How to secure connection strings in VS? - c#

I see several others have posted this question, however, none of the solutions I've tried have fixed this yet. I have a 32-bit XP running VS 2008 and I am trying to encrypt my connection string in my web.config file.
But I am getting the error:
The configuration section '...' was not found. Failed!
The command I give it:
C:\Program Files\Microsoft Visual Studio 9.0\VC>Aspnet_regiis.exe -pe "system.we
b/AdventureWorksConnectionString2" -app "/Documents and Settings/Admin/My Docume
nts/Visual Studio 2008/Projects/AddFileToSQL2"
Also, how does -app map virtual directory? In other words the path above is the directory right below c:. Is this the correct path to use? And AddFileToSQL2 is the name of my project, although it is part of the AddFileToSQL solution.
I have this folder web shared with all of the permissions.
And the relevant part of my web.config file:
<add name="AdventureWorksConnectionString2" connectionString="Data Source=SIDEKICK;Initial Catalog=AdventureWorks;Persist Security Info=true; User ID=AdventureWorks;Password=sqlMagic"
providerName="System.Data.SqlClient" />

With DPAPI, you can only encrypt whole sections as far as I know. Thus, you cannot encrypt just your one connection string but the entire connectionStrings section. Second the -app refers to the virtual path to the application on your IIS server in which it should find the given section and config file. Thus, if your site look like this:
root
/appFoo
And you wanted to encrypt the connection strings in /appFoo you would do
aspnet_regiis -pe "connectionStrings" -app "/appFoo"
How To: Encrypt Configuration Sections in ASP.NET 2.0 Using DPAPI

Related

Encrypt .NET Web.config file for specific environment

I just learned the command to encrypt a connection string in my Web.config file.
aspnet_regiis -pe "connectionStrings" "/MyApp"
This command does encrypt Web.config. However, In my app I have a Web.config file for several environments: Web.test.config, Web.production.config, etc. Is it possible to specify which env/config file to encrypt? I tried:
aspnet_regiis -pe "connectionStrings" "/MyApp/Web.test.config"
But this did not work.
Don't use web.XXX.config because it has to be stored in your source code. You should be using environment variables (which you can still access via your existing code that reads web.config).
The environment variables can be defined on the server directly and this bypasses your problem, e.g. the production server has different connection string than UAT.

Visual Studio Online Build - web.config connection strings configSource

My project Web.config has connection strings defined in a separate file using the following construct:
<connectionStrings configSource="ConnectionStrings.config">
</connectionStrings>
This is handy when collaborating on a project or when deploying the project. However, I was unable to get the VSO Build working as it shows me the following error:
C:\Program Files
(x86)\MSBuild\14.0\bin\Microsoft.Common.CurrentVersion.targets (4105,
5) Could not copy the file
"C:\a\1\s\MyProject\ConnectionStrings.config" because it was not
found.
The connection string must be already defined in the web.config and the connection string name must be the same as the connection string name you set in Azure. Then the connection string can be updated by Azure. Refer to the description from Azure:
Connection strings work in a similar fashion, with a small additional
requirement. Remember from earlier that there is a connection string
called “example-config_db” that has been associated with the website.
If the website’s web.config file references the same connection string
in the configuration section, then Windows Azure
Web Sites will automatically update the connection string at runtime
using the value shown in the portal.
However, if Windows Azure Web Sites cannot find a connection string
with a matching name from the web.config, then the connection string
entered in the portal will only be available as an environment
variable (as shown earlier).
And
Remember though that for Windows Azure Web Sites to override a
connection string and materialize it in the .NET Framework’s
connection string configuration collection, the connection string must
already be defined in the web.config. For this example website, the
web.config has been updated as shown below:
For more information, please see this link: https://azure.microsoft.com/en-us/blog/windows-azure-web-sites-how-application-strings-and-connection-strings-work/
I know you already mark your question answered but I think I should post my solution here for anyone's having same issue.
I create a transformation for the connectionStrings section in other environment with a dummy connectionstring value like this:
<connectionStrings xdt:Transform="Replace">
<add name="Your_ConnectionString_Name" connectionString="dummy_value"
providerName="System.Data.SqlClient" />
</connectionStrings>
so that I can keep the configSource attribute in my local machine and when I deploy to other environments, I have some dummy connectionstring for Azure to replace.

