Monday, December 31, 2012

IIS 6.x - Encrypt Web.Config

Steps for IIS 6.x to encrypt web.config
  1. Create a custom RSA key container (MyKeys can be replaced with any name).
    • Open a CMD prompt
    • Navigate to: c:\windows\microsoft.net\framework\v2.0
    • Run the following command:
      • aspnet_regiis.exe -pc "MyKeys" -exp
    • Hit the ENTER key
  2. Find out which Windows identity your ASP.NET application is running as.
    • Open Notepad
    • Paste in the following (the page simply writes out the account name of the worker process):
        <%@ Page Language="C#" %>
        <%-- Writes the Windows account that the ASP.NET worker process runs as --%>
        <%
        Response.Write(System.Security.Principal.WindowsIdentity.GetCurrent().Name);
        %>
    • Save the file as "identity.aspx" somewhere within your website where you can reach it from a browser.
    • Open identity.aspx in a browser and make a note of the account name it displays.
  3. Grant the identity access to the RSA key container (created in Step 1).
    • Open a CMD prompt (if not already opened)
    • Navigate to: c:\windows\microsoft.net\framework\v2.0
    • Run the following command:
      • aspnet_regiis.exe -pa "MyKeys" "NameOfASP.NETaccountReturnedAbove"
    • Hit the ENTER key
  4. Specify an instance of a Protected Configuration provider in the web.config.
    • Open your web.config in Notepad or some other editor.
    • Make sure you have a <connectionStrings> section in your <configuration> section.
    • Add a <configProtectedData> section.  "MyProvider" can be replaced with any name.
      • Example:
        <configuration>
           <configProtectedData>
              <providers>
                 <add name="MyProvider"
                      type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0,
                            Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a,
                            processorArchitecture=MSIL"
                      keyContainerName="MyKeys" 
                      useMachineContainer="true" />
              </providers>
           </configProtectedData>
         
           <connectionStrings>
              <add name="SqlServices" connectionString="Data Source=localhost;Integrated Security=SSPI;Initial Catalog=Northwind;" />
           </connectionStrings>
        </configuration>
        
  5. Encrypt the actual web.config.
    • Open a CMD prompt (if not already opened)
    • Navigate to: c:\windows\microsoft.net\framework\v2.0
    • Run the following command.  "MyApplication" should be replaced with your actual .NET application name:
      • aspnet_regiis.exe -pe "connectionStrings" -app "/MyApplication" -prov "MyProvider"
      • Or, if you want to point at the physical (e.g. UNC) path of the directory that contains the web.config, use -pef instead of -pe:
      • aspnet_regiis.exe -pef "connectionStrings" "\\path\path\to\.net\directory" -prov "MyProvider"
More information from Microsoft.
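As an added example (this is not code from the original post), here is a small C# helper that does from code what steps 2 and 5 do from the command line and that lets you verify the result afterwards: it reports which Windows identity the application runs as, checks whether <connectionStrings> is already protected and by which provider, protects it with the named provider if it is not, and reads a connection string back to confirm that the worker identity can actually decrypt it. The provider name "MyProvider", the virtual path "/MyApplication" and the connection string name "SqlServices" are taken from the post's own examples; the class and method names are my own and are assumptions.

```csharp
// Added example, not part of the original post. Targets .NET 2.0 / System.Web
// and System.Configuration, which is what the post's aspnet_regiis commands assume.
using System;
using System.Configuration;
using System.Security.Principal;
using System.Web.Configuration;

public static class WebConfigProtection
{
    // Step 2 from code: the account the worker process runs as. This is the
    // account that must be granted access to the key container in step 3.
    public static string CurrentIdentity()
    {
        return WindowsIdentity.GetCurrent().Name;
    }

    // True when <connectionStrings> is stored encrypted on disk. If this is
    // false, the connection string (and any password in it) is plaintext.
    public static bool IsConnectionStringsProtected(string appVirtualPath)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appVirtualPath);
        ConfigurationSection section = config.GetSection("connectionStrings");
        return section.SectionInformation.IsProtected;
    }

    // Name of the provider that protects the section, or null if unprotected.
    public static string ProtectionProviderName(string appVirtualPath)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appVirtualPath);
        ConfigurationSection section = config.GetSection("connectionStrings");
        ProtectedConfigurationProvider provider = section.SectionInformation.ProtectionProvider;
        return provider == null ? null : provider.Name;
    }

    // Step 5 from code: the programmatic equivalent of
    //   aspnet_regiis.exe -pe "connectionStrings" -app "/MyApplication" -prov "MyProvider"
    // Run this from an administrative context that can write web.config, not
    // from the live site (the worker identity normally must not have write
    // access to its own web.config).
    public static void ProtectConnectionStrings(string appVirtualPath, string providerName)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appVirtualPath);
        ConfigurationSection section = config.GetSection("connectionStrings");
        if (section.SectionInformation.IsProtected)
        {
            return; // already encrypted; protecting twice is an error
        }
        section.SectionInformation.ProtectSection(providerName);
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
    }

    // Verification: the application reads the connection string exactly as
    // before; decryption is transparent. If step 3 was skipped (the worker
    // identity has no access to the RSA key container), this read fails with a
    // ConfigurationErrorsException whose message mentions that the RSA key
    // container could not be opened.
    public static string ReadConnectionString(string name)
    {
        ConnectionStringSettings settings = ConfigurationManager.ConnectionStrings[name];
        if (settings == null)
        {
            throw new ArgumentException("No connection string named '" + name + "' in web.config.");
        }
        return settings.ConnectionString;
    }
}

// Example use from an admin tool or a diagnostics page (values are the post's placeholders):
//   Console.WriteLine("Running as: " + WebConfigProtection.CurrentIdentity());
//   if (!WebConfigProtection.IsConnectionStringsProtected("/MyApplication"))
//       WebConfigProtection.ProtectConnectionStrings("/MyApplication", "MyProvider");
//   Console.WriteLine("Provider: " + WebConfigProtection.ProtectionProviderName("/MyApplication"));
//   WebConfigProtection.ReadConnectionString("SqlServices"); // throws if the identity cannot decrypt
```

After running step 5 (or ProtectConnectionStrings), open web.config and confirm the section now reads `<connectionStrings configProtectionProvider="MyProvider">` with an `<EncryptedData>` child instead of the plaintext `<add ... />`; a successful ReadConnectionString from the site itself confirms both that the encryption happened and that the step 3 grant was applied to the right account.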
