According to my understanding, the encrypted section, like connectionStrings, in web.config is encrypted by RSA key and you can even assign different RSA key container for different web.config. I don't think it can be decrypted directly with machine key.
Whatever files the AppPool identity has access to, if your server is compromised the assumption is that now the attacker has [at least] the same level of access as the AppPool. This part of those instructions [Execute aspnet_regiis -pa "SharedKeys" "NT AUTHORITY\NETWORK SERVICE" to grant access permission to ASP.NET web application.] implies that if the attacker has that level of access, decryption could be possible.
Bottom line is that if you have a server that has been compromised, you cannot assume anything is secured.
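The per-application key container and the -pa grant discussed above, as an added example that is not code from the thread or from Microsoft: each application gets its own RSA container, its connectionStrings are encrypted with that container, and only that application's pool identity is granted read access, so a compromise of one pool does not expose the other applications' sections. The site root, container name, provider name and app pool identity are assumed placeholders.

```powershell
# Added example, not code from the thread: give each application its own RSA key
# container, encrypt that application's connectionStrings with it, and grant read
# access on the container only to that application's pool identity.
# Assumed (placeholder) values: site root, container name, provider name, identity.
$regiis    = Join-Path $env:windir 'Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe'
$appPath   = 'C:\inetpub\wwwroot\ShopApp'          # assumed site root
$container = 'ShopAppKeys'                          # assumed container name
$identity  = 'IIS AppPool\ShopAppPool'              # assumed app pool identity
$provider  = 'ShopAppProvider'                      # assumed provider name
$config    = Join-Path $appPath 'web.config'

# Constructed sample web.config with a plaintext connection string.
@"
<?xml version="1.0"?>
<configuration>
  <configProtectedData>
    <providers>
      <add name="$provider"
           type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
           keyContainerName="$container"
           useMachineContainer="true" />
    </providers>
  </configProtectedData>
  <connectionStrings>
    <add name="Shop" connectionString="Server=db;Database=Shop;User Id=app;Password=PLACEHOLDER" />
  </connectionStrings>
</configuration>
"@ | Set-Content -Path $config -Encoding UTF8

# 1. Create a machine-level RSA key container dedicated to this application.
& $regiis -pc $container -exp

# 2. Encrypt connectionStrings with that container through the named provider.
& $regiis -pef 'connectionStrings' $appPath -prov $provider

# 3. Grant read access on the container to this app pool's identity only.
#    Other pools on the same box cannot decrypt this section even if they read the file.
& $regiis -pa $container $identity

# 4. Verify the section is now stored as EncryptedData under the expected provider.
[xml]$xml = Get-Content $config
$cs = $xml.configuration.connectionStrings
if ($cs.configProtectionProvider -ne $provider -or -not $cs.EncryptedData) {
    throw 'connectionStrings was not encrypted with the expected provider'
}
"connectionStrings encrypted with container '$container'; readable by '$identity'"
```

Run from an elevated prompt; step 3 is the grant the thread is debating, so the list of identities given -pa access is exactly the list of accounts that can decrypt the section.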
Garf.Leonard
Member
6 Points
3 Posts
Re: Question: An encrypted web.config is not actually useful: True or False?
Sep 22, 2010 08:42 PM
Then use the command aspnet_regiis -pr "[KeyName]" "NT Authority\Network Service" to remove read access to that key. It's the web.config that is compromised, not the web server.
EDIT: nevermind, you do need read access to decrypt.
Pro Tip: make sure you are using the right AppPool identity when executing the aspnet_regiis commands.