CRV2 SecCommsdotNet

From OWASP
Revision as of 17:33, 14 July 2013 by Johanna Curiel (Talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Contents

Password protection and sensitive information

The web.config files might include sensitive information in the connection strings such as database passwords, mail server user names among others.

Sections that are required to be encrypted are:

<appSettings>. This section contains custom application settings.
<connectionStrings>. This section contains connection strings.
<identity>. This section can contain impersonation credentials.
<sessionState>. This section contains the connection string for the out-of-process session state provider.

Passwords and user names contained in a <connectionstring> section should be encrypted. ASP.NET allows you to encrypt this information by using the functionality aspnet_regiis .This utility is found in the installed .NET framework under the folder

%windows%\Microsoft.NET\Framework\v2.0.50727

You can specify the section you need to encrypt by using the command:

aspnet_regiis -pef sectiontobeencryoted .

Encrypting sections in Web.Config file

Even though encrypting sections is possible, not all sections can be encrypted, specifically, sections that are read before user code is run. The following sections cannot be encrypted:

<processModel> <runtime> <mscorlib> <startup> <system.runtime.remoting> <configProtectedData> <satelliteassemblies> <cryptographySettings> <cryptoNameMapping> <cryptoClasses>


Machine-Level RSA key container or User-Level Key Containers

Encrypting a single file has its disadvantages when this file is moved to another servers. In this case, the user of an RSA key container is strongly advice. The RSAProtectedConfigurationProvider supports machine-level and user-level key containers for key storage.


RSA machine key containers are stored in the following folder: \Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys

User Key Container

When the application that needs to be protected is in a shared hosting environment and protection of sensitive data cannot be accessible to other applications, the user key container is strongly recommended. In this case each application should have a separate identity. RSA user-level key containers are stored in the following folder: \Documents and Settings\{UserName}\Application Data\Microsoft\Crypto\RSA

References