Be Secure from Your Side with Encrypted Connection Strings in Configuration Files

Introduction:

Connection strings contain sensitive credentials for resource access, such as user names, passwords and server names. Storing them in plaintext is dangerous: an attacker who compromises the server can read every connection string on it. Even if the machine is not compromised, plaintext connection strings are readable by administrators and any other users with sufficient privileges on the host machine and/or the Windows domain.

How to do all this?

1. Choose the appropriate configuration provider. Under most circumstances DPAPI will suffice, although the RSA protected configuration is the logical choice in web farms where multiple servers are employed.

2. Identify the configuration sections to be encrypted. Encrypting and decrypting data incurs performance overhead, so to keep it to a minimum, encrypt only the sections of the configuration file that store sensitive data. Encrypt the <connectionStrings> element of the Web.config file to protect the database connection string.

3. Choose the machine or user store. The DataProtectionConfigurationProvider supports machine-level and user-level stores for key storage. The choice of store depends largely on whether or not the application shares a server with other applications and whether or not sensitive data must be kept private for each application.

Machine Store

By default, the DataProtectionConfigurationProvider is configured to use DPAPI with the machine store. Use machine-level key storage in the following situations:

The application runs on its own dedicated server with no other applications.
Multiple applications run on the same server and those applications need to be able to share sensitive information.
To encrypt the connectionStrings section with the Machine Store, run the following command from a .NET command prompt:

aspnet_regiis -pe "connectionStrings" -app "/MachineDPAPI" -prov "DataProtectionConfigurationProvider"

User Store

Use user-level key storage if the application runs in a shared hosting environment and the application's sensitive data should not be accessible to other applications on the server. In this situation, each application should run under a separate identity, and the resources for the application, such as files and databases, should be restricted to that identity.

To encrypt the connectionStrings section with the User Store, run the following command from a .NET command prompt:

aspnet_regiis -pe "connectionStrings" -app "/UserDPAPI" -prov "MyUserDataProtectionConfigurationProvider"

4. Encrypt the configuration file data.

For an application hosted in IIS (identified by its virtual path):

aspnet_regiis -pe "connectionStrings" -app "/MachineDPAPI" -prov "DataProtectionConfigurationProvider"

For an application identified by the physical path of its configuration file:

aspnet_regiis.exe -pef "connectionStrings" C:\Projects\MachineDPAPI -prov "DataProtectionConfigurationProvider"

Note: Encrypting connection strings with aspnet_regiis does not change the code required to read the string, because decryption happens automatically when the section is loaded, so no further logic is needed.
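As an added defender-side check, not part of the original post: a small Python audit that parses a Web.config and reports whether its connectionStrings section has been protected by aspnet_regiis -pe, and which plaintext entries still embed a password. The two sample configs and the CipherValue are constructed placeholders; the protected shape (a configProtectionProvider attribute plus an EncryptedData/CipherData/CipherValue child) is what the DataProtectionConfigurationProvider writes in place of the <add> entries.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample configs: the plaintext "before" and a section as aspnet_regiis -pe
# leaves it. The CipherValue is a placeholder, not real DPAPI output.
PLAINTEXT_CONFIG = """<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <add name="Orders" connectionString="Server=db01;Database=Orders;User Id=app;Password=S3cret!" />
    <add name="Audit" connectionString="Server=db01;Database=Audit;Integrated Security=SSPI" />
  </connectionStrings>
</configuration>"""

PROTECTED_CONFIG = """<?xml version="1.0"?>
<configuration>
  <connectionStrings configProtectionProvider="DataProtectionConfigurationProvider">
    <EncryptedData>
      <CipherData>
        <CipherValue>AQAAANCMnd8BFdERjHoAwE/Cl+s...PLACEHOLDER...</CipherValue>
      </CipherData>
    </EncryptedData>
  </connectionStrings>
</configuration>"""

# Keys whose presence in a plaintext connection string means a credential is exposed.
CREDENTIAL_KEYS = re.compile(r"(?i)(?:^|;)\s*(password|pwd)\s*=")

def audit_connection_strings(config_xml: str) -> dict:
    """Audit the <connectionStrings> section of one Web.config."""
    root = ET.fromstring(config_xml)
    section = root.find("connectionStrings")
    if section is None:
        return {"present": False, "protected": False, "provider": None, "exposed": []}
    provider = section.get("configProtectionProvider")
    # A protected section carries the provider attribute and an EncryptedData child;
    # its <add> entries are no longer readable without the DPAPI/RSA key.
    protected = provider is not None and section.find("EncryptedData") is not None
    exposed = []  # names of plaintext entries that embed a password
    if not protected:
        for add in section.findall("add"):
            if CREDENTIAL_KEYS.search(add.get("connectionString", "")):
                exposed.append(add.get("name"))
    return {"present": True, "protected": protected, "provider": provider, "exposed": exposed}

if __name__ == "__main__":
    for path, xml_text in {"/MachineDPAPI/Web.config": PLAINTEXT_CONFIG, "/UserDPAPI/Web.config": PROTECTED_CONFIG}.items():
        rec = audit_connection_strings(xml_text)
        if rec["present"] and not rec["protected"]:
            print(f"{path}: connectionStrings is plaintext; run aspnet_regiis -pe (credentials in {rec['exposed']})")
```

Point the loop at the Web.config files on a server or in a repository to find sections that still need step 4 applied.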
