Monday, April 16, 2007

Encrypted connection strings and Enterprise Library

A very important aspect of a web application is security. We use authentication, encrypted passwords, SSL and so on. But what we all have in our web.config file is a connection string - with a password in it. There are two ways to minimise this security risk:

  1. use integrated security, so that the connection string looks something like:

     <add key="DBConnStr" value="server=(local);Integrated Security=SSPI;database=MyDB" />

  2. encrypt the connection string

The first option seems safe, but the application will then access the database as the system account, which is not that secure after all.

The second option is the best choice. The connection string entry would look something like this:

<add key="DBConnStr" value="8cEr3iC2W9ITIqNm4UA5YH7HfrGiZzA5a6acrx4G" />

You would have to decrypt the connection string each time you use it.

But if you use Enterprise Library for the data access layer, this option is not usable, since Enterprise Library reads the connection string from web.config itself and you get no chance to decrypt it first. So, what is to be done? Fortunately, Microsoft provides us with the possibility of having encrypted sections that EL can read, and the tools that do the job.

Before:

<add name="DefaultDB" connectionString="Data source=sql01; Initial Catalog=MyCat; User Id=sa; Password=pwwd; " providerName="System.Data.SqlClient" />

Actions:

1. edit web.config by adding the following section (the provider's name attribute is not given in the original post; substitute your own):

<configProtectedData>
  <providers>
    <add name="YourProviderName"
         type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0, Culture=neutral, processorArchitecture=MSIL"
         keyContainerName="connectionTestKey" />
  </providers>
</configProtectedData>

2. generate a new RSA cryptographic key container:

aspnet_regiis -pc "connectionTestKey" -exp

This will create a new machine level key container in the following location:

C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys

Make sure the ASPNET account has read access in this directory.

3. grant access to the key container:

aspnet_regiis -pa "connectionTestKey" "ASPNET"

4. Encrypt the section of your web.config file

aspnet_regiis -pe "connectionStrings" -app "/virtual_directory_name"

After:

 
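The same protection can be applied and checked from code instead of with aspnet_regiis, using the System.Configuration API the tool relies on. This is an added example, not code from the original post: it assumes a console application referencing System.Configuration and System.Web, run by an account that can open the RSA key container, and a provider name registered in web.config (the post does not give one, so "RsaProtectedConfigurationProvider", the machine.config default, is used here).

```csharp
using System;
using System.Configuration;
using System.Web.Configuration;

static class ConnectionStringProtector
{
    // Encrypts the connectionStrings section in place if it is not already
    // protected. Returns true when the section is protected on return.
    public static bool Protect(string appPath, string providerName)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appPath);
        ConfigurationSection section = config.GetSection("connectionStrings");
        if (section == null) return false;

        if (!section.SectionInformation.IsProtected)
        {
            // Same effect as: aspnet_regiis -pe "connectionStrings" -app appPath -prov providerName
            section.SectionInformation.ProtectSection(providerName);
            section.SectionInformation.ForceSave = true;
            config.Save(ConfigurationSaveMode.Modified);
        }
        return section.SectionInformation.IsProtected;
    }

    // Shows why Enterprise Library keeps working: the runtime decrypts the
    // section while loading the configuration, so callers (and EL) receive
    // the plaintext connection string and never see the RSA blob.
    public static string ReadConnectionString(string appPath, string name)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appPath);
        ConnectionStringSettings settings = config.ConnectionStrings.ConnectionStrings[name];
        return settings == null ? null : settings.ConnectionString;
    }

    static void Main()
    {
        // Application path and section name taken from the post above.
        const string appPath = "/virtual_directory_name";
        bool protectedNow = Protect(appPath, "RsaProtectedConfigurationProvider");
        Console.WriteLine("connectionStrings protected: " + protectedNow);

        // Prints the original "Data source=sql01; ..." value, not ciphertext,
        // while web.config on disk now holds only the encrypted section.
        Console.WriteLine(ReadConnectionString(appPath, "DefaultDB"));
    }
}
```

Checking IsProtected after deployment is a cheap way to catch a web.config that was copied in unencrypted; the decrypted value should never be logged.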

Posted by Madalina at 16:19:36