Sunday, November 13, 2011

Securing or encrypting the Web.config file from the command line

We will talk about protecting a specific section of the Web.config file using the utilities that ASP.NET provides: the RSA protected configuration provider and the aspnet_regiis.exe tool.
Prerequisites:
(1) Know the Windows identity your application runs as. You can find it by logging this from inside your application (WindowsIdentity lives in System.Security.Principal): "Current Application is running as: " + WindowsIdentity.GetCurrent().Name
For an application pool that uses ApplicationPoolIdentity, the name has the form "IIS APPPOOL\<pool name>".
(2) In IIS Manager, click the 'Sites' node; the ID column shows the site ID of the site your application lives in.
Steps:
(1) Modify web.config to declare a protected-configuration provider and the key container it uses (the key container is where the RSA key pair used for encryption is stored). Add this inside <configuration>:

<configProtectedData>
  <providers>
    <add name="MyRSAProvider"
         type="System.Configuration.RsaProtectedConfigurationProvider,
               System.Configuration, Version=2.0.0.0,
               Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL"
         keyContainerName="MyRSA"
         useMachineContainer="true"/>
  </providers>
</configProtectedData>

Here MyRSA is the key container name, which is used again in the later steps. MyRSAProvider is a placeholder for the provider name (name="..."); the original post does not show one, so pick your own and keep it for step 6. useMachineContainer="true" puts the key in the machine-level key store rather than in a user profile, so an application pool identity can reach it.
(2) You may also want to add the XML namespace to the <configuration> tag so that the types above are recognized:
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
Otherwise the provider type above may not be recognized.
(3) Create the key container on the server. -pc creates a machine-level container; -exp marks the key as exportable, so it can later be exported with -px (add -pri to include the private key) and imported on another server with -pi:
e.g. C:\Windows\Microsoft.NET\Framework\v2.0.50727>aspnet_regiis.exe -pc "MyRSA" -exp
Creating RSA Key container...
Succeeded!
The key file is written to the machine key store, %ALLUSERSPROFILE%\Application Data\Microsoft\Crypto\RSA\MachineKeys on Windows Server 2003 (%ProgramData%\Microsoft\Crypto\RSA\MachineKeys on Vista/2008 and later). You can confirm it was created by checking the modified date of the newest file there.
(4) Grant access to the key container. Access should be given to the application's identity, the one from prerequisite step 1 above. For me it was "IIS APPPOOL\DefaultAppPool".
e.g. C:\Windows\Microsoft.NET\Framework\v2.0.50727>aspnet_regiis -pa "MyRSA" "IIS APPPOOL\DefaultAppPool"
Adding ACL for access to the RSA Key container...
Succeeded!
(5) Do the same for NetFrameworkConfigurationKey. That is the container behind the RsaProtectedConfigurationProvider declared in machine.config, which is the default provider aspnet_regiis -pe uses when no -prov is given, so the application identity needs access to it as well:
e.g. C:\Windows\Microsoft.NET\Framework\v2.0.50727>aspnet_regiis -pa "NetFrameworkConfigurationKey" "IIS APPPOOL\DefaultAppPool"
Adding ACL for access to the RSA Key container...
Succeeded!
(6) Encrypt the section inside Web.config. I wanted to encrypt the connectionStrings section of my Web.config file.
e.g. C:\Windows\Microsoft.NET\Framework\v2.0.50727>aspnet_regiis -pe "connectionStrings" -app "/ui1" -site "1"
Encrypting configuration section...
Succeeded!
For me, the site ID was 1 as shown in the IIS console, and 'ui1' was the alias (virtual path) of my first application.
Note that without -prov this command uses the default provider (the RsaProtectedConfigurationProvider from machine.config, backed by NetFrameworkConfigurationKey), not the MyRSA container from step 1. To encrypt with the provider you declared in step 1, add -prov "<provider name>" to the command, or set defaultProvider="<provider name>" on the <configProtectedData> element. Either way, after the command the section in web.config carries a configProtectionProvider attribute naming the provider and an <EncryptedData> element in place of the plaintext; open the file and check that no plaintext connection string remains.
(7) If you want to encrypt another UI app with the same key, run the command again with the other application's path:
e.g. C:\Windows\Microsoft.NET\Framework\v2.0.50727>aspnet_regiis -pe "connectionStrings" -app "/ui2" -site "1"
Encrypting configuration section...
Succeeded!
The site ID is the same for both apps because they live under the same site.

NOTE: 1. If you want to modify the usernames/passwords or other sensitive information inside Web.config, decrypt the section, edit and save the file, and encrypt it again.
Command to decrypt the connectionStrings section:
run: aspnet_regiis.exe -pd "connectionStrings" -app "/ui1" -site "1"

for app2: aspnet_regiis.exe -pd "connectionStrings" -app "/ui2" -site "1"

After changing the passwords, run steps 6 and 7 again. The file holds plaintext between the decrypt and the re-encrypt, so do the edit on the server and re-encrypt right away rather than copying the decrypted file around.

2. The application needs no extra code: System.Configuration (for example ConfigurationManager.ConnectionStrings) decrypts protected sections transparently when the section is read, provided the process identity has access to the key container (step 4). If that ACL is missing, the application fails on first access to the section with an error such as "The RSA key container could not be opened."
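The following PowerShell script is an added example, not code from the original post. It drives steps 3 to 7 (and the decrypt of note 1) for several applications under one IIS site, then checks the result from both sides: the raw web.config, which is what anyone who can read the file sees, and the configuration API, which is what the application sees (note 2). The site name 'Default Web Site', the provider name 'MyRSAProvider' (the name="" attribute of the provider added in step 1) and the Get-WebFilePath lookup are assumptions the post does not state; the site ID, container name, app aliases and pool identity are the post's. Run it from an elevated PowerShell prompt on the IIS server with the WebAdministration module available.

```powershell
# Added example (not from the original post): aspnet_regiis procedure for several apps plus verification.
Import-Module WebAdministration
Add-Type -AssemblyName System.Web

# 32-bit .NET 2.0 build as in the post; use Framework64 for 64-bit pools, v4.0.30319 for .NET 4.x apps.
$regiis = Join-Path $env:windir 'Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe'

function Invoke-Regiis {
    # aspnet_regiis prints "Succeeded!" or an error and returns a non-zero exit code on
    # failure; stop the script instead of continuing with half the work done.
    param([string[]]$ArgList)
    & $regiis @ArgList
    if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis $($ArgList -join ' ') failed (exit $LASTEXITCODE)" }
}

function Initialize-KeyContainer {
    # Steps 3 to 5: create the machine-level container, then grant the pool identity
    # access to it and to NetFrameworkConfigurationKey (the default provider's container).
    param([string]$Container, [string]$PoolIdentity)
    Invoke-Regiis -ArgList @('-pc', $Container, '-exp')
    Invoke-Regiis -ArgList @('-pa', $Container, $PoolIdentity)
    Invoke-Regiis -ArgList @('-pa', 'NetFrameworkConfigurationKey', $PoolIdentity)
}

function Set-SectionProtection {
    # Steps 6/7, or note 1 with -Decrypt: one aspnet_regiis call per application.
    # -prov selects the provider declared in step 1; without it the machine.config default
    # provider is used and the custom container would not be the one protecting the data.
    param([string]$SiteName, [string[]]$AppPaths, [string]$Provider,
          [string]$Section = 'connectionStrings', [switch]$Decrypt)
    $siteId = (Get-Website -Name $SiteName).Id      # same number the IIS console shows (prerequisite 2)
    foreach ($app in $AppPaths) {
        if ($Decrypt) {
            Invoke-Regiis -ArgList @('-pd', $Section, '-app', $app, '-site', "$siteId")
        } else {
            Invoke-Regiis -ArgList @('-pe', $Section, '-app', $app, '-site', "$siteId", '-prov', $Provider)
        }
    }
}

function Test-SectionProtection {
    # Compares the raw file with what the configuration API returns for one application.
    param([string]$SiteName, [string]$AppPath, [string]$Section = 'connectionStrings')
    $dir = Get-WebFilePath -PSPath "IIS:\Sites\$SiteName\$($AppPath.TrimStart('/'))"   # assumption: WebAdministration lookup
    [xml]$raw = Get-Content (Join-Path $dir 'web.config')
    $node = $raw.configuration.$Section
    # An encrypted section carries configProtectionProvider="..." and an <EncryptedData> child.
    $fileEncrypted = ($null -ne $node.configProtectionProvider) -and ($null -ne $node.EncryptedData)
    # The API decrypts transparently (note 2); reading the strings here fails if the key ACL is wrong.
    $cfg  = [System.Web.Configuration.WebConfigurationManager]::OpenWebConfiguration($AppPath, $SiteName)
    $info = $cfg.GetSection($Section).SectionInformation
    $providerName = '(none)'
    if ($info.IsProtected) { $providerName = $info.ProtectionProvider.Name }
    [pscustomobject]@{
        App             = $AppPath
        FileEncrypted   = $fileEncrypted
        IsProtected     = $info.IsProtected
        Provider        = $providerName                      # shows which container really protects the data
        StringsReadable = $cfg.ConnectionStrings.ConnectionStrings.Count
    }
}

# Usage: the post's scenario (one site, two apps, one container).
$site = 'Default Web Site'      # assumption: the post only gives the site ID (1)
$apps = @('/ui1', '/ui2')
Initialize-KeyContainer -Container 'MyRSA' -PoolIdentity 'IIS APPPOOL\DefaultAppPool'
Set-SectionProtection -SiteName $site -AppPaths $apps -Provider 'MyRSAProvider'
$apps | ForEach-Object { Test-SectionProtection -SiteName $site -AppPath $_ } | Format-Table -AutoSize
# Rotating a password (note 1): Set-SectionProtection ... -Decrypt, edit web.config, then re-run without -Decrypt.
```

The Provider column is the check worth keeping: if it reads RsaProtectedConfigurationProvider rather than the name you declared in step 1, the section was encrypted with the machine.config default container, and the ACL you granted on MyRSA is not the one the application depends on.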

Hope this helps....
