Like, uh, whatever, I guess


  Wednesday, May 05, 2004
    [3:39:27 PM]

ASP.NET: Encrypting credentials and connection strings

Several people have mentioned lately that they were concerned that their user credentials for DasBlog were stored in plain text in an XML configuration file on the web server. The standard response to that, at least on GotDotNet, is that if your web server is compromised, then your blog is also compromised (tough luck).

While that is true, the problem I have is that in a corporate environment all sorts of people have access to web servers (system administrators, systems support, etc.), but they don't necessarily have access to other resources, databases in particular. The ability to add or edit someone's blog is also undesirable.

With that in mind, it may be worth looking at this Microsoft Knowledge Base article (http://support.microsoft.com/default.aspx?scid=kb;en-us;329290) on how to encrypt the settings just described.

The article references a downloadable utility, Aspnet_setreg.exe, which basically encrypts the settings and stores them in the system registry. Those settings are then referenced from the configuration file by using the registry key and some other parameters (full details in the article).
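As an added illustration (not taken from the original post), this is roughly what a web.config looks like once the `<identity>` and `<sessionState>` secrets have been moved into the registry with Aspnet_setreg.exe. The registry key path `SOFTWARE\EXAMPLE_APP`, the account names and the passwords are constructed placeholders.

```xml
<?xml version="1.0"?>
<!--
  Before (plain text, readable by anyone who can read the file):

    <identity impersonate="true"
              userName="EXAMPLEDOMAIN\svc_blog"
              password="constructed-password" />
    <sessionState mode="SQLServer"
                  sqlConnectionString="data source=dbhost;user id=svc_state;password=constructed-password" />

  The values are written to the registry once, from an administrator prompt
  (placeholder key names):

    aspnet_setreg.exe -k:SOFTWARE\EXAMPLE_APP\identity -u:"EXAMPLEDOMAIN\svc_blog" -p:"constructed-password"
    aspnet_setreg.exe -k:SOFTWARE\EXAMPLE_APP\sessionState -c:"data source=dbhost;user id=svc_state;password=constructed-password"
-->
<configuration>
  <system.web>
    <!-- After: each attribute points at an encrypted value under the
         ASPNET_SETREG subkey that the utility creates. -->
    <identity impersonate="true"
              userName="registry:HKLM\SOFTWARE\EXAMPLE_APP\identity\ASPNET_SETREG,userName"
              password="registry:HKLM\SOFTWARE\EXAMPLE_APP\identity\ASPNET_SETREG,password" />

    <sessionState mode="SQLServer"
                  sqlConnectionString="registry:HKLM\SOFTWARE\EXAMPLE_APP\sessionState\ASPNET_SETREG,sqlConnectionString" />
  </system.web>
</configuration>
```

The ASP.NET worker process account needs read permission on the registry key, so the key's ACL should be limited to that account and administrators.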
