How to secure Connection Strings

Secure your Connection String

If you have a website in a Shared web hosting service you should be worried about that the website maybe get hacked. Here what really happens is a user makes a HTTP request, your web application processes the request including connecting to the database, and returns the result to the user . Sending the connectionstring over HTTP will be just as plain text.

Encrypt or Decrypt Connection Strings in a web.config file

The connection string in the Web.config file contains sensitive information of database such as connectionstring parameters. To avoid these problems you can improve the security of sensitive information stored in a connection string by using built in protected configuration model functionality to encrypt or decrypt few sections of a web.config file .

How to encrypting the connection string in ASP.NET ?

You can encrypt the connectionstring section of a web.config file by using aspnet_regiis.exe command line tool, so it is never stored as plain text. This file is located in the %systemroot%\Microsoft.NET\Framework\versionNumber folder and you can use with -pef option. Consider you have an application named as MyWebApp. You can encrypt the connectionStrings section of the Web.config file by using aspnet_regiis.exe as follows :

aspnet_regiis.exe -pef "connectionStrings" "/MyWebApp"

-pef indicates that the application is built as File System website and second argument connectionStrings indicates the name of configuration section needs to be encrypted and the third argument is the physical path where the web.config file is located.

If you are using IIS based web application the command will be,

aspnet_regiis.exe -pe "connectionStrings" -app "/MyWebApp"

The -pe option, passing it the string "connectionStrings" to encrypt the connectionStrings element.

The -app option, passing it the name of your application.

After running the tool successfully .. you will receive a message "Encrypting configuration section...Succeeded!"

How to decrypt the connection string in ASP.NET ?

When you want to decrypt the encrypted Web.config file, run the aspnet_regiis.exe tool with the -pd option. The syntax is the same as encrypting Web.config file contents with the -pe option except that you do not specify a protected configuration provider.






Related Topics
  1. Asp.Net Interview Questions (Part-1)
  2. Asp.Net Interview Questions (Part-2)
  3. Advantages of ASP.NET Web Development
  4. What is IIS - Internet Information Server
  5. What is Virtual Directory
  6. What is HttpHandler
  7. Page Directives in Asp.Net
  8. What is a postback
  9. What is IsPostBack
  10. What is global.asax
  11. Difference between Machine.config and web.config
  12. Difference between HTML control and Web Server control
  13. What is Query String
  14. Difference between Authentication and Authorization
  15. What is ASP.Net tracing
  16. Passing values between Asp.Net pages
  17. Differentiate between client side validation and server side validation
  18. How to Get host domain from URL
  19. Adding a Favicon To Your Website
  20. Asp.Net Textbox value in Javascript
  21. AutoEventWireup attribute in ASP.NET
  22. Can I use multiple programming languages in a ASP.net Web Application?
  23. Difference: Response.Write and Response.Output.Write
  24. How many web.config files can I have in an application?
  25. What is Protected Configuration in asp.net?
  26. Static variables, what is their life span?
  27. Difference between ASP Session and ASP.NET Session?
  28. What does mean Stateless?
  29. What is the Difference between session and caching?
  30. What are different types of caching using cache object of ASP.NET?
  31. Which method is used to remove the cache object?
  32. How many types of Cookies are available in ASP.NET?
  33. What is Page Life Cycle in ASP.net?
  34. What is the code behind and Inline Code in Asp.Net?
  35. What is master page in ASP.NET?
  36. Can you change a Master Page dynamically at runtime?
  37. What is cross-page posting in ASP.NET?
  38. How to redirect a page in asp.net without performing a round trip ?
  39. How to register custom server control on ASP.NET page?
  40. How do you validate Input data in Asp.Net?
  41. What's the difference between ViewData and ViewBag?
  42. Difference between Response.Redirect and Server.Transfer
  43. What is the function of the CustomValidator control?
  44. Define RequiredFieldValidator?
  45. Difference between custom control and user control
  46. Difference between Label and Literal control in ASP.Net
  47. What are the major events in Global.Asax file?
  48. What is Event Bubbling in asp.net ?
  49. What is Delay signing?
  50. What is the difference between in-proc and out-of-proc?
  51. What is the difference between POST and GET?
  52. A potentially dangerous Request.Form value was detected from the client