Do you put your connection strings in web.config?

Don’t we all? Isn’t it what we were told to do. ASP.NET protects the web.config file so nobody can browse to it and see your connection strings, logins and passwords and whatever else you have hidden in there. Right?

But guess what, that’s just not good enough anymore! Hackers who know how to get into your webserver and get around asp.net can get at the web.config file.

This is one of the things we are talking about in the DevDays ASP.NET Security track.

One of the ways to protect the strings is to encrypt them (which isn’t so hard) but decrypting them *is* (and should be, if you think about it…). DPAPI (a win32 api – not managed code) is used to handle the keys for encrypting and decrypting your data but it is pretty confusing to use especially if you are not used to dealing with unmanaged code. (In that case, if you want to get more comfy with that, keep up with Sam Gentile’s MSDN series on COM Interop.)

Enter the Configuration Management Application Block for .NET . Among it’s features is it’s ability handle this encryption/decryption for you.

How does the Configuration Management Application Block improve the security and integrity of application configuration data?

Regardless of the type of data or the store in which the data is held, you can configure the Configuration Management Application Block to use the data signing and encryption services provided by a Data Protection Provider. The Configuration Management Application Block provides two Data Protection Provider implementations and the extensible architecture of the Configuration Management Application Block means that you can easily seamlessly integrate your own Data Protection Provider implementation

Phew! (You’d be saying that too if you looked at the code for working with DPAPI.)

Also – Whidbey will have a managed wrapper for DPAPI so a lot of this will be easier to do yourself down the road. My understanding is that this is actually related to the work that was done for the App Block. (Or maybe the other way around?)

  Sign up for my newsletter so you don't miss my conference & Pluralsight course announcements!  

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.