CRV2 SecCommsdotNet

Revision as of 22:37, 14 July 2013

Password protection and sensitive information

A web.config file often holds sensitive information: database passwords in connection strings, mail server user names and passwords, impersonation credentials and similar values. Anyone who can read the file, whether through source control, a backup, or a file-disclosure flaw in the application, obtains those credentials in clear text.

Sections that should be encrypted whenever they hold secrets are:

<appSettings>. Custom application settings, which often hold credentials or keys.
<connectionStrings>. Connection strings.
<identity>. Impersonation credentials (the userName and password attributes).
<sessionState>. The connection string for an out-of-process (SQL Server or state server) session state provider.

Passwords and user names in the <connectionStrings> section should be encrypted. ASP.NET supports this through the aspnet_regiis.exe utility, which is installed with the .NET Framework under

%windir%\Microsoft.NET\Framework\v2.0.50727

(for .NET Framework 4 the folder is v4.0.30319, and 64-bit application pools use the Framework64 tree instead of Framework). Specify the section to encrypt together with the physical directory that contains the web.config:

aspnet_regiis -pef "connectionStrings" <physical path of the application directory>

For an application registered in IIS, the -pe switch with -app "/VirtualPath" does the same by site path; -pdf and -pd reverse the operation. The section is encrypted in place and ASP.NET decrypts it transparently at runtime, so code that reads ConfigurationManager.ConnectionStrings needs no change.

Encrypting sections in Web.Config file

Even though encrypting sections is possible, not all sections can be encrypted. The exceptions are sections the runtime reads before any user code runs, that is before the protected-configuration providers themselves are loaded, so nothing is available to decrypt them. The following sections cannot be encrypted:

*<processModel>
*<runtime>
*<mscorlib>
*<startup>
*<system.runtime.remoting>
*<configProtectedData>
*<satelliteassemblies>
*<cryptographySettings>
*<cryptoNameMapping>
*<cryptoClasses>
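The encrypt, verify and decrypt cycle described above, as an added PowerShell example that is not code from the OWASP page or from Microsoft. It assumes .NET Framework 4.x (aspnet_regiis.exe under v4.0.30319 rather than the v2.0.50727 folder named above) and an elevated session on the web server; the web.config it writes, the connection string in it and the temporary directory name are constructed for the example.

```powershell
# Added example, not from the OWASP page: encrypt <connectionStrings> with aspnet_regiis,
# check that no plaintext secret remains on disk, then decrypt again.
# Assumptions: .NET Framework 4.x installed, elevated PowerShell on the web server.
$ErrorActionPreference = 'Stop'

# Use the aspnet_regiis that matches the application pool bitness (Framework64 for 64-bit pools).
$fxDir  = if ([Environment]::Is64BitOperatingSystem) { 'Framework64' } else { 'Framework' }
$regiis = Join-Path $env:windir "Microsoft.NET\$fxDir\v4.0.30319\aspnet_regiis.exe"
if (-not (Test-Path $regiis)) { throw "aspnet_regiis.exe not found at $regiis" }

# Constructed sample application directory holding a plaintext connection string (hypothetical path).
$appDir     = Join-Path $env:TEMP 'regiis-demo'
$configPath = Join-Path $appDir 'web.config'
New-Item -ItemType Directory -Force -Path $appDir | Out-Null
@'
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <connectionStrings>
    <add name="AppDb"
         connectionString="Server=db01;Database=app;User Id=app_user;Password=P@ssw0rd!"
         providerName="System.Data.SqlClient" />
  </connectionStrings>
</configuration>
'@ | Set-Content -Path $configPath -Encoding UTF8

function Get-SectionProtection {
    # Returns the configProtectionProvider attribute of a section ('' when it is still plaintext).
    param([string]$Path, [string]$Section)
    [xml]$cfg = Get-Content -Path $Path -Raw
    $node = $cfg.configuration.SelectSingleNode($Section)
    if ($null -eq $node) { throw "section <$Section> not found in $Path" }
    return $node.GetAttribute('configProtectionProvider')
}

function Invoke-RegIis {
    # Runs aspnet_regiis with the given arguments and fails loudly on a non-zero exit code.
    param([string[]]$ArgList)
    & $regiis @ArgList
    if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis $($ArgList -join ' ') failed with exit code $LASTEXITCODE" }
}

# -pef takes the section name and the physical directory that contains web.config.
Invoke-RegIis @('-pef', 'connectionStrings', $appDir)

# Verify: the section now names the provider, and the password is no longer on disk in clear.
$provider = Get-SectionProtection -Path $configPath -Section 'connectionStrings'
if ($provider -ne 'RsaProtectedConfigurationProvider') { throw "section not encrypted (provider='$provider')" }
if (Select-String -Path $configPath -Pattern 'P@ssw0rd!' -SimpleMatch -Quiet) { throw 'plaintext password still present on disk' }
"connectionStrings is protected by $provider; no plaintext password left in $configPath"

# -pdf reverses the operation. In production the section stays encrypted: ASP.NET decrypts it
# transparently when code reads ConfigurationManager.ConnectionStrings["AppDb"].
Invoke-RegIis @('-pdf', 'connectionStrings', $appDir)
```

Without -prov, aspnet_regiis uses RsaProtectedConfigurationProvider with the machine-level container NetFrameworkConfigurationKey. The account the application pool runs under must be able to read that container, otherwise the site fails at startup with "The RSA key container could not be opened"; grant access with aspnet_regiis -pa "NetFrameworkConfigurationKey" "IIS APPPOOL\<pool name>".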
Machine-level or user-level RSA key containers

Encrypting a configuration file has a drawback when the same file must be deployed to other servers, for example in a web farm: the key that encrypted it lives on the original machine, and a section protected with the DPAPI-based DataProtectionConfigurationProvider cannot be decrypted anywhere else at all. In that case the use of an RSA key container is strongly advised. The RsaProtectedConfigurationProvider, which aspnet_regiis uses by default with the machine-level container NetFrameworkConfigurationKey, supports both machine-level and user-level key containers. A container created as exportable can be exported with its private key (aspnet_regiis -px <container> <file> -pri) and imported on every other server (aspnet_regiis -pi <container> <file>), so one encrypted web.config works on all of them. On each server the identity the application runs under must be granted read access to the container (aspnet_regiis -pa <container> "<account>").


RSA machine-level key containers are stored in the following folder:

\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys

On Windows Vista / Server 2008 and later the same store is %ProgramData%\Microsoft\Crypto\RSA\MachineKeys. The key files are protected by NTFS ACLs only, so every local administrator, and every account granted access with -pa, can read a machine-level key.

User-level key container

When the application runs in a shared hosting environment and its secrets must not be readable by the other applications on the same host, a user-level key container is strongly recommended. Each application should then run under its own identity (its own application pool account); the container is created while running as that identity (aspnet_regiis -pc <container> -pku) and referenced by a provider with useMachineContainer="false", so only that account can open it. RSA user-level key containers are stored in the following folder:

\Documents and Settings\{UserName}\Application Data\Microsoft\Crypto\RSA

On Windows Vista / Server 2008 and later this is %APPDATA%\Microsoft\Crypto\RSA, i.e. \Users\{UserName}\AppData\Roaming\Microsoft\Crypto\RSA, under a subfolder named after the user's SID. Because the store lives in the user profile, the application pool must load its user profile for the key to be found.
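The two key-container options above (a machine-level container exported to the other servers of a farm, and a user-level container for a shared host), as one added PowerShell example that is not code from the OWASP page or from Microsoft. It assumes .NET Framework 4.x in the 64-bit Framework64 tree, an elevated session, and an application already deployed with a web.config in the given directory; the container name AppConfigKeys, the provider name AppRsaProvider, the key file path, the application path and the application pool identity are hypothetical and are parameters of the script.

```powershell
# Added example, not from the OWASP page: protect a section with a named RSA key container so
# that the encrypted web.config can be deployed unchanged to other servers, or (with -UserLevel)
# so that only one application identity on a shared host can open it.
# Assumptions: .NET Framework 4.x (64-bit), elevated PowerShell; every name below is hypothetical.
param(
    [string]$AppDir          = 'C:\inetpub\wwwroot\app',
    [string]$Container       = 'AppConfigKeys',
    [string]$ProviderName    = 'AppRsaProvider',
    [string]$KeyFile         = 'C:\secure\AppConfigKeys.xml',
    [string]$AppPoolIdentity = 'IIS APPPOOL\AppPool01',
    [switch]$UserLevel       # user-level container: run this script AS the application identity
)
$ErrorActionPreference = 'Stop'
$regiis = Join-Path $env:windir 'Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe'
$pku    = if ($UserLevel) { @('-pku') } else { @() }   # -pku selects the user-level key store

function Invoke-RegIis {
    # Runs aspnet_regiis with the given arguments and fails loudly on a non-zero exit code.
    param([string[]]$ArgList)
    & $regiis @ArgList
    if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis $($ArgList -join ' ') failed with exit code $LASTEXITCODE" }
}

# 1. Create the container. -exp makes the private key exportable, which -px -pri needs later.
Invoke-RegIis (@('-pc', $Container, '-exp') + $pku)

# 2. Register a provider that uses the container. <configProtectedData> is itself one of the
#    sections that can never be encrypted: the runtime reads it before any provider exists.
$configPath = Join-Path $AppDir 'web.config'
[xml]$cfg = Get-Content -Path $configPath -Raw
$cpd = $cfg.configuration.SelectSingleNode('configProtectedData')
if ($null -eq $cpd) { $cpd = $cfg.configuration.AppendChild($cfg.CreateElement('configProtectedData')) }
$providers = $cpd.SelectSingleNode('providers')
if ($null -eq $providers) { $providers = $cpd.AppendChild($cfg.CreateElement('providers')) }
$add = $cfg.CreateElement('add')
$add.SetAttribute('name', $ProviderName)
# Assembly version 4.0.0.0 matches the .NET 4 assumption; the 2.0/3.5 runtime named on the page uses 2.0.0.0.
$add.SetAttribute('type', 'System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a')
$add.SetAttribute('keyContainerName', $Container)
$add.SetAttribute('useMachineContainer', $(if ($UserLevel) { 'false' } else { 'true' }))
$providers.AppendChild($add) | Out-Null
$cfg.Save($configPath)

# 3. Encrypt with that provider instead of the default NetFrameworkConfigurationKey container.
Invoke-RegIis @('-pef', 'connectionStrings', $AppDir, '-prov', $ProviderName)

# 4. Machine-level only: the application pool identity needs read access to the private key.
#    A user-level container is readable only by the account that created it, so no ACL step applies.
if (-not $UserLevel) { Invoke-RegIis @('-pa', $Container, $AppPoolIdentity) }

# 5. Export the container with its private key so the other servers can decrypt the same file.
#    The XML file holds the private key: move it over a protected channel and delete it after import.
Invoke-RegIis (@('-px', $Container, $KeyFile, '-pri') + $pku)

# On each target server (same identity rules as above) import the container, grant access,
# then copy the already-encrypted web.config:
#   aspnet_regiis -pi AppConfigKeys C:\secure\AppConfigKeys.xml
#   aspnet_regiis -pa AppConfigKeys "IIS APPPOOL\AppPool01"
```

For the user-level variant the script, and later the import on other hosts, must run under the application's own account (for example via runas), and the application pool's "Load User Profile" setting must be enabled so the profile that holds the key store is mounted when the site starts. In both variants the exported key file is as sensitive as every password it protects and should not be left in a share or a repository.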
