
I want to use my Windows 10 Pro desktop as a web server on a LAN. I use IIS and I have already successfully deployed the web app. Now I want to secure the web.config. I searched on Google and found that I can encrypt it with aspnet_regiis. I have already succeeded in encrypting with aspnet_regiis -pef "connectionStrings" "D:\TEST" and decrypting with aspnet_regiis -pdf "connectionStrings" "D:\TEST"

Now, my question is: if my computer has another Windows user with administrator level, he/she can also decrypt my web.config with the aspnet_regiis -pdf "connectionStrings" "D:\TEST" command. How can I prevent him/her from decrypting my web.config?

Liudi Wijaya
    I think it's pretty much game over if your threat level has administrative rights. regiis depends on the machine key, and while you *could* tell it to use a specific key container https://stackoverflow.com/questions/7998666/asp-net-encryption-aspnet-regiis-farm any administrator can just reset the access rights to that container and get it themselves. – Martheen May 16 '20 at 04:40
  • In some scenarios, we need to do encryption and decryption with a specific cryptography method. To implement that, we can use custom web.config encryption with a 'Protected Configuration Provider'. But as you said, if you need to implement the security at the user level, I think you may need to read this: https://learn.microsoft.com/en-us/previous-versions/aspnet/f5cs0acs(v=vs.100) (Microsoft) – Matt Qafouri May 18 '20 at 04:56

1 Answer


By default, decryption on the machine is done with DPAPI, which means anyone with access to the machine can encrypt/decrypt. If you want only administrators and the web app to be able to perform the decryption, then you need to use the RSA provider (instead of DPAPI). This will allow you to create a key in a key container, and then you can assign a DACL to the key container for the account you want to have access to the key.

ASP.NET web.config encryption security

https://inthetechpit.com/2019/05/21/encrypt-web-config-with-rsa-encryption/

Jalpa Panchal
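
One way to set up what the answer describes, a dedicated RSA key container whose ACL is granted to the site's application pool identity, as an added example that is not code from the question or the answer. The container, provider and app pool names and the Framework64 path are assumptions; it expects an elevated prompt and a web.config whose root element has no XML namespace.

```powershell
# Added example; run from an elevated PowerShell prompt.
# Constructed values: container, provider and app pool names. D:\TEST is from the question.
$ErrorActionPreference = 'Stop'
$regiis    = "$env:WINDIR\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"  # assumed path
$container = 'TestAppKeys'
$provider  = 'TestAppRsaProvider'
$identity  = 'IIS APPPOOL\TestAppPool'
$sitePath  = 'D:\TEST'
$config    = Join-Path $sitePath 'web.config'

function Invoke-Regiis {
    # Run aspnet_regiis with the given arguments and stop on a non-zero exit code.
    & $regiis @args
    if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis $($args -join ' ') failed ($LASTEXITCODE)" }
}

# 1. Create a machine-level RSA key container (no -exp, so the key is not exportable).
Invoke-Regiis '-pc' $container
# 2. Grant read access on the container to the app pool identity only.
Invoke-Regiis '-pa' $container $identity

# 3. Register a provider in web.config that points at the container.
$xml = New-Object System.Xml.XmlDocument
$xml.PreserveWhitespace = $true
$xml.Load($config)
$node = $xml.DocumentElement
foreach ($name in 'configProtectedData', 'providers') {
    $child = $node.SelectSingleNode($name)
    if ($null -eq $child) { $child = $node.AppendChild($xml.CreateElement($name)) }
    $node = $child
}
if ($null -eq $node.SelectSingleNode("add[@name='$provider']")) {
    $add = $node.AppendChild($xml.CreateElement('add'))
    $add.SetAttribute('name', $provider)
    $add.SetAttribute('type', 'System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a')
    $add.SetAttribute('keyContainerName', $container)
    $add.SetAttribute('useMachineContainer', 'true')
    $xml.Save($config)
}

# 4. Encrypt the section with that provider, then confirm the result on disk.
Invoke-Regiis '-pef' 'connectionStrings' $sitePath '-prov' $provider
$xml.Load($config)
$cs = $xml.SelectSingleNode('/configuration/connectionStrings')
if ($null -eq $cs -or $cs.GetAttribute('configProtectionProvider') -ne $provider -or
    $null -eq $cs.SelectSingleNode('*[local-name()="EncryptedData"]')) {
    throw 'connectionStrings is not encrypted with the expected provider'
}
```

`aspnet_regiis -pr` with the same container and account arguments removes an account's access again, the counterpart of `-pa`.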