Encrypt Your Web.config, Please

16 Jul 2009, CC (ASA 2.5), 4 min read

Introduction

If you follow me on Twitter, you may notice me talk about #BadVendor from time to time. Actually, they were recently upgraded to #EpicFailVendor when I discovered they weren’t sanitizing strings before passing them into SQL queries. Needless to say, each day has been a little more shocking than the last.

For the most part, all of these systems are things I can’t make changes to — either it’s compiled code, or I just don’t have the authority to go in and make the fixes, but there is something that I can do — encrypt their web.config files.

Making Encrypting Easier

Encrypting normally involves logging onto the server in question, locating a few mildly obscure pieces of information (the site and the virtual path of the application), and then running aspnet_regiis. It’s not that hard, but it isn’t point-and-click easy either.

I wanted to make it easier to update these files without having to locate all that information each time, so I wrote a little application that handles the whole process. The utility uses credentials you supply to log into your servers via WMI, locates the required information, and then encrypts your files without you ever needing to pull up a command prompt.

I’m not really a WinForms guy and WMI is certainly not my specialty, but this program came together pretty quickly and seems to be fairly decent. It’s certainly not bug free and could use a round of refactoring to make it nicer, so any feedback is appreciated.

How It Works

The first step is to provide your credentials for the server you want to log into. If you run the tool on the server itself, you can leave all those fields blank (WMI won’t use them for local connections anyway). If you aren’t an admin on that server, or at least don’t have an account with elevated privileges, this may not work for you.

[Screenshot: nkript.screen1]

Once you successfully connect to the server, a list of the sites on the server will be loaded along with any virtual directories (since they could potentially contain a web.config file). At this point, you can simply browse around and find the web.config you’re wanting to encrypt.

[Screenshot: nkript.screen2]

It’s worth noting that if there is no file named web.config (that exact name) in a directory, the directory won’t be listed. If you happen to have something named web.temp.config, it won’t show up in this list either.

At this point, the program is going to do a little painful WMI magic and connect out to your server and load the web.config file into the view. The config file will be parsed and all the root nodes will be listed as available to be encrypted.

[Screenshot: nkript.screen3]

There are apparently some rules about what can and cannot be encrypted, so if the underlying aspnet_regiis call fails, you just end up with the same file as before, with no explicit message as to why (I’m still trying to find out how to retrieve messages like that in a semi-reliable way over WMI).
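As an added example (not the article’s utility or its code), here is the programmatic equivalent of what the tool drives through aspnet_regiis: open a site’s web.config through the .NET configuration API, encrypt or decrypt each root section that is actually present in the file, and print the exception text when a section refuses to be protected, which is exactly the reason the WMI route does not hand back. The site folder and the choice of the DPAPI provider are assumptions.

```csharp
using System;
using System.Configuration;
using System.Web.Configuration;   // assemblies: System.Configuration, System.Web
static class WebConfigProtector
{
    // Physical folder holding the web.config to process (assumption; use your site's).
    const string SitePath = @"C:\inetpub\wwwroot\MyApp";
    // DPAPI provider: the key is per machine, so the file decrypts only on this server.
    // RsaProtectedConfigurationProvider is the choice when a web farm shares the file.
    const string Provider = "DataProtectionConfigurationProvider";
    // Encrypts (or, with decrypt = true, decrypts) every root section present in the
    // file and returns how many sections refused the operation.
    static int Protect(string sitePath, bool decrypt)
    {
        // Map "/" onto the folder so the file is opened directly, without an IIS lookup.
        var map = new WebConfigurationFileMap();
        map.VirtualDirectories.Add("/", new VirtualDirectoryMapping(sitePath, true));
        Configuration config = WebConfigurationManager.OpenMappedWebConfiguration(map, "/");
        int failures = 0;
        foreach (string name in config.Sections.Keys)
        {
            try
            {
                ConfigurationSection section = config.Sections[name];
                // Only touch sections written in this file, not inherited ones.
                if (!section.ElementInformation.IsPresent) continue;
                SectionInformation info = section.SectionInformation;
                if (decrypt && info.IsProtected) info.UnprotectSection();
                else if (!decrypt && !info.IsProtected) info.ProtectSection(Provider);
                else continue;                 // already in the requested state
                info.ForceSave = true;         // write it back even if the API sees no change
                Console.WriteLine("{0}: {1}", name, decrypt ? "decrypted" : "encrypted");
            }
            catch (Exception ex)               // e.g. a section the provider refuses to encrypt
            {
                failures++;
                Console.WriteLine("{0}: skipped ({1})", name, ex.Message);
            }
        }
        config.Save(ConfigurationSaveMode.Modified);
        return failures;
    }
    static int Main(string[] args)
    {
        bool decrypt = args.Length > 0 && args[0] == "-d";   // "-d" decrypts, default encrypts
        return Protect(SitePath, decrypt) == 0 ? 0 : 1;
    }
}
```

Because the DPAPI provider is bound to the machine key, a file encrypted this way stops being readable if it is copied to another server; decrypt it first, or use the RSA provider with an exported key container, before moving an application.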

There isn’t much configuration for this application. The default settings are used to perform the encryption and decryption of the web.config files, so if you want to add features, you are more than welcome to. I’d love to hear about your changes so I can fold them into this version.

2gmLEwHP/vZ/NYLeiTattLFnylc= *

It’s not hard to encrypt your web.config files and keep your sensitive information safe. The command line tool aspnet_regiis offers a lot of great functions to further protect your data. Hopefully, this tool allows you to get your work done even faster (that thing up there is SHA1.ComputeHash("*I <3 Encryption") as a Base64 string).

Now, if you’ll excuse me, I need to share this tool with #EpicFailVendor. I dunno about the rest of you, but enough is enough! I’ve had it with these monkey fighting vendors not encrypting their Monday to Friday web.configs!

Mandatory disclaimer: This program is certified as ‘Works On My Machine’ – The author makes no warranties about how it might behave in your environment (but most likely, you have nothing to worry about).

Downloads

Use these links for the latest versions:


License

This article, along with any associated source code and files, is licensed under The Creative Commons Attribution-ShareAlike 2.5 License


Comments and Discussions

Re: How about encrypting using RSA? (webdev_hb, 20-Jul-09 18:35)
I honestly couldn't say with any certainty, but I would mention the following...

- The 'key' files are saved to the 'All Users' folder on the server; however, the file is locked down in such a way that only members of the local admin group can read the file.

- You can change the permissions on the file, but that removes some of the security.

- You can move the file, but I'm not sure that the ASP.net application will be able to find it when it is time to actually decrypt it.

- If there is a way to find it, you will have to open a network share to another server that hosts the key -- but essentially, the file is still just as accessible as if it were sitting on the same server -- and even then, the server you are hosting it on now would have access to read the file, which in turn further decreases its security.

Some of these are just speculation on how it 'could work' -- I wouldn't take me as any sort of authority on this topic :)