Web.config

Should the web.config file be included in my deployment, i.e. physically
located in the web app's virtual directory on a release? It makes me
nervous having my DB conn string, etc. in an ASCII file so available. I am
hoping the answer is "it gets compiled, and is placed in the
\bin\myproject.dll file"

Chris
Nov 17 '05 #1

The web.config file is human readable, and not encoded - meaning, yes, if
you are concerned with security, you should encrypt (or store elsewhere)
sensitive data like connection strings. The web.config file is a means of
altering the state of an application while it's running, without shutting
down services.

One solution is to encrypt the connection string (or any sensitive data)
using the available crypto classes in the security assembly. Then you can
decrypt the connection string when it's needed by the application. I'll
paste some sample code for this below.
Charlie Nilsson [msft]
Visual Studio Update
'##################################################################
' Sample encryption code in VB
'##################################################################
Imports System
Imports System.IO
Imports System.Security.Cryptography
Imports System.Text

Public Class MyCryptoClass

    'private key - enter random numbers here
    Private Shared key() As Byte = {12, 52, 53, 124, 33, 36, 77, 48, 29, 50, _
        111, 112, 213, 14, 135, 116, 167, 198, 109, 200, 211, 29, 33, 35}
    'init vector
    Private Shared iv() As Byte = {12, 125, 37, 140, 65, 56, 76, 18, 99, 107, _
        122, 123, 153, 114, 159, 196, 179, 198, 192, 220, 212, 123, 33, 54}

    '##################################################################
    ' Encrypt
    ' - Encrypts a plaintext string and returns it Base64-encoded
    '##################################################################
    Public Shared Function Encrypt(ByVal plainText As String) As String
        Dim cryptoProvider As TripleDESCryptoServiceProvider = New TripleDESCryptoServiceProvider
        Dim ms As MemoryStream = New MemoryStream
        Dim cs As CryptoStream = New CryptoStream(ms, _
            cryptoProvider.CreateEncryptor(key, iv), CryptoStreamMode.Write)
        Dim sw As StreamWriter = New StreamWriter(cs)
        sw.Write(plainText)
        sw.Flush()
        cs.FlushFinalBlock()
        ms.Flush()
        'convert back to a string (only the bytes actually written)
        Return Convert.ToBase64String(ms.GetBuffer(), 0, CInt(ms.Length))
    End Function

    '##################################################################
    ' Decrypt
    ' - Decrypts a Base64-encoded string produced by Encrypt
    '##################################################################
    Public Shared Function Decrypt(ByVal encodedText As String) As String
        Dim cryptoProvider As TripleDESCryptoServiceProvider = New TripleDESCryptoServiceProvider
        'convert from string to byte array
        Dim buffer As Byte() = Convert.FromBase64String(encodedText)
        Dim ms As MemoryStream = New MemoryStream(buffer)
        Dim cs As CryptoStream = New CryptoStream(ms, _
            cryptoProvider.CreateDecryptor(key, iv), CryptoStreamMode.Read)
        Dim sr As StreamReader = New StreamReader(cs)
        Return sr.ReadToEnd()
    End Function

End Class

--

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

Note: For the benefit of the community-at-large, all responses to this
message are best directed to the newsgroup/thread from which they
originated.
--------------------
Reply-To: "Chris Fink" <ch***@chrisfink.com>
From: "Chris Fink" <ch***@chrisfink.com>
Subject: Web.config
Date: Fri, 11 Jul 2003 11:55:43 -0400
Lines: 9
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Message-ID: <#w**************@TK2MSFTNGP10.phx.gbl>
Newsgroups: microsoft.public.dotnet.framework.aspnet
NNTP-Posting-Host: 130.decisionone.com 192.204.130.200
Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTN GP10.phx.gbl
Xref: cpmsftngxa06.phx.gbl microsoft.public.dotnet.framework.aspnet:158568
X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet

Should the web.config file be included in my deployment, i.e. physically
located in the web app's virtual directory on a release? It makes me
nervous having my DB conn string, etc. in an ASCII file so available. I am
hoping the answer is "it gets compiled, and is placed in the
\bin\myproject.dll file"

Chris


Nov 17 '05 #2
Or you can use a tool like this one (or roll out your own as Charlie
suggested): http://www.obviex.com/cipherlite/. However, be aware of the risk
of embedding the key in your application source code.

Alek


Nov 17 '05 #3
It must be included, in its raw form.

However, IIS won't allow browsing the file - it's specifically DISALLOWED -
so no exposure there.
As far as local access, set Windows security for only the internal IIS user,
developers group, etc. to have access, and you should be OK.


Nov 17 '05 #4
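
Added example, not part of the thread or any poster's code: a variant of Charlie's Encrypt/Decrypt sample that addresses the embedded-key risk Alek raises by using Windows DPAPI (the ProtectedData class), so no key or IV is compiled into the assembly. It assumes .NET Framework 2.0 or later on Windows with a reference to System.Security.dll; the ConfigSecret class, the purpose label and the sample connection string are hypothetical.

```vbnet
Imports System
Imports System.Security.Cryptography
Imports System.Text

' Added example (not from the thread). The key material is held by Windows
' DPAPI, not by the application source or web.config.
Public Class ConfigSecret

    ' Hypothetical purpose label passed as DPAPI "optional entropy". It is not a
    ' key: it only stops a blob protected for another purpose being accepted here.
    Private Shared ReadOnly purpose As Byte() = _
        Encoding.UTF8.GetBytes("MyApp.web.config.connectionString")

    ' LocalMachine: any account on this server can unprotect the value, so the
    ' file permissions on web.config still matter. CurrentUser limits it to the
    ' account that ran Protect, which must then be the worker-process account.
    Private Const Scope As DataProtectionScope = DataProtectionScope.LocalMachine

    ' Run once on the target server; store the result in web.config.
    Public Shared Function Protect(ByVal plainText As String) As String
        Dim data As Byte() = Encoding.UTF8.GetBytes(plainText)
        Return Convert.ToBase64String(ProtectedData.Protect(data, purpose, Scope))
    End Function

    ' Called by the application when it needs the value. Fails closed if the
    ' stored text was altered, copied from another machine, or protected with
    ' a different purpose label.
    Public Shared Function Unprotect(ByVal encodedText As String) As String
        Try
            Dim blob As Byte() = Convert.FromBase64String(encodedText)
            Return Encoding.UTF8.GetString(ProtectedData.Unprotect(blob, purpose, Scope))
        Catch ex As FormatException
            Throw New InvalidOperationException("Protected setting is not valid Base64.", ex)
        Catch ex As CryptographicException
            Throw New InvalidOperationException("Protected setting cannot be unprotected on this machine.", ex)
        End Try
    End Function
End Class

Public Module Demo
    Public Sub Main()
        ' Constructed sample value, not a real credential.
        Dim sample As String = "Server=db01;Database=Orders;User Id=app;Password=example-only"
        Dim stored As String = ConfigSecret.Protect(sample)
        Console.WriteLine("Store in web.config: " & stored)
        Console.WriteLine("Round trip OK: " & (ConfigSecret.Unprotect(stored) = sample).ToString())
    End Sub
End Module
```

Because the protected value only unprotects on the machine that produced it, Protect has to be run on each server the application is deployed to.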