fruitgift.blogg.se

Hardcoded password
An ASP.NET application typically stores configuration information in a Web.config file. Some of this information is sensitive and warrants protection. By default this file will not be served to a Web site visitor, but an administrator or a hacker may gain access to the Web server's file system and view the contents of the file. In this tutorial we learn that ASP.NET 2.0 allows us to protect sensitive information by encrypting sections of the Web.config file.

Introduction

Configuration information for ASP.NET applications is commonly stored in an XML file named Web.config. Over the course of these tutorials we have updated the Web.config a handful of times. When creating the Northwind Typed DataSet in the first tutorial, for example, connection string information was automatically added to Web.config in the section. Later, in the Master Pages and Site Navigation tutorial, we manually updated Web.config, adding a element indicating that all of the ASP.NET pages in our project should use the DataWebControls Theme.

Since Web.config may contain sensitive data such as connection strings, it is important that the contents of Web.config be kept safe and hidden from unauthorized viewers. By default, any HTTP request to a file with the .config extension is handled by the ASP.NET engine, which returns the "This type of page is not served" message shown in Figure 1. This means that visitors cannot view your Web.config file's contents by simply entering into their browser's Address bar.

Figure 1: Visiting Web.config Through a Browser Returns a "This type of page is not served" Message

But what if an attacker is able to find some other exploit that allows her to view your Web.config file's contents? What could an attacker do with this information, and what steps can be taken to further protect the sensitive information within Web.config? Fortunately, most sections in Web.config do not contain sensitive information. What harm can an attacker perpetrate if they know the name of the default Theme used by your ASP.NET pages?

Certain Web.config sections, however, contain sensitive information that may include connection strings, user names, passwords, server names, encryption keys, and so forth. This information is typically found in the following Web.config sections:

In this tutorial we will look at techniques for protecting such sensitive configuration information. .NET Framework version 2.0 includes a protected configurations system that makes programmatically encrypting and decrypting selected configuration sections a breeze. This tutorial concludes with a look at Microsoft's recommendations for connecting to a database from an ASP.NET application. In addition to encrypting your connection strings, you can help harden your system by ensuring that you are connecting to the database in a secure fashion.

Step 1: Exploring ASP.NET 2.0's Protected Configuration Options

ASP.NET 2.0 includes a protected configuration system for encrypting and decrypting configuration information.









