Is it safe to store confidential settings in .cs file instead Web.config?

Question

I want to store some confidential values (such as database connection strings, some passwords) in a Setting.cs (and there in a static class) file.

Is it 100% sure, that IIS 7 is not serving this file in plain text? Or are there any known vulnerabilities?

Answer 1

.cs file extensions are not served. If you take a look in the web.config under windows\Microsoft.NET\framework\framework version\config you can search for the httpforbiddenhandler. For .cs the following line is added (.NET 4.0 is the version I took it from):

<add path="*.cs" verb="*" type="System.Web.HttpForbiddenHandler" validate="True" />

Edit:
You can also make use of a custom written ProtectedConfigurationProvider to add more protection for your connectionstrings.

Answer 2

IIS won't serve files you mentioned in a plain text. (Unless you specifically configure it to do that.)

So as long as files used by IIS are safe your secrets are safe as well. (And storing secrets in .cs files is insignificantly safer but significally more convoluted that using config file. -- so I prefer using config files)

But I would recommend Encrypting Configuration Information Using Protected Configuration anyway.

Answer 3

Encrypted web.config is the way to go for maximum security...

Even if you obfuscate your assemblies, these values might still be found. If you control your own web server and no-one else can access, they're safe in both code and config, but e.g. in a shared hosting environment the domain manager automatically has access and you depend on their security rules that other users can't access it.

Especially make sure you don't do this in a Silverlight project, because that is downloaded straight to the client and can be read without a problem with tools like Reflector.

Answer 4

Add a ClassLibrary for Encrypt and Decrypt your connection informations. Here is my Cryptology service codes. Use your connection setting Encrypted

under System.Security.Cryptography; namespace

public class TripleDes
{
    readonly byte[] _key = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24 };
    readonly byte[] _iv = { 8, 7, 6, 5, 4, 3, 2, 1 };

    // define the triple des provider
    private readonly TripleDESCryptoServiceProvider _mDes = new TripleDESCryptoServiceProvider();

    // define the string handler
    private readonly UTF8Encoding _mUtf8 = new UTF8Encoding();

    // define the local property arrays
    private readonly byte[] _mKey;
    private readonly byte[] _mIv;

    /// <summary>
    /// Default constructor
    /// </summary>
    public TripleDes()
    {
        _mKey = _key;
        _mIv = _iv;
    }

    /// <summary>
    /// Parameterized constructor
    /// </summary>
    /// <param name="key"></param>
    /// <param name="iv"></param>
    public TripleDes(byte[] key, byte[] iv)
    {
        _mKey = key;
        _mIv = iv;
    }

    /// <summary>
    /// Encrypts the given byte array input
    /// </summary>
    /// <param name="input">Input value</param>
    /// <returns>Encrypted result</returns>
    public byte[] Encrypt(byte[] input)
    {
        return Transform(input, _mDes.CreateEncryptor(_mKey, _mIv));
    }

    /// <summary>
    /// Decrypts the given encrypted byte array input
    /// </summary>
    /// <param name="input">Encrypted byte array input</param>
    /// <returns>Decrypted result</returns>
    public byte[] Decrypt(byte[] input)
    {
        return Transform(input, _mDes.CreateDecryptor(_mKey, _mIv));
    }

    /// <summary>
    /// Encrypts the given string input
    /// </summary>
    /// <param name="text">Input value</param>
    /// <returns>Encrypted result</returns>
    public string Encrypt(string text)
    {
        byte[] input = _mUtf8.GetBytes(text);
        byte[] output = Transform(input, _mDes.CreateEncryptor(_mKey, _mIv));
        return Convert.ToBase64String(output);
    }

    /// <summary>
    /// Decrypts the given encrypted string input
    /// </summary>
    /// <param name="text">Encrypted string input</param>
    /// <returns>Decrypted result</returns>
    public string Decrypt(string text)
    {
        byte[] input = Convert.FromBase64String(text);
        byte[] output = Transform(input, _mDes.CreateDecryptor(_mKey, _mIv));
        return _mUtf8.GetString(output);
    }

    private static byte[] Transform(byte[] input, ICryptoTransform cryptoTransform)
    {
        // create the necessary streams
        using (MemoryStream memStream = new MemoryStream())
        {
            using (CryptoStream cryptStream = new CryptoStream(memStream, cryptoTransform, CryptoStreamMode.Write))
            {
                // transform the bytes as requested
                cryptStream.Write(input, 0, input.Length);
                cryptStream.FlushFinalBlock();
                // Read the memory stream andconvert it back into byte array
                memStream.Position = 0;
                byte[] result = memStream.ToArray();
                // close and release the streams
                memStream.Close();
                cryptStream.Close();
                // hand back the encrypted buffer
                return result;
            }
        }
    }
}

Answer 5

Neither one is safe.

When your source files are compiled, all strings can be easily accessed via tools like reflector or ildasm.

Config files are plain text, so any text editor can view such data.

Best practice is to encrypt the sensitive configuration sections.

Answer 6

I would recommend against hard coding connection strings. IIS won't serve them, there are explicit handlers registered with ASP.NET which will stop source code files from being served.

Can you not use an encrypted web.config file?