Securing your configuration files in .NET

Having recently debugged a Domino application that stored RDBMS credentials in the Notes.ini file on the server, I was reminded of a very powerful feature built into the .NET 2.0 platform: the ability to encrypt portions of an application's “web.config” file.


We all know that the physical security of our servers is the first layer of application security, but few ever think about development servers. These servers tend to allow developers a lot more access than normal, and this opens up a Pandora’s box in which even non-developers could get hold of some DB connection strings.

The encryption can use the default, machine-specific cipher, or an RSA key in the event that you use a server farm. It can be done from the command line with the aspnet_regiis.exe tool, or programmatically. The programmatic route is useful if you work in a very secure environment where password changes are forced on a periodic basis: you can have a scheduled process that changes your password, updates your web.config, and then re-encrypts it.

Here is some VB.NET code to encrypt and decrypt any given section:

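Imports System.Configuration
Imports System.Web
Imports System.Web.Configuration

' Encrypts the named section (for example "connectionStrings") in the current
' application's web.config using the machine-specific DPAPI provider.
Public Sub EncryptSection(ByVal strSection As String)
    Dim config As System.Configuration.Configuration = _
        WebConfigurationManager.OpenWebConfiguration(HttpContext.Current.Request.ApplicationPath)
    ' GetSection also resolves nested paths such as "system.web/identity"
    ' and returns Nothing when the section does not exist.
    Dim section As ConfigurationSection = config.GetSection(strSection)
    If section IsNot Nothing AndAlso Not section.SectionInformation.IsProtected Then
        section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider")
        config.Save()
    End If
End Sub

' Decrypts the named section and writes it back to web.config in clear text.
Public Sub DecryptSection(ByVal strSection As String)
    Dim config As System.Configuration.Configuration = _
        WebConfigurationManager.OpenWebConfiguration(HttpContext.Current.Request.ApplicationPath)
    Dim section As ConfigurationSection = config.GetSection(strSection)
    If section IsNot Nothing AndAlso section.SectionInformation.IsProtected Then
        section.SectionInformation.UnprotectSection()
        config.Save()
    End If
End Sub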
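
The scheduled password-rotation process mentioned above could look like the following. This is an added example, not code from the original post. It assumes the job runs on the web server itself under an account that can write web.config, that the database password has already been changed, and that the module name, the virtual path (e.g. "/MyApp") and the connection string name are hypothetical.

```vbnet
Imports System.Configuration
Imports System.Data.Common
Imports System.Web.Configuration

Public Module ConnectionStringRotation   ' hypothetical name, not from the post

    ' Replaces the password inside one named connection string and makes sure
    ' <connectionStrings> is written back encrypted.
    ' appPath is the application's virtual path; it is passed in because a
    ' scheduled job has no HttpContext to read it from.
    Public Sub RotatePassword(ByVal appPath As String, _
                              ByVal name As String, _
                              ByVal newPassword As String)
        Dim config As System.Configuration.Configuration = _
            WebConfigurationManager.OpenWebConfiguration(appPath)
        Dim section As ConnectionStringsSection = config.ConnectionStrings
        Dim entry As ConnectionStringSettings = section.ConnectionStrings(name)
        If entry Is Nothing Then
            Throw New ConfigurationErrorsException( _
                "No connection string named '" & name & "' in " & appPath)
        End If

        ' Reading the value decrypts it transparently. The builder takes care
        ' of quoting, so a new password containing ';' or '=' cannot corrupt
        ' the rest of the connection string.
        Dim builder As New DbConnectionStringBuilder()
        builder.ConnectionString = entry.ConnectionString
        ' Assumption: the string uses either the "Pwd" or the "Password" keyword.
        Dim key As String = "Password"
        If builder.ContainsKey("Pwd") Then key = "Pwd"
        builder(key) = newPassword
        entry.ConnectionString = builder.ConnectionString

        ' Protect the section if an earlier deployment left it in clear text;
        ' an already protected section is re-encrypted automatically on Save.
        If Not section.SectionInformation.IsProtected Then
            section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider")
        End If
        section.SectionInformation.ForceSave = True
        config.Save(ConfigurationSaveMode.Modified)
    End Sub

End Module
```

Because DataProtectionConfigurationProvider is machine-specific, the job has to run on the same server that will later read the file.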

One Response to “Securing your configuration files in .NET”

  1. Egor Margineanu Says:

    Hi

    Tnx for this magical series.
    The best introductory tutorial I saw since I work in IT.

    Egor.
