How do you encrypt a connection string?


This article shows one way to keep secrets out of the readable part of web.config. Storing the database connection string in web.config is normal practice: it avoids hard-coding and can be changed without recompiling. The problem is that anybody with access to the solution (source control, build share, backup) can read the database user name and password, and can change them. To address this, Microsoft provides a tool called aspnet_setreg.exe (see Microsoft KB 329290) that lets you move the connection string, or any other setting you want protected, out of web.config.
Aspnet_setreg.exe encrypts the value you give it with the Windows Data Protection API (DPAPI, machine store) and writes the encrypted blob to a registry key of your choice; web.config then only holds a pointer to that key. Any web.config key value can be protected this way.
How is it done? Suppose your database connection string is DSN=test;uid=test;pwd=test;. Your web.config entry would normally be:
[source:xml]
<configuration>
  <appSettings>
    <add key="sqlConnectionString" value="DSN=test;uid=test;pwd=test;" />
  </appSettings>
</configuration>
[/source]
With this entry anyone who can open web.config can read the database user name and password in clear text.
Now we will see how to use aspnet_setreg.exe.
First, create the encrypted registry entry with aspnet_setreg.exe (run it on the web server, as an administrator, since it writes under HKEY_LOCAL_MACHINE).
Example:
aspnet_setreg.exe -k:SOFTWARE\Your_Service\SessionState -c:sqlConnectionString="DSN=test;uid=test;pwd=test;"
After running the command you will find a new subkey ASPNET_SETREG under HKEY_LOCAL_MACHINE\SOFTWARE\Your_Service\SessionState, containing a REG_BINARY value named sqlConnectionString with the encrypted data. Clear the command from your shell history afterwards: the plaintext password was just typed on the command line.
Now the entry in web.config should look like this:
[source:xml]
<appSettings>
  <add key="sqlConnectionString"
       value="registry:HKLM\SOFTWARE\Your_Service\SessionState\ASPNET_SETREG,sqlConnectionString" />
</appSettings>
[/source]
Note that ASP.NET itself only resolves the registry: syntax for the identity, processModel and sessionState configuration elements. For an appSettings key like this one the application has to read the registry and decrypt the value itself, which is what the next section does.

Getting back the Connection String
Now we will see how to get the connection string back in the project. The connection string is encrypted and stored in the registry, so the bytes read from the registry must be decrypted before use. On .NET 1.x this needs a free third-party DLL called NCrypto, whose source is available at http://sourceforge.net/projects/ncrypto/; it wraps DPAPI and provides the ProtectedData class used below. (On .NET 2.0 and later the equivalent class, System.Security.Cryptography.ProtectedData in System.Security.dll, ships with the framework.)
Sample code
[source:c#]
using System;
using System.Configuration;
using System.Text;
using Microsoft.Win32;
using NCrypto.Security.Cryptography;

// Reads the "registry:HKLM\<key>,<valueName>" pointer from appSettings, loads the
// DPAPI-encrypted blob written by aspnet_setreg.exe and returns the plaintext connection string.
private string DecryptString()
{
    string pConnectionString = ConfigurationSettings.AppSettings["sqlConnectionString"];
    string sSqlConnectionString = null;
    RegistryKey regKey = null;
    try
    {
        // Value looks like: registry:HKLM\SOFTWARE\Your_Service\SessionState\ASPNET_SETREG,sqlConnectionString
        // Split off the "registry:" prefix (at most one split, so a ':' later in the path is safe)
        string[] parts = pConnectionString.Split(new char[] { ':' }, 2);
        // Split the remainder into the key path and the value name
        string[] regKeyPath = parts[1].Split(',');
        string subKey = regKeyPath[0].Replace("HKLM\\", "");
        string valueName = regKeyPath[1];

        // The worker-process account needs read access to this key (see "Important" below)
        regKey = Registry.LocalMachine.OpenSubKey(subKey);
        if (regKey == null)
            throw new ApplicationException("Registry key not found: HKLM\\" + subKey);

        // Get the encrypted value (REG_BINARY)
        byte[] registryBytes = (byte[])regKey.GetValue(valueName);

        // Decrypt the DPAPI blob; the plaintext is UTF-16 text of the form "sqlConnectionString=DSN=..."
        sSqlConnectionString = Encoding.Unicode.GetString(ProtectedData.Unprotect(registryBytes));

        // Strip the leading "sqlConnectionString=" so only the connection string remains
        string prefix = valueName + "=";
        if (sSqlConnectionString.StartsWith(prefix))
            sSqlConnectionString = sSqlConnectionString.Substring(prefix.Length);
    }
    catch (Exception e)
    {
        // Do not swallow the error silently: a missing key or a permissions problem would
        // otherwise surface later as a null connection string. Log the message, never the plaintext.
        System.Diagnostics.Trace.WriteLine("Could not decrypt connection string: " + e.Message);
    }
    finally
    {
        if (regKey != null)
            regKey.Close();
    }
    return sSqlConnectionString;
}
[/source]
This function reads the encrypted value from the registry, decrypts it and returns the connection string ready for use.
Important
After creating the registry entry with aspnet_setreg.exe you must give the ASP.NET worker-process account read permission on the key HKEY_LOCAL_MACHINE\SOFTWARE\Your_Service\SessionState\ASPNET_SETREG. On IIS 6 that account is Network Service by default (on IIS 5.x it is the local ASPNET account; if the application pool runs under a custom identity, use that account). Open regedit, navigate to the key, and grant that account Read permission only; without it the decryption code above fails with an access-denied error, and with more than Read the application could overwrite its own credentials.
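The two steps above, granting the worker-process account read access to the key and checking that the stored value decrypts, can be scripted instead of done by hand in regedit. The following PowerShell is an added example, not part of the original article and not from the aspnet_setreg.exe tool; it assumes the article's sample key path and value name, an IIS 6 style Network Service identity (change $account for a custom application-pool identity), and .NET 2.0 or later so that the built-in System.Security.Cryptography.ProtectedData class can be used in place of NCrypto. Run it in an elevated PowerShell on the web server after aspnet_setreg.exe has been run.

```powershell
# Added example (not from the article): grant the worker-process account read access to the
# ASPNET_SETREG key and confirm the stored value decrypts with machine-scope DPAPI.
$keyPath   = 'SOFTWARE\Your_Service\SessionState\ASPNET_SETREG'   # article's sample key
$valueName = 'sqlConnectionString'                                  # article's sample value name
$account   = 'NT AUTHORITY\NETWORK SERVICE'   # assumption: IIS 6 default; use your app pool identity if different

# 1. Grant Read (never FullControl) on the key; this is the regedit step from the article.
$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
    $keyPath,
    [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
    [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
    [System.Security.AccessControl.RegistryRights]::ReadKey)
if ($null -eq $key) { throw "Key HKLM\$keyPath not found; run aspnet_setreg.exe first." }
$acl  = $key.GetAccessControl()
$rule = New-Object System.Security.AccessControl.RegistryAccessRule(
    $account,
    [System.Security.AccessControl.RegistryRights]::ReadKey,
    [System.Security.AccessControl.InheritanceFlags]::None,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.SetAccessRule($rule)
$key.SetAccessControl($acl)
$key.Close()

# 2. Read the encrypted blob back the way the application will, and decrypt it.
#    aspnet_setreg stores a DPAPI blob protected in the machine store, so any process on this
#    machine can decrypt it; the .NET 2.0+ ProtectedData class replaces the NCrypto wrapper.
Add-Type -AssemblyName System.Security
$blob = [Microsoft.Win32.Registry]::GetValue("HKEY_LOCAL_MACHINE\$keyPath", $valueName, $null)
if ($blob -isnot [byte[]]) { throw "Value $valueName is missing or not REG_BINARY." }
$plain = [System.Text.Encoding]::Unicode.GetString(
    [System.Security.Cryptography.ProtectedData]::Unprotect(
        $blob, $null, [System.Security.Cryptography.DataProtectionScope]::LocalMachine))

# The article's decrypt routine strips a leading "sqlConnectionString=" from the plaintext;
# do the same, then report success without printing the password.
$prefix = "$valueName="
if ($plain.StartsWith($prefix)) { $plain = $plain.Substring($prefix.Length) }
$plain = $plain.TrimEnd([char]0)
Write-Host ("Decrypted OK ({0} chars): {1}" -f $plain.Length,
    ($plain -replace '(?i)(pwd|password)=[^;]*', '$1=***'))
```

Step 2 is also the quickest way to prove the point made in the conclusion: the script decrypts the value as the administrator, not as Network Service, because machine-store DPAPI is tied to the machine, not to the account that wrote the secret.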
Conclusion
This is a reasonable practice for keeping credentials out of web.config: the file checked into source control and copied around with the solution no longer contains the password. Be clear about what it protects against, though. The value is encrypted with machine-store DPAPI, so anyone who can run code on the web server as an account with read access to the key (including the web application itself) can decrypt it; it protects the secret from people who see the source tree, not from people who control the server.
