3

Here are my connections strings:

  <connectionStrings>
    <add name="ArticleDbContext" connectionString="Data Source=|DataDirectory|MyBlog.sdf" providerName="System.Data.SqlServerCe.4.0" />
    <add name="BlogDbContext" connectionString="Data Source=|DataDirectory|MyBlog.sdf" providerName="System.Data.SqlServerCe.4.0" />
    <add name="CompanyDbContext" connectionString="Data Source=|DataDirectory|MyBlog.sdf" providerName="System.Data.SqlServerCe.4.0" />
    <add name="UserProfileDbContext" connectionString="Data Source=|DataDirectory|MyBlog.sdf" providerName="System.Data.SqlServerCe.4.0" />
    <add name="ApplicationServices" connectionString="Data Source=.\SQLEXPRESS;Integrated Security=SSPI;AttachDBFilename=|DataDirectory|aspnetdb1.mdf;User Instance=true" providerName="System.Data.SqlClient" />
  </connectionStrings>

I was reading this http://msdn.microsoft.com/en-us/library/ms181873(v=vs.90).aspx on Considerations for Implementing Applications.

I believe I should put passwords on these and then encrypt. Is that correct, and how do I do it after the fact? Is there any concern with putting passwords in my web.config file? I read something about decompilers being able to read your passwords... Is this a real threat? What can I do to secure this app?

user1477388

2 Answers

3

You should always encrypt sensitive information stored in a config file. You can do it programmatically or via aspnet_regiis (see docs for more details).

Why?

Because people can download a web.config file in plain text through different vulnerabilities and then they can read all the connection strings, user names, passwords etc.

Possible attack list:

  • MS10-070 with a video
  • Any other user on the machine can read web.config. This adds a huge list of all disclosed and non-disclosed attacks on the OS itself.
  • Attack on the IIS FTP and subsequent web.config transmission, for example this one
oleksii
  • 1
    Do you have a link to share more information on the vulnerabilities you mention? – Jared Peless Aug 27 '12 at 12:23
  • I was looking through the docs you sent, but there are many pages and it is difficult to understand. Can you link me to a good and simple tutorial if one exists, or send me some helpful examples of how to encrypt passwords in my web config? I do link to an external database in my web.config file. – user1477388 Aug 27 '12 at 12:58
  • 2
    @user1477388 take a look at [this post](http://weblogs.asp.net/scottgu/archive/2006/01/09/434893.aspx). It's got some links to super simple tutorials. – oleksii Aug 27 '12 at 13:28
  • The code on this page http://www.developerfusion.com/code/5263/encrypting-webconfig-sections-in-aspnet-20/ which reads `Configuration config = Configuration.GetWebConfiguration(Request.ApplicationPath); ConfigurationSection section = config.Sections["connectionStrings"]; section.ProtectSection ("DataProtectionConfigurationProvider"); config.Update(); ` - where do I put it? Thanks. – user1477388 Aug 27 '12 at 13:57
  • 1
    @user1477388 the usual place would be in the `global.asax` file in one of the events `Application_Start`. Check [this SO](http://stackoverflow.com/a/9401935/706456) question for the direct sample. – oleksii Aug 27 '12 at 15:56
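The programmatic route this answer recommends, written out as an added example (not code from the answer or the linked posts). It assumes an ASP.NET application whose application pool identity has write access to web.config, and that `ProtectConnectionStrings` is called once from `Application_Start` in global.asax; the class and method names are my own.

```csharp
using System;
using System.Configuration;
using System.Web.Configuration;

// Encrypts the <connectionStrings> section of web.config in place and
// shows that reads keep working, because the runtime decrypts transparently.
public static class ConfigProtector
{
    // The two providers that ship with .NET. DPAPI keys are bound to the
    // machine (and user store, if configured), so encrypt on the target
    // machine rather than in a deployment package; use the RSA provider when
    // the same web.config must be readable by several servers (web farm).
    public const string DpapiProvider = "DataProtectionConfigurationProvider";
    public const string RsaProvider = "RsaProtectedConfigurationProvider";

    // Returns true if the section was encrypted by this call, false if it was
    // already protected. The IsProtected check makes it safe to run on every
    // application start, which is what a call from Application_Start needs.
    public static bool ProtectSection(string sectionName, string providerName)
    {
        // "~" opens the web.config at the application root.
        Configuration config = WebConfigurationManager.OpenWebConfiguration("~");
        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null)
            throw new ArgumentException("No such section: " + sectionName);

        if (section.SectionInformation.IsProtected)
            return false;

        section.SectionInformation.ProtectSection(providerName);
        // ForceSave writes the section even though its values are unchanged.
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }

    public static bool ProtectConnectionStrings()
    {
        return ProtectSection("connectionStrings", DpapiProvider);
    }

    // Reads still go through the normal API; callers never see ciphertext.
    public static string GetConnectionString(string name)
    {
        ConnectionStringSettings settings = ConfigurationManager.ConnectionStrings[name];
        return settings == null ? null : settings.ConnectionString;
    }
}
```

The command-line equivalent for an app rooted at `/MyApp` is `aspnet_regiis -pe "connectionStrings" -app "/MyApp"` (and `-pd` to decrypt), run under an account that can write web.config.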
1

Probably not. The passwords in a web.config file usually expose authentication details for connecting to remote SQL servers (or other databases). This is the sort of thing you'd want to protect.

Your database files are of the file variety (stored locally) and your SQL Express database is accessible using integrated security, so I'd say that you're okay to leave things as they are.

Adrian Thompson Phillips