ASPNET2SecurityFAQs


Question: How do I protect the database connection strings in web.config file?

Answer:

To protect the connection strings in your application's web.config file, put them in the <connectionStrings> section (not in <appSettings> or a custom section) and then encrypt that section with one of the protected configuration providers (RSA or DPAPI) using the aspnet_regiis.exe utility. ASP.NET decrypts the section transparently at run time, so code that reads ConfigurationManager.ConnectionStrings does not change.
Protecting the configuration file matters most for SQL Authentication connection strings, which embed a user name and password in clear text; even a Windows Authentication connection string reveals server and database names that an attacker can use. Encrypting the section protects the file at rest (in backups, in source control, or against someone who can read the file under a different account); it does not protect against an attacker who can run code under the application's own identity on the same machine, because that identity must be able to decrypt the section. Where possible, prefer Windows Authentication to SQL Server so that no credentials are stored in the file at all.
To encrypt the connectionStrings section with the DPAPI provider using the machine key store (the provider's default), run the following command from a command prompt. aspnet_regiis.exe is installed with the framework in %windir%\Microsoft.NET\Framework\v2.0.50727 (Framework64 for 64-bit application pools), so either run it from that directory or add it to the path:
		 aspnet_regiis -pe "connectionStrings" -app "/MachineDPAPI" -prov "DataProtectionConfigurationProvider"

To reverse the operation, for example before editing the section, run the same command with -pd in place of -pe; -prov is not needed then, because the encrypted section records which provider protected it. If the application is not under the default Web site, add -site "<site name>", or use -pef with the application's physical directory path instead of -app.
* -pe specifies the configuration section to encrypt.
* -app specifies your Web application's virtual path. If your application is nested, you need to specify the nested path from the root directory, for example "/test/aspnet/MachineDPAPI"
* -prov specifies the provider name.
The .NET Framework 2.0 ships two protected configuration providers, either of which can be named with the -prov switch of Aspnet_regiis.exe (the switch takes the name the provider is registered under in machine.config, not the class name):
* RsaProtectedConfigurationProvider (registered as "RsaProtectedConfigurationProvider"). This is the default when -prov is omitted. It protects the section with an RSA key pair held in a machine-level RSA key container (NetFrameworkConfigurationKey unless you configure another). Because a key container can be exported from one server and imported on the others, this is the provider to use when the same encrypted web.config must be deployed to every server in a Web farm. The account the application runs under must be granted read access to the key container (aspnet_regiis -pa), otherwise the site fails at run time with a configuration error.
* DpapiProtectedConfigurationProvider (registered as "DataProtectionConfigurationProvider", the name used in the command above). This provider uses the Windows Data Protection API (DPAPI) with the machine key store by default, so the encrypted section can only be decrypted on the server where it was encrypted. Use it for a single Windows server; there is nothing to export and no key-container ACL to manage.
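The procedure above, end to end, as an added PowerShell example that is not part of the original FAQ: it drives aspnet_regiis.exe to encrypt the section with either provider, checks the resulting web.config for an <EncryptedData> element and for leftover clear-text passwords, and, for the Web-farm case, creates an exportable RSA key container and grants the application pool identity access to it. The framework path, the physical application directory C:\inetpub\wwwroot\MachineDPAPI, the container name FarmKeys, the export file path and the NETWORK SERVICE identity are assumptions; replace them with your own.

```powershell
# Added example, not from the original FAQ. Wraps aspnet_regiis.exe to encrypt,
# verify and decrypt the <connectionStrings> section of a web.config, and to set
# up an RSA key container for a Web farm.
# Assumptions (replace for your environment): .NET Framework 2.0 under the 32-bit
# Framework directory, application physical path C:\inetpub\wwwroot\MachineDPAPI,
# application pool identity NT AUTHORITY\NETWORK SERVICE, container name FarmKeys.

$AspnetRegiis = Join-Path $env:windir 'Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe'
$AppPath      = 'C:\inetpub\wwwroot\MachineDPAPI'
$WebConfig    = Join-Path $AppPath 'web.config'

function Invoke-Regiis {
    # Runs aspnet_regiis with the given arguments and fails loudly on a non-zero exit code.
    param([string[]]$Arguments)
    & $AspnetRegiis @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "aspnet_regiis $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

function Protect-ConnectionStrings {
    # -pef addresses the application by physical directory, so it works for any
    # IIS site (unlike -app, which assumes the default Web site unless -site is given).
    param([string]$Provider = 'DataProtectionConfigurationProvider')
    Invoke-Regiis -Arguments @('-pef', 'connectionStrings', $AppPath, '-prov', $Provider)
}

function Unprotect-ConnectionStrings {
    # -pdf reverses -pef; no provider is needed because the section records which one encrypted it.
    Invoke-Regiis -Arguments @('-pdf', 'connectionStrings', $AppPath)
}

function Test-ConnectionStringsProtected {
    # True when the section carries a configProtectionProvider attribute plus an
    # <EncryptedData> child, and no clear-text password remains anywhere in the file.
    [xml]$cfg  = Get-Content -Path $WebConfig
    $section   = $cfg.configuration.connectionStrings
    $encrypted = ($null -ne $section) -and
                 ($null -ne $section.configProtectionProvider) -and
                 ($null -ne $section.EncryptedData)
    $leak = Select-String -Path $WebConfig -Pattern 'password=', 'pwd=' -SimpleMatch -Quiet
    return ($encrypted -and -not $leak)
}

function New-FarmKeyContainer {
    # For the RSA provider on a Web farm: create an exportable machine-level key
    # container, let the application pool identity read it, and export it (with the
    # private key) for import on the other servers with: aspnet_regiis -pi FarmKeys <file>
    # followed by the same -pa call on each of them. The export file holds the private
    # key unprotected: copy it over a secure channel and delete it after import.
    param([string]$Container  = 'FarmKeys',
          [string]$ExportFile = 'C:\keys\FarmKeys.xml',
          [string]$Identity   = 'NT AUTHORITY\NETWORK SERVICE')
    Invoke-Regiis -Arguments @('-pc', $Container, '-exp')
    Invoke-Regiis -Arguments @('-pa', $Container, $Identity)
    Invoke-Regiis -Arguments @('-px', $Container, $ExportFile, '-pri')
}

# Single server: encrypt with DPAPI and confirm nothing readable is left behind.
Protect-ConnectionStrings
if (-not (Test-ConnectionStringsProtected)) { throw 'connectionStrings is not encrypted' }
```

Encrypting with a container other than the default requires registering an RsaProtectedConfigurationProvider entry with keyContainerName="FarmKeys" and useMachineContainer="true" under <configProtectedData> in web.config, and passing that entry's name to Protect-ConnectionStrings (and so to -prov); the import and -pa steps must then be completed on every server before the encrypted web.config is deployed there.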

More Information

For more information on securing database connection strings, see "How To: Encrypt Configuration Sections Using DPAPI" at http://msdn.microsoft.com/library/en-us/dnpag2/html/PAGHT000005.asp and "How To: Encrypt Configuration Sections Using RSA" at http://msdn.microsoft.com/library/en-us/dnpag2/html/PAGHT000006.asp


Microsoft Communities