john

asp.net web.config encryption

Why is it considered correct practice to encrypt sensitive data in web.config before deployment? If the website is hosted on-site, how can it be a risk not to encrypt this data?

Upvotes: 2

Views: 2084

Answers (5)

Samiksha

Reputation: 6182

Our web.config contains information like connection strings and server user IDs and passwords.

We encrypt the config file to protect such data.

You can get the details for encrypting here:

http://msdn2.microsoft.com/en-us/library/ms998283.aspx

Upvotes: 2
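The protected-configuration feature the MSDN page describes, shown as an added example (this is not code from the answer above). It assumes a site at the virtual path "/MyApp" (hypothetical) and runs on the web server under an account that can write web.config; application code reads the section exactly as before, because ASP.NET decrypts it transparently at runtime.

```csharp
// Added example: encrypt the <connectionStrings> section of an ASP.NET
// application's web.config with the built-in DPAPI provider, so the deployed
// file never holds the database credentials in plain text.
using System;
using System.Configuration;
using System.Web.Configuration;

public static class WebConfigProtector
{
    // DPAPI ties the encrypted section to this machine. For a web farm every
    // node would need the same key, which is what the RSA provider
    // ("RsaProtectedConfigurationProvider") and aspnet_regiis key export are for.
    private const string Provider = "DataProtectionConfigurationProvider";

    // Encrypts one section in place; a no-op if it is already protected.
    public static void Protect(string appPath, string sectionName)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appPath);
        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null)
            throw new ArgumentException("Section not found: " + sectionName);

        if (!section.SectionInformation.IsProtected)
        {
            section.SectionInformation.ProtectSection(Provider);
            config.Save(ConfigurationSaveMode.Modified);
        }
    }

    // Reverses Protect(); useful when editing the file on the server.
    public static void Unprotect(string appPath, string sectionName)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appPath);
        ConfigurationSection section = config.GetSection(sectionName);
        if (section != null && section.SectionInformation.IsProtected)
        {
            section.SectionInformation.UnprotectSection();
            config.Save(ConfigurationSaveMode.Modified);
        }
    }

    // Unchanged consumer code: the framework decrypts the section on read.
    public static string ReadConnectionString(string name)
    {
        ConnectionStringSettings cs = ConfigurationManager.ConnectionStrings[name];
        return cs == null ? null : cs.ConnectionString;
    }

    public static void Main()
    {
        Protect("/MyApp", "connectionStrings"); // "/MyApp" is a hypothetical path
    }
}
```

The same operation is available from the command line on the server with `aspnet_regiis.exe -pe "connectionStrings" -app "/MyApp"`, and `-pd` to decrypt again.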

blowdart

Reputation: 56490

In the "good old" ASP days a vulnerability was discovered where, when you appended ::$DATA to a URL you could view the source code of an ASP page.

In ASP.NET 1.0 it was possible to bypass forms authentication with a specially crafted URL.

Encrypting sensitive parts of a web.config is part of a defence in depth strategy. You don't know if an undiscovered problem in ASP.NET will bypass its protection of a configuration file and suddenly expose the file for all the world to see. By not encrypting you are only relying on ASP.NET to not serve configuration files, a single layer of defence which may at some point be breached.

As an added bonus you protect yourself against doing something silly like backing up your web.config to web.config.bak - which would no longer be protected against downloading and is a filename that some security tools check for when scanning a web site.

Upvotes: 0

7wp

Reputation: 12674

Of course in most situations it would be hard for a hacker to gain access to your web.config file since it is treated differently by asp.net and will not allow it to be directly readable.

However there are many reasons that you would want to encrypt the web.config for a public facing web server.

Two reasons I can think of:

1) There is always a chance that somehow a hacker manages to read your web.config in one way or another. If a hacker manages to compromise your web server, having your web.config encrypted would at least slow down, if not stop a hacker from gaining access to your database.

In many hosting environments the database would reside on an entirely different physical machine. Also, hackers tend to find databases a lot more useful to hack than a website, since they potentially could contain sensitive information such as credit card numbers, addresses, birth dates, passwords, etc.

2) Another reason if you have multiple people doing maintenance to your web server/farm and you do not want certain people to be able to access your database, but you still want them to have access to your web server so that they can do maintenance tasks. This way they do not see the log-on credentials of your database in plain text in your web.config.

Upvotes: 2

Oscar Cabrero

Reputation: 4169

The risk depends on the value of the data you keep in the database, and what could happen if that data were compromised or deleted.

Upvotes: 0

Spencer Ruport

Reputation: 35107

I believe if someone accidentally disables ASP.Net users can access .config files.

I've seen it happen with PHP includes. Someone messes with an apache setting and suddenly all php source code is visible including connection strings.

Upvotes: 0
