The value of web.config RSA encryption

Hi,

In our production environment, we would like to protect our database
connection string against system administrators (they are admin on the web
server box).
I went through this article that describes options for how to encrypt the
connection string section within the web.config:

http://msdn.microsoft.com/en-us/library/ms998283.aspx

The article explains that aspnet_regiis -pdf can easily decrypt the
web.config back to clear text situation. That means an administrator can
decrypt all database connection strings. So there is not much point in
encrypting the web.config for us.

I wonder if there is any technique, so the decryption won't be easy (like
using a salt or secondary key that only the web application knows).

Any help would be appreciated,
Max

Oct 22 '08 #1
Hi Max,

Based on my experience, it's impossible to protect the connection string
against system administrators. If we need ASP.NET to get the connection
string, ASP.NET must know how to decrypt it. As we know, the system
administrator has the highest privilege. If the ASP.NET account can know
the key to decrypt it, the system admin can know that as well.

What I can suggest is, if you don't trust the administrators of the server
hosting your web site, you can host your web site yourself. If you have no
other choice, maybe you can seek some legal advice.

Hope my suggestions can help and please let me know if you need further
assistance.

Regards,
Allen Chen
Microsoft Online Support

--------------------
| From: "Max2006" <al*******@newsgroup.nospam>
| Subject: The value of web.config RSA encryption
| Date: Wed, 22 Oct 2008 12:18:43 -0400
| Lines: 1
| Message-ID: <09**********************************@microsoft.co m>
| MIME-Version: 1.0
| Content-Type: text/plain;
| format=flowed;
| charset="iso-8859-1";
| reply-type=original
| Content-Transfer-Encoding: 7bit
| X-Priority: 3
| X-MSMail-Priority: Normal
| Importance: Normal
| X-Newsreader: Microsoft Windows Live Mail 12.0.1606
| X-MimeOLE: Produced By Microsoft MimeOLE V12.0.1606
| X-MS-CommunityGroup-PostID: {0902B0FB-5B0C-4C57-B472-0D309882E5FE}
| X-MS-CommunityGroup-MessageCategory: {E4FCE0A9-75B4-4168-BFF9-16C22D8747EC}
| Newsgroups: microsoft.public.dotnet.framework.aspnet
| Path: TK2MSFTNGHUB02.phx.gbl
| Xref: TK2MSFTNGHUB02.phx.gbl microsoft.public.dotnet.framework.aspnet:78371
| NNTP-Posting-Host: TK2MSFTNGHUB02.phx.gbl 127.0.0.1
| X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet

Oct 23 '08 #2
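
An added example, not part of the thread or of the MSDN article it links: a PowerShell check that reports whether a web.config stores its connectionStrings section in clear text or under a protected-configuration provider such as the RSA one discussed above, and whether a clear-text string embeds a password. The function name, file names and sample contents are constructed for illustration.

```powershell
# Added example (not from the thread). A section encrypted with aspnet_regiis -pef
# carries a configProtectionProvider attribute and an <EncryptedData> child.
function Get-ConnectionStringProtection {
    param([Parameter(Mandatory)][string]$Path)

    $xml = New-Object System.Xml.XmlDocument
    $xml.Load($Path)
    # local-name() tolerates a default namespace on <configuration>
    $xpath = "/*[local-name()='configuration']/*[local-name()='connectionStrings']"
    $section = $xml.SelectSingleNode($xpath)
    if ($null -eq $section) {
        return [pscustomobject]@{ Path = $Path; State = 'NoSection'; Provider = ''; EmbeddedPassword = $false }
    }

    $encrypted = $null -ne $section.SelectSingleNode("*[local-name()='EncryptedData']")
    $hasPassword = $false
    if (-not $encrypted) {
        foreach ($add in $section.SelectNodes("*[local-name()='add']")) {
            # Flag credentials embedded in the connection string itself
            if ($add.GetAttribute('connectionString') -match '\b(password|pwd)\s*=') {
                $hasPassword = $true
            }
        }
    }
    [pscustomobject]@{
        Path             = $Path
        State            = if ($encrypted) { 'Encrypted' } else { 'ClearText' }
        Provider         = $section.GetAttribute('configProtectionProvider')
        EmbeddedPassword = $hasPassword
    }
}

# Constructed sample files, written to a temp directory so the check runs offline
$dir = Join-Path ([System.IO.Path]::GetTempPath()) 'webconfig-audit-sample'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
Set-Content -Path (Join-Path $dir 'clear.config') -Value @'
<configuration><connectionStrings>
  <add name="Main" connectionString="Server=db01;Database=App;User Id=app;Password=EXAMPLE-ONLY" />
</connectionStrings></configuration>
'@
Set-Content -Path (Join-Path $dir 'protected.config') -Value @'
<configuration><connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
  <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns="http://www.w3.org/2001/04/xmlenc#">
    <CipherData><CipherValue>CONSTRUCTED-PLACEHOLDER</CipherValue></CipherData>
  </EncryptedData>
</connectionStrings></configuration>
'@
Get-ChildItem $dir -Filter *.config |
    ForEach-Object { Get-ConnectionStringProtection $_.FullName } | Format-Table -AutoSize
```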
Hi Max,

Have you got the expected answer?

Regards,
Allen Chen
Microsoft Online Support


Oct 27 '08 #3

Hi Allen, Yes I did. Thanks...Max
Oct 31 '08 #4
