Secure your web.config by encryption
In this article I explain how to encrypt web.config with the RSA encryption standard.
Impersonation tags are often compromised easily because they sit in plain text in web.config, but we can secure them with an encryption standard.
Secure your web.config by encrypting important tags
Introduction
Welcome again to a new security article, where we will discuss and demonstrate how to secure the important tags of our web.config, such as the impersonation tag with its username and password.
In this article we will see how to secure the impersonation tags in web.config.
What is impersonation?
Before securing the impersonation tags in web.config, let us see what impersonation is.
Impersonation falls under the authorization concept; authorization is the process of determining the rights of the authenticated user.
Impersonation is the technique by which the logged-in user acts as an authenticated entity. In fact, impersonation is not enabled initially, but we can turn it on in the web.config file.
In web.config we set the impersonation tag under system.web:
    <system.web>
      <identity impersonate="true" userName="Administrator" password="PASS"/>
    </system.web>
Here is the web.config.
How to secure web.config?
Now the problem comes once I have enabled impersonation in web.config: if anyone opens my web.config, they can read my password, because it is stored in plain text, and can take over my user account.
I have seen a lot of web.config files with plain-text impersonation tags.
We can secure web.config tags with an encryption standard; here we are using the RSA encryption standard.
To encrypt web.config tags, follow the process below.
1. Go to the server where you have deployed your web application.
2. Open a command prompt and navigate to the .NET Framework folder inside the Windows folder.
3. Now run the command below to encrypt the web.config tag:
    aspnet_regiis -pef system.web/identity [Physical Path of website]
Here,
aspnet_regiis: the configuration executable that helps IIS and ASP.NET configure various configuration settings.
-pef: encrypt the given web.config section.
system.web/identity: the section in web.config to which we want to apply encryption.
4. After typing the command in the command prompt, press Enter. The system executes the command and encrypts the data.
5. Open the web.config file and you can see that it is now encrypted.
6. Here we have encrypted web.config using the RSA encryption standard. All encrypted keys are stored in the RSA folder, which lives under
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto
7. The account the site runs under needs access to this key folder, so we grant it by executing the following command:
    aspnet_regiis -pa "NetFrameworkConfigurationKey" "NT Authority\Network Service"
-pa: grant access to the specified RSA key.
NetFrameworkConfigurationKey: the configuration key name.
NT Authority\Network Service: the user or group that is to be granted access to the folder.
8. Now we can browse the site and check whether it runs properly.
How to decrypt web.config?
You can decrypt a web.config file that is already encrypted. Here is the command:
    aspnet_regiis -pdf system.web/identity [Physical Path of website]
aspnet_regiis: the configuration executable that helps IIS and ASP.NET configure various configuration settings.
-pdf: decrypt the given web.config section.
system.web/identity: the section in web.config that we want to decrypt.
Likewise we can encrypt any section in web.config with the help of the above encryption command and the configuration executable.
We will learn more about ASPNET_REGIIS.EXE in my upcoming article.
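As an added example (not code from the original article), here is a small Python check that tells an encrypted section from a plain-text one: after aspnet_regiis -pef the section carries a configProtectionProvider attribute and its body is replaced by an EncryptedData element, whereas a plain-text identity tag still exposes its password attribute. The two sample configs are constructed for this example, and the list of sections and secret attributes it scans is this example's own choice.

```python
import xml.etree.ElementTree as ET

# Sections that commonly hold credentials (this example's own list; the article
# encrypts system.web/identity) and the attributes whose plain-text presence counts.
SENSITIVE_SECTIONS = ("system.web/identity", "connectionStrings")
SECRET_ATTRS = ("password", "connectionString")

# Constructed sample: the plain-text impersonation tag from the article (dummy values).
PLAINTEXT_CONFIG = """<configuration><system.web>
  <identity impersonate="true" userName="Administrator" password="PASS"/>
</system.web></configuration>"""

# Constructed sample of the same section after aspnet_regiis -pef: the provider name is
# stamped on the section and its body becomes XML Encryption elements (CipherValue shortened).
ENCRYPTED_CONFIG = """<configuration><system.web>
  <identity configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                   xmlns="http://www.w3.org/2001/04/xmlenc#">
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
          <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
          <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><KeyName>Rsa Key</KeyName></KeyInfo>
          <CipherData><CipherValue>BASE64_PLACEHOLDER</CipherValue></CipherData>
        </EncryptedKey>
      </KeyInfo>
      <CipherData><CipherValue>BASE64_PLACEHOLDER</CipherValue></CipherData>
    </EncryptedData>
  </identity>
</system.web></configuration>"""


def section_status(root, path):
    """Classify one section as 'absent', 'encrypted', 'plaintext' or 'no-secret'."""
    node = root.find(path)
    if node is None:
        return "absent"
    if node.get("configProtectionProvider"):
        return "encrypted"
    # iter() yields the section element itself first, so <identity password=...> is caught.
    if any(a in el.attrib for el in node.iter() for a in SECRET_ATTRS):
        return "plaintext"
    return "no-secret"


def audit_web_config(xml_text):
    """Map every sensitive section path to its status."""
    root = ET.fromstring(xml_text)
    return {p: section_status(root, p) for p in SENSITIVE_SECTIONS}
```

Calling audit_web_config on the two samples reports the identity section as "plaintext" before and "encrypted" after; run it over a deployed web.config to find sections that were never encrypted.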
Thanks
Thanks for giving your valuable time to this article.
Suggestions are most welcome.
Thanks
koolprasad2003