Microsoft ASP.NET Coding Strategies with the Microsoft ASP.NET Team (Pro-Developer)

Storing commonly used data within configuration is exactly what configuration is designed for. For example, the settings necessary to support out-of-process Session state, such as the connection string, are stored within configuration. Storing your own application resources, such as connection strings, in .config files is also recommended. As you know, configuration provides a central, easy-to-manage repository for this type of information. However, this data storage is not secured by default. If the system were compromised, system information could be taken from the configuration file. Fortunately, requests for the .CONFIG extension are blocked by default, so you can’t simply download someone’s web.config!

Version 1.1 of ASP.NET introduced a new capability that allows for the encryption of some parts of configuration, such as <processModel /> and <sessionState />, that can potentially contain data to be secured. (Knowledge Base article 329290 has more extensive and recent details.) Support for secure storage of connection strings and other configuration data is a planned addition for ASP.NET 2.0.

Encrypting Data

Information stored in the following configuration sections can be encrypted and stored securely in the registry:

To enable this encryption capability, you first need to download a special tool, aspnet_setreg.exe, from http://download.microsoft.com/download/2/9/8/29829651-e0f0-412e-92d0-e79da46fd7a5/Aspnet_setreg.exe. After you download this file, extract it and store it in the version-specific directory that also contains the other ASP.NET-related command-line utilities, for example, C:\Windows\Microsoft.NET\Framework\v1.1.4322\. Visit the following site for instructions about how to use this tool: http://support.microsoft.com/default.aspx?scid=kb%3ben-us%3b329290.
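An audit check for the two sections named above, added here as an example and not taken from the book or from Microsoft: it reports attributes that still hold clear-text secrets. It assumes that a value moved to the registry appears in the config as a reference beginning with `registry:` (the format Knowledge Base article 329290 describes); the function names, sample configs, account, password and registry key paths are constructed.

```python
import xml.etree.ElementTree as ET

# Secret-bearing attributes of the two sections the text names.
SENSITIVE = {
    "processModel": ("userName", "password"),
    "sessionState": ("stateConnectionString", "sqlConnectionString"),
}
BUILTIN = {"machine", "system", "autogenerate"}  # processModel keywords, not secrets
REGISTRY_PREFIX = "registry:"  # assumed marker for a value moved to the registry

def has_inline_password(conn):
    """True if a connection string carries a non-empty password/pwd key."""
    for part in conn.split(";"):
        key, _, value = part.partition("=")
        if key.strip().lower() in ("password", "pwd") and value.strip():
            return True
    return False

def find_plaintext(config_xml):
    """Return sorted (section, attribute) pairs still holding clear-text secrets."""
    findings = []
    for section, attrs in SENSITIVE.items():
        for elem in ET.fromstring(config_xml).iter(section):
            for attr in attrs:
                value = elem.get(attr)
                if value is None or value.lower().startswith(REGISTRY_PREFIX):
                    continue  # absent, or already a registry reference
                if section == "processModel" and value.lower() in BUILTIN:
                    continue  # built-in account keyword
                if section == "sessionState" and not has_inline_password(value):
                    continue  # no embedded credential (e.g. integrated security)
                findings.append((section, attr))
    return sorted(findings)

# Constructed samples; the account, password and registry key are placeholders.
PLAIN = r'''<configuration><system.web>
  <processModel userName="EXAMPLE\svc_web" password="ExamplePassw0rd" />
  <sessionState mode="SQLServer" stateConnectionString="tcpip=127.0.0.1:42424"
    sqlConnectionString="data source=127.0.0.1;user id=session;password=ExamplePassw0rd" />
</system.web></configuration>'''
HARDENED = r'''<configuration><system.web>
  <processModel userName="registry:HKLM\SOFTWARE\ExampleApp\processModel\ASPNET_SETREG,userName"
    password="registry:HKLM\SOFTWARE\ExampleApp\processModel\ASPNET_SETREG,password" />
  <sessionState mode="SQLServer"
    sqlConnectionString="registry:HKLM\SOFTWARE\ExampleApp\sessionState\ASPNET_SETREG,sqlConnectionString" />
</system.web></configuration>'''

if __name__ == "__main__":
    print(find_plaintext(PLAIN))     # three findings
    print(find_plaintext(HARDENED))  # no findings
```

Run it over machine.config as well as each web.config, since `<processModel />` is normally set at machine level.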
