Provided you follow the instructions detailed in Scott's post, you will be protected, HOWEVER as an additional level of security, you should also consider moving your database connections to trusted connections (if possible). Failing that, use Protected
Sections in your web.config and encrypt the connectionStrings element, and machineKey element.
jangwenyi
0 Points
1 Post
What if some sections of the web.config file are encrypted
Sep 18, 2010 11:53 AM|LINK
Should I worry if I have encrypted sensitive sections of my web.config file, like the database connection strings?
oracle padding
I try and update my blog with new developments in software development. Check it out at:
http://karpcom.blogspot.com
mbanavige
All-Star
134971 Points
15423 Posts
ASPInsiders
Moderator
MVP
Re: What if some sections of the web.config file are encrypted
Sep 18, 2010 12:11 PM|LINK
If you have implemented the custom errors page indicated in the advisory and in scott gu's blog article here
http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx
Then the padding oracle attack would not work against your site.
neurich
Member
166 Points
43 Posts
Re: What if some sections of the web.config file are encrypted
Sep 18, 2010 03:07 PM|LINK
Provided you follow the instructions detailed in Scott's post, you will be protected, HOWEVER as an additional level of security, you should also consider moving your database connections to trusted connections (if possible). Failing that, use Protected Sections in your web.config and encrypt the connectionStrings element, and machineKey element.
More details here:
http://msdn.microsoft.com/en-us/library/dtkwfdky.aspx
Cheers,
Rich