RE: Web.config


    The web.config file is human readable, and not encoded - meaning, yes, if
    you are concerned with security, you should encrypt (or store elsewhere)
    sensitive data like connection strings. The web.config file is a means of
    altering the state of an application while it's running, without shutting
    down services.

    One solution is to encrypt the connection string (or any sensitive data)
    using the available crypto classes in the security assembly. Then you can
    decrypt the connection string when it's needed by the application. I'll
    paste some sample code for this below.


    Charlie Nilsson [msft]
    Visual Studio Update


    '#####################################################################
    ' Sample encryption code in VB
    '#####################################################################
    Imports System
    Imports System.IO
    Imports System.Security.Cryptography
    Imports System.Text

    Public Class MyCryptoClass

    'private key - enter random numbers here (24 bytes = 192-bit TripleDES key)
    'NOTE: this key is compiled into the assembly, so anyone who can read the
    'DLL can read the key; protect the DLL as carefully as the plaintext
    Private Shared key() As Byte = {12, 52, 53, 124, 33, 36, 77, 48, 29, 50, _
    111, 112, 213, 14, 135, 116, 167, 198, 109, 200, 211, 29, 33, 35}
    'init vector - must be exactly the TripleDES block size (8 bytes), or
    'CreateEncryptor/CreateDecryptor throw a CryptographicException
    Private Shared iv() As Byte = {12, 125, 37, 140, 65, 56, 76, 18}

    '#####################################################################
    ' Encrypt
    ' - Encrypts a plaintext string, returns Base64-encoded ciphertext
    '#####################################################################
    Public Shared Function Encrypt(ByVal plainText As String) As String
    Dim cryptoProvider As TripleDESCryptoServiceProvider = New TripleDESCryptoServiceProvider
    Dim ms As MemoryStream = New MemoryStream
    Dim cs As CryptoStream = New CryptoStream(ms, _
    cryptoProvider.CreateEncryptor(key, iv), CryptoStreamMode.Write)
    Dim sw As StreamWriter = New StreamWriter(cs)
    sw.Write(plainText)
    sw.Flush()
    'pad and write the final block before reading the buffer
    cs.FlushFinalBlock()
    'ToArray() returns exactly the bytes written; GetBuffer() may include
    'unused capacity beyond ms.Length
    Dim cipherBytes As Byte() = ms.ToArray()
    sw.Close()
    'convert back to a string
    Return Convert.ToBase64String(cipherBytes)
    End Function

    '#####################################################################
    ' Decrypt
    ' - Decrypts a Base64-encoded ciphertext string back to plaintext
    '#####################################################################
    Public Shared Function Decrypt(ByVal encodedText As String) As String
    Dim cryptoProvider As TripleDESCryptoServiceProvider = New TripleDESCryptoServiceProvider
    'convert from Base64 string to byte array
    Dim buffer As Byte() = Convert.FromBase64String(encodedText)
    Dim ms As MemoryStream = New MemoryStream(buffer)
    Dim cs As CryptoStream = New CryptoStream(ms, _
    cryptoProvider.CreateDecryptor(key, iv), CryptoStreamMode.Read)
    Dim sr As StreamReader = New StreamReader(cs)
    Dim plainText As String = sr.ReadToEnd()
    sr.Close()
    Return plainText
    End Function

    End Class
    --

    This posting is provided "AS IS" with no warranties, and confers no rights.
    Use of included script samples are subject to the terms specified at
    http://www.microsoft.com/info/cpyright.htm
    Note: For the benefit of the community-at-large, all responses to this
    message are best directed to the newsgroup/thread from which they
    originated.



    • Alek Davis

      #3
      Re: Web.config

      Or you can use a tool like this one (or roll out your own as Charlie
      suggested): http://www.obviex.com/cipherlite/. However, be aware of the risk
      of embedding the key in your application source code.

      Alek

      "Charlie Nilsson [MSFT]" <CharlieNilsson_CUTOUT_@hotmail.com> wrote in
      message news:SyYtrd8RDHA.1636@cpmsftngxa06.phx.gbl...
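      Charlie's suggestion (encrypt the connection string so web.config holds no plaintext) and Alek's caveat (a key embedded in the application is itself exposed) are both covered by .NET Protected Configuration, available since .NET Framework 2.0, which keeps the key in the machine's DPAPI key store instead of in source. The following PowerShell is an added example, not code from either poster or from Microsoft: it assumes .NET Framework 2.0 or later, an elevated Windows PowerShell prompt on the web server itself, and a placeholder application path.

```powershell
# Added example: encrypt the <connectionStrings> section of a deployed web.config
# with the DPAPI protected-configuration provider, then verify the result on disk.
# Assumptions: .NET Framework 2.0+ installed; run elevated on the target server;
# $appPath is a placeholder for the web application's physical directory.

$appPath   = 'C:\inetpub\wwwroot\MyApp'   # placeholder
$webConfig = Join-Path $appPath 'web.config'
$regiis    = Join-Path $env:windir 'Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe'

# -pef encrypts one section of the web.config found at a physical directory.
# -prov selects DPAPI (machine key store) instead of the default RSA provider,
# so no key material is ever written into source code or the assembly.
& $regiis -pef 'connectionStrings' $appPath -prov 'DataProtectionConfigurationProvider'
if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis failed with exit code $LASTEXITCODE" }

# Check 1: the section now carries configProtectionProvider and an <EncryptedData> child.
[xml]$cfg = Get-Content -Path $webConfig -Raw
$section = $cfg.configuration.connectionStrings
if ($section.configProtectionProvider -ne 'DataProtectionConfigurationProvider') {
    throw 'connectionStrings is not protected'
}
if (-not $section.EncryptedData) { throw 'no <EncryptedData> element found' }

# Check 2: no plaintext password is left anywhere in the file (heuristic match).
if ((Get-Content -Path $webConfig -Raw) -match '(?i)password\s*=') {
    throw 'web.config still contains a plaintext password'
}
Write-Host "connectionStrings in $webConfig is DPAPI-encrypted; ConfigurationManager decrypts it transparently at runtime."

# An administrator can reverse the step to edit the section:
#   & $regiis -pdf 'connectionStrings' $appPath
```

      The DPAPI provider is machine-scoped, so run this on each target server after the files are deployed rather than on a build machine; a web.config encrypted elsewhere cannot be decrypted there. Machine-scope DPAPI also means any local account that can read the file can ask DPAPI to decrypt it, so the NTFS permissions on web.config still matter.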



      • David Waz...

        #4
        Re: Web.config

        It must be included, in its raw form.

        However, IIS won't allow browsing the file - it's specifically DISALLOWED -
        so no exposure there.
        As far as local access, set Windows security for only the internal IIS user,
        developers group, etc. to have access, and you should be OK.

        "Chris Fink" <chris@chrisfink.com> wrote in message
        news:#w71iT8RDHA.2408@TK2MSFTNGP10.phx.gbl...
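        David's two points (IIS refuses to serve web.config over HTTP, and local access should be limited with Windows security) become one ACL-tightening step plus two checks. The following PowerShell is an added example, not David's code: it assumes IIS 7 or later with an application pool identity, Windows PowerShell 5.1 (the catch clause relies on Invoke-WebRequest raising WebException on a non-success status), and placeholder values for the path, pool name and site URL.

```powershell
# Added example: restrict NTFS access to a deployed web.config to the accounts that
# need it, then confirm the ACL is narrow and that IIS refuses to serve the file.
# Assumptions: IIS 7+ app pool identity; Windows PowerShell 5.1; placeholders below.

$webConfig    = 'C:\inetpub\wwwroot\MyApp\web.config'   # placeholder
$poolIdentity = 'IIS AppPool\MyAppPool'                 # placeholder: app pool virtual account
$siteUrl      = 'http://localhost/MyApp'                # placeholder

# Drop inherited ACEs and grant only: read for the app pool identity, full control
# for SYSTEM and local Administrators. No Users/Everyone entry survives, so other
# local accounts cannot read the connection string from disk.
icacls $webConfig /inheritance:r `
    /grant:r "${poolIdentity}:(R)" `
    /grant:r 'NT AUTHORITY\SYSTEM:(F)' `
    /grant:r 'BUILTIN\Administrators:(F)'
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# Check 1: the resulting ACL contains no broad principal.
$acl   = Get-Acl -Path $webConfig
$broad = $acl.Access | Where-Object {
    $_.IdentityReference.Value -match '^(Everyone|BUILTIN\\Users|NT AUTHORITY\\Authenticated Users)$'
}
if ($broad) {
    throw "web.config is still readable by: $($broad.IdentityReference.Value -join ', ')"
}

# Check 2: IIS request filtering hides web.config, so a direct request must not succeed.
try {
    $resp = Invoke-WebRequest -Uri "$siteUrl/web.config" -UseBasicParsing
    throw "web.config was served over HTTP with status $($resp.StatusCode)"
} catch [System.Net.WebException] {
    $status = [int]$_.Exception.Response.StatusCode
    Write-Host "Direct request for web.config refused by IIS (HTTP $status), as expected."
}
Write-Host "ACL on $webConfig restricted to $poolIdentity, SYSTEM and Administrators."
```

        The file-level ACL is what protects the secret from other processes on the same host; the HTTP check only confirms the default IIS behaviour David describes and should be rerun after any change to request filtering or handler mappings.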

