Sunday, January 16, 2011

Securing your application's configuration data

Hi guys!
We all add our passwords, connection strings and etc in our config files. But how secure are they? I'll focus on Web Applications.

Basic security
Internet Information Services (IIS) - the most popular server for ASP.NET Applications is by default set to reject all requests to files with extensions .config. So, any file on your web server, named as *.config is safe and cannot be viewed.

Next steps
However, let's consider another scenario. What if we want to protect ourselves from everyone who actually have access to our web servers? We can use 3 approaches - it's only up to you to choose how to combine them:

1. Built-in web.config encryption - By default ASP.NET provides as with the functionality to encrypt the whole web.config or a configuration section in it. After we encrypt it the IIS server automatically decrypts it when starts reading the web.config file. Encrypting is simple and straightforward:

aspnet_regiis -pef ConfigurationSectionName

Example is explained here: http://odetocode.com/blogs/scott/archive/2006/01/08/encrypting-custom-configuration-sections.aspx

2. Custom encryption - In most cases, we're collaborating with other people when working on projects and our source is saved into a Source Control. If we want to hide some sensitive information, we can't actually check-in an encrypted config section, because we won't be able to change the settings there anymore.

What we can do now is implement a custom Encryption and Decryption algorithm. Then we'll be able to save an encrypted version of the password in the config file and decrypt it before we start using it. We use plenty of approaches for doing this - use standard algorithm like Rijndael or write a custom encryption/decryption function. Someone can still decrypt the password, but it's not in plain text anymore.

3. Operating System access control usage - We can go one step further - we can physically deny access to the configuration files for anyone except the Application Pool user of our Web Application. This way no one logged on the machine won't be able to see the contents of these files.

This security is useful, when there are people having access to the server - they can log in or browse it through network share. Restricting the permissions only to the Application Pool User will prevent everyone else from reading the contents of these files.

In Conclusion
Security is an important part of our applications. All ways to add security to your application in this article are quite simple. You can combine any set of them, until you're satisfied with the level of security or meet your project's security requirements.

You can leave a comment, if you have some additions to this list of security actions.