Last post Oct 15, 2013 04:21 AM by Ruchira
Oct 10, 2013 12:18 PM|rpfinnimore|LINK
In my web.config I have connection strings specifying database names, userids and passwords. I noticed that after publishing to the server I can go to the inetpub folder on the server open the web.config and can see the userid and password etc in plain
How should l go about encrypting the connection string information when publishing my site to the server? Am I right in thinking it would be common practice to do so?
If the question is dumbass please excuse I'm still a bit of a newbie...thanks in advance for any help, Roscoe
Oct 10, 2013 12:58 PM|smirnov|LINK
aspnet_regiis (from C:\Windows\Microsoft.NET\Framework\version) has few keys such as -pe, -pef to encrypt configuration sections. Using that tool you can encrypt the connectionStrings section in Web.config. Reed more at http://msdn.microsoft.com/en-us/library/ms998280.aspx
The tool has to be run directly on server and configuration will be overwritten if you publish solution once again after that. So, you either can run that tool once and do not use publish function (perform manual upload of updated files) or use the flow
You can also consider to use integration authentication, so your config will not have password and loginname, example:
connectionString="Data Source=localhost;Integrated Security=SSPI;Initial Catalog=Northwind;" />
Oct 15, 2013 04:21 AM|Ruchira|LINK
smirnov has give you a good reply on how to encrypt the sections in the web.config file.
As a side note, keep in mind that web.config file is highly secured that you usually don't need to worry about users accessing it.
Please 'Mark as Answer' if this post helps you