setup and deployment with database

I want to create an exe of my c# windows application project. I created the exe. But my problem is that I don't know how to include database with this exe. Because now am taking backup of my database and restore this backup to the system in which I want to install my exe. Database is created in sql server2012.
In my c# code connection string set to my system server name. so if I want to install it in another system, I need to change this connection string as server name of the system in which I want to install my exe. But it is not possible in all the time. so is there any method to done all these without changing in the code? I Created the exe using install shield.
Thanks.
Normally database settings should be configurable i.e. the user sets the settings through the application UI which are then written into a configuration file. If you give the settings through a configuration file with hardcoding, the exe need not be built everytime.
For getting the existing database, your application should be coded to create a blank database if the database in the server doesn't exist. The existing data can be imported through Administrator mode od your application or manually done in the SQL Server.
The following code shows how you can store connection strings in App.config file.
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<connectionStrings>
<add name="MyDBConnectionString" providerName="System.Data.SqlClient"
connectionString="Data Source=localhost;Initial Catalog=MySQLServerDB; Integrated Security=true" />
</connectionStrings>
</configuration>
Once you have saved your connection string in App.config file you can use System.Configuration.ConfigurationManager class to read this connection string in code.
ConnectionStringSettings conSettings = ConfigurationManager.ConnectionStrings["MyDBConnectionString"];
ConnectionStringsSettings class provides properties to read connection string settings in your program as following code shows.
string name = conSettings.Name;
string providerName = conSettings.ProviderName;
string connectionString = conSettings.ConnectionString;
The above code has been taken from this link
For a detailed example check this article on CodeProject

Encrypting a web.config file and supplying the path to the file

I am encrypying my .NET config file using this command and it works just fine:
aspnet_regiis -pe "connectionStrings" -app "/SampleApplication"
For this to work though I have to have a virtual directory called SampleApplication pointing to the folder my web.config file is under.
Is there a way to just specify the path to the file and not have to have a virtual dir?
I tried with
aspnet_regiis -pe "connectionStrings" -location "c:\FoldercontainingWebConfigFile"
but i get the error: " path attribute must be a relative virtual path". And cannot contain any of ":" "\" etc...
I am looking here:
http://msdn.microsoft.com/en-us/library/k6h9cz8h%28v=vs.80%29.aspx
Is there any way to do this?
I got it with!
-pef "sectionName" "full path to directory containing web.config file"
Have a look at this tool - it loads all your IIS sites and vdirs, and lets you pick the file (and section) you want to encrypt/decrypt.

Encryption / Decryption of app.config sections using RsaProtectedConfigurationProvider

During the installation of our program we run this method to encrpyt sections of the app.config:
// Get the application configuration file.
Configuration config =
ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
// Define the Rsa provider name.
const string provider = "RsaProtectedConfigurationProvider";
// Get the section to protect.
ConfigurationSection connStrings = config.ConnectionStrings;
if (connStrings != null)
{
if (!connStrings.SectionInformation.IsProtected)
{
if (!connStrings.ElementInformation.IsLocked)
{
// Protect the section.
connStrings.SectionInformation.ProtectSection(provider);
connStrings.SectionInformation.ForceSave = true;
config.Save(ConfigurationSaveMode.Full);
}
}
}
Works fine so far. But if I run this program, we encounter of several machines the following error "Failed to decrypt using provider 'RsaProtectedConfigurationProvider'. Error message from the provider: The RSA key container could not be opened".
Of course I searched and found this help, but this doesn't work. Any ideas?
I ran into similar issues while debugging within Visual Studio 2010 on Win 7 with UAC set to it's default protection.
In order for me to get around this issue, I had to run Visual Studio as the Administrator ("Run as Administrator").
I had the same issue with trying to run the aspnet_regiis.exe to encrypt the section of my web.config. If I didn't run the commandline/console "as Administrator" I would get a commandline error that was even more cryptic: "Object already exists."
Yes.
Reason is those machines working have RsaProtectedConfigurationProvider setup in their machine.config. Those not working, don't have it - just manually add it for those machines.
I imagine that's one of the steps aspnet_regiis.exe does. I can't imagine you want to run that on all client machines.
UPDATE
OK, I have made the main part of the error in bold in your question - you are right it is a different issue. It is a security issue. If you look at the location C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys or C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys depending the operating system, you see a number of files. Your process does have access to the folder so just give files access to the whole folder for the identity of the application or a particular file (timestamp will tell you if you have created it).
I got this on an app.config that was running on a Windows Server set up as a SQL Server. It did not have IIS installed. The machine.config file listed RSAProtectedConfigurationProvider as the default, but when we looked in the two folders mentioned by Aliostad above the folders were empty.There were no keys installed. We used the aspnet_regiis tool to create a custom key. then we used it to grant access to the identity the batch job runs under. All of this was running cmd.exe and aspnet_regiis As Administrator.

Categories