
This post is somewhat similar to the link below. Unfortunately, I do not have enough reputation to ask a question there, so I am asking it here.

Confused on what is the correct procedure on storing passwords in Web.config for Azure deployment

The post above seems to work well if you are deploying to Azure because Azure provides a UI for you to store sensitive data, such as passwords and keys, thus negating the need for an external file. However, if I am not deploying to Azure, then this functionality is assumed to not be available via other web hosting companies and so that answer does not apply.

My question is this: what is the best way to protect sensitive data both from being transmitted over the internet and from malicious users who manage to get the *.config file containing the sensitive data? Some ideas that I have thought of are below.

1.) Place the sensitive data in an external file (AppSettingsSecrets.config) that is two folders up on the directory tree?

2.) Place the sensitive data in an external file (AppSettingsSecrets.config) that is in the same project, but set the file's build action to None?

3.) Place the sensitive data in the web.config file, but encrypt the section of the file that contains the sensitive data?

The reason for securing sensitive data within the *.config file itself is that in the event a malicious user manages to get the file containing the sensitive data, they will be prevented from reading the sensitive data. All three options only seem to address the first question (preventing sensitive data from being transmitted over the internet), but option 3 only seems to also address preventing malicious users who get the *.config file from reading the sensitive contents. If that is the case, then it seems like all three options are moot with respect to which file to put the sensitive data in and where that file is located; just encrypt the portion of the web.config file that contains the sensitive data and move on. Am I missing something?

J Weezy

2 Answers


I created two handy batch files that encrypt and decrypt the appSettings and connectionStrings sections of the web.config file:

EncryptWebConfig.bat

@ECHO OFF

REM ENCRYPT THE CONTENTS CONTAINED IN THE appSettings SECTION OF THE WEB.CONFIG FILE
C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis -pef "appSettings" "Folder path to web.config"

REM ENCRYPT THE CONTENTS CONTAINED IN THE connectionStrings SECTION OF THE WEB.CONFIG FILE
C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis -pef "connectionStrings" "Folder path to web.config"

REM PAUSE FOR VERIFICATION ON THE SCREEN OF WHAT HAPPENED.
PAUSE

@ECHO ON

DecryptWebConfig.bat

@ECHO OFF

REM DECRYPT THE CONTENTS CONTAINED IN THE appSettings SECTION OF THE WEB.CONFIG FILE
C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis -pdf "appSettings" "Folder path to web.config"

REM DECRYPT THE CONTENTS CONTAINED IN THE connectionStrings SECTION OF THE WEB.CONFIG FILE
C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis -pdf "connectionStrings" "Folder path to web.config"

REM PAUSE FOR VERIFICATION ON THE SCREEN OF WHAT HAPPENED.
PAUSE

@ECHO ON
J Weezy
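The batch files above shell out to aspnet_regiis. As an added example, not code from the answer above, here is the same protection done from C# through the Protected Configuration API, which is what aspnet_regiis -pef / -pdf calls underneath; it can run from a deployment script on any IIS host, not only Azure. It assumes the .NET Framework with a reference to System.Configuration, and the web.config path passed on the command line is a placeholder for your own.

```csharp
using System;
using System.Configuration;

static class ConfigSectionProtector
{
    // DPAPI provider (the aspnet_regiis default): no key management, but the section only
    // decrypts on the machine that encrypted it, so encrypt on the target server. For a web
    // farm use "RsaProtectedConfigurationProvider" and move the key container between hosts
    // with aspnet_regiis -px / -pi instead of copying an already-encrypted web.config.
    const string Provider = "DataProtectionConfigurationProvider";

    // Open a web.config by physical path; the standard sections (appSettings,
    // connectionStrings) are the same ones an application config exposes.
    static Configuration Open(string webConfigPath)
    {
        var map = new ExeConfigurationFileMap { ExeConfigFilename = webConfigPath };
        return ConfigurationManager.OpenMappedExeConfiguration(map, ConfigurationUserLevel.None);
    }

    // Encrypt one section (e.g. "connectionStrings"). Returns whether it is encrypted afterwards.
    // The running site keeps reading ConfigurationManager.ConnectionStrings unchanged: the
    // runtime decrypts protected sections transparently.
    public static bool Protect(string webConfigPath, string sectionName)
    {
        Configuration config = Open(webConfigPath);
        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null) throw new ArgumentException("Section not found: " + sectionName);
        if (!section.SectionInformation.IsProtected)
        {
            section.SectionInformation.ProtectSection(Provider);
            section.SectionInformation.ForceSave = true; // write even if the values look unchanged
            config.Save(ConfigurationSaveMode.Modified);
        }
        return section.SectionInformation.IsProtected;
    }

    // Reverse of Protect, for editing the plaintext values. Returns true when it is now plaintext.
    public static bool Unprotect(string webConfigPath, string sectionName)
    {
        Configuration config = Open(webConfigPath);
        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null) throw new ArgumentException("Section not found: " + sectionName);
        if (section.SectionInformation.IsProtected)
        {
            section.SectionInformation.UnprotectSection();
            section.SectionInformation.ForceSave = true;
            config.Save(ConfigurationSaveMode.Modified);
        }
        return !section.SectionInformation.IsProtected;
    }
}
```

Call Protect for both "appSettings" and "connectionStrings" under the same account that will run the application pool, since DPAPI-protected sections are bound to the machine (and to the user, when the provider is configured with useMachineProtection="false").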

I will try to give my suggestion, which was already mentioned by you. The most secure way is to not put sensitive data in web.config as much as possible, and if there's really a need you MUST encrypt it using this method, which is option 3, and move on!

Hold on, move on to what? You must move on to other security aspects of your application. Securing a web.config section doesn't guarantee full protection. You must harden your server, secure communication, do pentesting or conduct online vulnerability tests, and even source code scanning. It may sound overkill and ridiculous, but if you really want to mitigate security issues, those I mentioned are a must. I say mitigate because nowadays you and I are not secure any more! Not unless you are not connected to the internet. :)

Update: These are the tools that may help you. Some are free and some are not. It's not limited only to this.

  • OWASP - for pentesting (free)
  • Nessus - for system hardening (enterprise)
  • CIS CAT - tech stack like OS, Database, WebServer etc. (membership only)
  • IBM AppScan - for source code scanning (enterprise)

If you don't want to bother doing it on your own, you can delegate this security testing to a third party like whitehatsec.

Alright, that's all that I have. I'm out! :)

jtabuloc
  • Thank you for the response and the method link. Regarding the other security measures that you mentioned, do you have any online resources that discuss this that you found helpful? You are correct, I am attempting to build security throughout the entire chain of communication both within the application and over the internet. – J Weezy Feb 08 '17 at 22:32