Encrypt Your Web.config, Please
If you follow me on Twitter you may notice me talk about #BadVendor from time to time. Actually, they were recently upgraded to #EpicFailVendor when I discovered they weren’t cleaning strings before passing them into SQL queries. Needless to say, every day has been a little more shocking than the last.
For the most part all of these systems are things I can’t make changes to — either it’s compiled code or I just don’t have the authority to go in and make the fixes, but there is something that I can do — encrypt their web.config files.
Making Encrypting Easier
Encrypting normally involves logging onto the server in question, locating a few mildly obscure pieces of information and then running aspnet_regiis. It’s not that hard, but it isn’t point-and-click easy either.
I wanted to make it easier to update these files without needing to locate all the information each time, so I wrote a little application to make the whole process a bit easier. The utility uses credentials you supply to log into your servers via WMI, locate the required information and then encrypt your files, without needing to pull up a command prompt.
I’m not really a WinForms guy and WMI is certainly not my specialty, but this program came together pretty quickly and seems to be fairly decent. It’s certainly not bug free and could use a round of refactoring to make it nicer, so any feedback is appreciated.
How It Works
The first step is to provide your credentials to the server you want to log into. If you choose to run the tool on the actual server itself then you can leave all those fields blank (since WMI won’t use them for local connections anyway). If you aren’t an admin for that server, or at least have an account with some elevated credentials, then this may not work for you.
Once you successfully connect to the server, a list of the sites on the server will be loaded along with any virtual directories (since they could potentially contain a web.config file). At this point you can simply browse around and find the web.config you’re wanting to encrypt.
It’s worth noting that if there isn’t a web.config (that name specifically) inside the directory then it won’t be listed. If you happen to have something named web.temp.config then it won’t show up on this list.
At this point the program is going to do a little painful WMI magic and connect out to your server and load the web.config file into the view. The config file will be parsed and all the root nodes will be listed as available to be encrypted.
There are apparently some rules about what can or cannot be encrypted, so if the actual aspnet_regiis call fails you’ll just end up with the same file as before, but you don’t get an explicit message as to why (I’m still trying to find out how I can access messages like that in a semi-reliable WMI fashion).
There isn’t much configuration for this application. The default settings are used to perform the encryption and decryption of the web.config files, so if you want to add some features you are more than welcome to add them in. I’d love to hear about your changes so I can add them to this version.
It’s not hard to encrypt your web.config files and keep your sensitive information safe. The command line tool aspnet_regiis offers a lot of great functions to further protect your data. Hopefully, this tool allows you to get your work done even faster.
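The aspnet_regiis steps the article wraps in WMI can also be scripted directly on the server. The following is an added example, not the article’s Nkrypt code: it protects or unprotects one top-level section of a web.config by physical path and then verifies the result on disk, which catches the silent “same file as before” outcome mentioned above. It assumes you run it elevated on the IIS host itself, that 64-bit .NET Framework 4.x is installed under the usual path, and that `C:\inetpub\wwwroot\MyApp` is a placeholder for your own site directory.

```powershell
# Added example (not the article's Nkrypt utility): protect/unprotect a
# web.config section with aspnet_regiis.exe and verify the outcome.
# Assumptions: elevated session on the IIS host, .NET Framework 4.x,
# $AppPath is a placeholder for the directory that holds web.config.

$AspnetRegiis = Join-Path $env:windir 'Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe'
if (-not (Test-Path $AspnetRegiis)) {
    # 32-bit framework fallback, same version directory under Framework\
    $AspnetRegiis = Join-Path $env:windir 'Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe'
}

function Invoke-AspnetRegiis {
    # Runs aspnet_regiis with the given arguments; a non-zero exit code becomes
    # a terminating error instead of being lost, as it is when driven over WMI.
    param([Parameter(Mandatory)] [string[]] $Arguments)
    $output = & $AspnetRegiis @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "aspnet_regiis $($Arguments -join ' ') failed (exit $LASTEXITCODE): $output"
    }
    $output
}

function Test-WebConfigSectionProtected {
    # True when the named top-level section is already encrypted: aspnet_regiis
    # replaces its body with <EncryptedData> and stamps the element with
    # configProtectionProvider="<provider name>".
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $AppPath,
        [string] $Section = 'connectionStrings'
    )
    $configFile = Join-Path $AppPath 'web.config'
    [xml] $xml = Get-Content -LiteralPath $configFile -Raw
    $node = $xml.DocumentElement.SelectSingleNode($Section)
    if ($null -eq $node) { throw "Section <$Section> not found in $configFile" }
    return [bool] $node.GetAttribute('configProtectionProvider')
}

function Protect-WebConfigSection {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $AppPath,
        [string] $Section = 'connectionStrings',
        # DataProtectionConfigurationProvider = DPAPI, keyed to this machine (the
        # default when -prov is omitted). RSAProtectedConfigurationProvider uses an
        # RSA key container, which can be exported to other web farm members.
        [ValidateSet('DataProtectionConfigurationProvider', 'RSAProtectedConfigurationProvider')]
        [string] $Provider = 'DataProtectionConfigurationProvider'
    )
    if (Test-WebConfigSectionProtected -AppPath $AppPath -Section $Section) {
        Write-Verbose "<$Section> is already protected; nothing to do"
        return
    }
    # -pef: encrypt a section, addressing the web.config by physical directory
    Invoke-AspnetRegiis @('-pef', $Section, $AppPath, '-prov', $Provider) | Out-Null
    # aspnet_regiis can return without changing the file (e.g. a section it
    # refuses to encrypt), so check the file rather than trusting the exit code
    if (-not (Test-WebConfigSectionProtected -AppPath $AppPath -Section $Section)) {
        throw "aspnet_regiis returned but <$Section> is still clear text"
    }
}

function Unprotect-WebConfigSection {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $AppPath,
        [string] $Section = 'connectionStrings'
    )
    # -pdf: decrypt a section by physical directory; the provider is read from
    # the configProtectionProvider attribute, so no -prov is needed here
    Invoke-AspnetRegiis @('-pdf', $Section, $AppPath) | Out-Null
}

# Usage (placeholder path):
# Protect-WebConfigSection   -AppPath 'C:\inetpub\wwwroot\MyApp' -Verbose
# Test-WebConfigSectionProtected -AppPath 'C:\inetpub\wwwroot\MyApp'
# Unprotect-WebConfigSection -AppPath 'C:\inetpub\wwwroot\MyApp'
```

With the default DPAPI provider the section can only be decrypted on the machine that encrypted it, so a copy of the file pulled off the server is of no use elsewhere; that is the case the comment thread below argues about. For a web farm, encrypt with RSAProtectedConfigurationProvider instead and move its key container (NetFrameworkConfigurationKey by default) with `aspnet_regiis -px <container> keys.xml -pri` on the source server and `aspnet_regiis -pi <container> keys.xml` on each target, then grant the application pool identity read access with `aspnet_regiis -pa <container> "<account>"`.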
Now if you’ll excuse me, I need to share this tool with #EpicFailVendor. I dunno about the rest of you, but enough is enough! I’ve had it with these monkey fighting vendors not encrypting their Monday to Friday web.configs!
Mandatory Disclaimer: This program is certified as ‘Works On My Machine’ – The author makes no warranties about how it might behave in your environment (but most likely you have nothing to worry about).
Downloads
Download Nkrypt.exe (Web.config Encryption Tool)
Download Nkrypt.zip (Source Code)
After posting this article I got an interesting response from another person that web.config encryption is ‘pointless’ — I thought it was interesting enough to do a follow up blog post about it.
Encrypt Your Web.config, Please « Yet Another WebDev Blog…
Thank you for submitting this cool story – Trackback from DotNetShoutout…
DotNetShoutout
July 16, 2009 at 6:24 am
[…] the Web to Move On The Game Crafter – Your game REALIZED – Home Fair Use Evaluator Encrypt Your Web.config, Please Yet Another WebDev Blog How to Recharge the Air Conditioner in a Car – wikiHow Software Updates: Courgette […]
All Teched Up « Caintech.co.uk
July 16, 2009 at 5:56 pm
[…] Encrypt Your Web.config, Please – ‘Yet Another WebDev Blog’ shares a neat utility which makes it much easier to encrypt your web.config files […]
Reflective Perspective - Chris Alcock » The Morning Brew #392
July 17, 2009 at 2:41 am
[…] Encrypt Your Web.config, Please « Yet Another WebDev Blog […]
Daily Links for Friday, July 17th, 2009
July 17, 2009 at 6:41 am
[…] Encrypt Your Web.config, Please If you follow me on Twitter you may notice me talk about #BadVendor from time to time. Actually, they were recently […] […]
Top Posts « WordPress.com
July 17, 2009 at 7:20 pm
Network Solutions will not entertain the encryption of web.config. This is their response to a recent inquiry on encrypting web.config:
“It is not possible to encrypt the web.config file on our servers, but our servers are configured so that the web.config file is not viewable to Web users (i.e. http://www.domain.com/web.config will return an error message that the file is not accessible rather than showing the contents of the file.)”
This singular view of the threat to web.config is extremely disappointing. It’s not like their servers haven’t been compromised at the file service layer. Just a few months ago they had such an incident, and people’s pages were being injected with js code. Netsol’s windows shared hosting is yet another testament to the old adage: if you want something done right, do it yourself.
levinoire
July 21, 2009 at 2:53 pm
That’s disappointing to hear. It’s too bad that even though they have been bitten once before they still choose not to offer more security options for their customers.
If it’s any consolation, at one point while working on this project I came across some code where someone had coded their web.config to be encrypted at runtime — very impressive.
Here is one example that I had found that might help you in your hosted situation.
http://geekswithblogs.net/afeng/archive/2006/12/10/100821.aspx
webdev_hb
July 21, 2009 at 3:05 pm
Thanks for the link — I will look into the code. Looks promising.
I don’t know how Network Solutions can still believe that the file system of their web servers are secure, given that they were hacked AGAIN!!! Here’s their explanation, as well as the link to their damage control page:
http://www.careandprotect.com/
“In the ordinary course of business, Network Solutions identified unauthorized code on servers supporting some of its ecommerce merchants’ websites. The code was promptly removed, and all of the ecommerce servers are functioning properly. No servers supporting Networksolutions.com customers were affected.
After conducting an analysis with the assistance of outside experts, it was determined that the code may have been used to transfer data on certain transactions for approximately 4,343 of our more than 10,000 merchant websites to servers outside the company. The code may have captured transaction data from approximately 573,928 cardholders for certain date periods this spring. Exposure varied by merchant, but in all cases it took place sometime between March 12, 2009 and June 8, 2009. Transactions after June 8, 2009 were not exposed to the unauthorized code. Law enforcement officials have been notified and we are working closely with them on the investigation.
At this point, we have no reports or other reasons to believe that any credit card account information has been misused. Under established practice, credit card issuing companies generally will not hold our merchants’ customers liable for any fraudulent purchases made using their credit card account numbers that are reported in a timely manner to the issuer.”
levinoire
July 25, 2009 at 11:21 pm
I forgot to add the link to the Washington Post story about Network Solutions getting hacked and 573,000+ credit/debit accounts being compromised:
http://voices.washingtonpost.com/securityfix/2009/07/network_solutions_hack_comprom.html?hpid=topnews
levinoire
July 25, 2009 at 11:34 pm
This isn’t entirely NetSol’s fault. The ASP.NET security infrastructure doesn’t exactly make this easy for shared hosters. Shared servers often run at partial trust and are heavily locked down. This means:
a) it isn’t possible to run your app on the server (no RDP access).
b) WMI will be locked down so no chance of doing this remotely.
You might say that you could do this programmatically on the site, but in a partial trust environment lots of things get in the way:
a) You need to be able to create your own key on the server. Then even if you could (or your hoster provided a way)….
b) …calling ‘SectionInformation.ProtectSection’ on a section is futile because WebConfigurationManager.OpenWebConfiguration will throw a security exception when you try to read web.config (provided the shared server has been given the RegistryPermission in the partial trust policy for starters). This is because ‘OpenWebConfiguration’ does a read of the machine.config file under the bonnet and your impersonated IIS account has no read rights on this file.
So all in all it’s really MS that should be partly blamed because they haven’t made it easy.
Kev
August 26, 2009 at 5:26 pm
[…] a comment » After I released my web.config encryption utility I expected the world to transform into a Utopia of protected web.config files and happy developers. […]
Dude, For Real — Encrypt Your Web.Config « Yet Another WebDev Blog
July 22, 2009 at 10:16 pm
[…] Encrypt Your Web.config Please: A slick little tool to encrypt sections of your web.config file on your local or remote computers. Based on comments received he's posted a follow up question, and finally hammers his point home with a concrete example. […]
Weekly Web Nuggets #71 : Code Monkey Labs
July 27, 2009 at 9:02 am
I’m getting an error “Could not contact server ‘localhost'” on my XP machine, even though I’m running web sites on it.
Thanks for the app, and thanks for any help. And we do encrypt pieces of our web.config!
Michael
July 28, 2009 at 8:41 am
Are you running IIS on your XP box? Or are you using the development server included with Visual Studio?
webdev_hb
July 28, 2009 at 8:54 am
I’m running IIS.
Michael
July 28, 2009 at 10:10 pm
Forgot to mention, XP and SQL 2008.
Michael
July 30, 2009 at 10:44 am
Sorry, I meant .NET 3.5!
Michael
July 30, 2009 at 10:45 am
Hi,
I suppose I can use this to encrypt my web.config which is on shared hosting.
I am entering the information to connect to the FTP server, but it is not working.
Am I doing something wrong, or does it not work? Please reply asap.
ty
Elroy
February 16, 2010 at 1:29 pm
As far as I know you can’t encrypt a web.config file via FTP since you need to actually execute code on the server (since it writes the keys to a separate directory).
I’ve read somewhere that you can write a page that encrypts your web.config for you, but I haven’t done it myself so I couldn’t tell you much more than that. That seems like the only way you could encrypt a web.config in a hosted scenario.
hugoware
February 16, 2010 at 1:49 pm
Doing encryption is rubbish.
When we can decrypt the key programmatically, tell me how it will be useful?
If someone can get the web.config file, he can decrypt it as well.
haansi
May 4, 2010 at 2:39 am
Except the keys aren’t stored in the web.config – they are stored in a completely separate location (using different credentials if I remember correctly).
If someone has physical access to your server and full admin access, then you are correct that encryption is pointless.
However, if all they manage to do is download a copy of an encrypted web.config file then you are much better off than if they had grabbed one that was in clear text.
hugoware
May 4, 2010 at 8:33 am
I tried to run your Nkrypt tool on my local machine with Windows XP and IIS6, but the tool cannot contact the localhost. I noticed that in your code there is “root\MicrosoftIISv2”. Could this be what causes the problem?
Thanks
Anonymous
July 15, 2010 at 12:56 pm
I find that
scope = this._CreateWmiScope(@"root\MicrosoftIISv2");
scope.Connect();
creates an error of invalid namespace
when connecting to localhost
Anonymous
July 15, 2010 at 2:29 pm
Great find! Is there a better namespace to use?
hugoware
July 15, 2010 at 3:25 pm
what is the fix?
Anonymous
July 16, 2010 at 9:03 am
Hi,
I am trying to encrypt the web.config file on a web farm; how can I import the keys on the other server?
Thanks
Shashi
August 5, 2010 at 11:07 am
fsdfsdf
asdf
December 9, 2010 at 4:25 am
Please tell me how I can convert my connection string into encrypted code… tell me how I can do it.
Chetan
December 9, 2010 at 4:26 am
[…] I wouldn’t worry about it that much). There is instead a handy tool for this now at somewebguy.wordpress.com/2009/07/16/… The link in the comment above is dead; now, in the […]
asp.net - Storing connection strings in machine.config vs. storing them in web.config
March 18, 2019 at 3:07 am