Is Encrypting Your Web.config A Waste Of Time?
In my last blog post I wrote about a utility has created to make it easier to encrypt web.config files hoping it would encourage more developers to protect their data. If you’ve ever tried doing it manually before, it isn’t really a very convenient process.
Additionally, I posted the blog entry on CodeProject — and received rather interesting response.
This article is pointless.
– Quote any high security site that uses an encrypted config file!
– If somebody has physical access to your config file/web server, you are as well doomed
Really? Is encrypting your web.config pointless. I don’t think so. In fact, I replied back with the following.
Encrypting a web.config file isn’t to defend against your server being compromised, but even if it were then I don’t think you understand exactly how aspnet_regiis works. The keys are written and locked down so that only members of the Administrators group can even read it, any lesser privileged accounts still can’t decrypt your web.config. Since typically website worker processes are running as NETWORK SERVICE, then unless you did something REALLY silly, your web.config should still be safe.
Even though that isn’t bullet-proof security, think about this scenario — You’ve have some junior developer right out of college working on a project that allows people to go out and download documents off your web server. He wants to send back the file as a download so he writes the bytes to the response stream and makes a change to the content-disposition and viola – freshly served documents all with a nice and neat little download dialog box.
But if your developer left a tiny little bug in the app and it was possible to download “../web.config” — What would you prefer to be served up? Encrypted or unencrypted?
In my opinion, an encrypted web.config file is 100% better than no encryption at all. Logging onto the server and running aspnet_regiis was very inconvenient way to get this done – this tool was made just try and help people get it done without needing to invest a lot of time into it.
But this really got me wondering, is this really a common opinion in the development community? Is encrypting your web.config really a waste of time? I don’t really think that encrypting your web.config file is the solution to all your problems – but it is some really cheap insurance that you can take out on sensitive file.
So what do you think? Is encrypting a web.config worth the time?
Hugoware 
Encrypting configs in enterprise applications is definitely worth the time. Many companies allow contractors access to source code repositories that contain unencrypted configs that contain credentials which can be used to gain access to sensitive information. I have seen implementations where credentials were available to hundreds of developers that could give any one of them access to thousands of credit card details. There’s no excuse. Your tool makes it easy for even lazy administrators to up their game. Nice work!
Rob Thijssen
July 22, 2009 at 5:38 am
Rob that is an excellent point about contractors. Just because they didn’t ‘hack into your server’ doesn’t mean they won’t want to snoop around.
webdev_hb
July 22, 2009 at 6:24 am
[…] was reading a blog today (https://somewebguy.wordpress.com/2009/07/20/is-encrypting-your-web-config-a-waste-of-time/) about both how to encrypt your appsettings/connectionstrings etc. using the aspnet_regiis […]
Is encrypting web.config pointless? - Programming Tutorial
January 2, 2022 at 2:41 am