How To: Secure Connection Strings when Using Data Source Controls

When working with data source controls, you should centralize your connection strings by placing them in the application's Web.config file. The benefits are twofold: your data source controls can reference the connection string by name from the configuration file rather than carry the connection string as a control property, and site administration is easier because connection strings are managed in one place, so you do not need to revisit individual pages when your connection string information changes.

In this topic you'll learn how to place your connection strings within the Web.config file using Visual Studio and a data source control, and how to use the command-line utility, Aspnet_regiis.exe, to encrypt those connection strings for an added layer of security.

How to add a connection string to Web.config with a data source control

  1. Open an .aspx page in Design View in Visual Studio.

  2. From the Toolbox, from the Data folder, drag a data source control, such as a SqlDataSource control, onto the design surface.

  3. Right-click the control, and click Show Smart Tag.

  4. In the smart tag panel, click Configure Data Source.

  5. In the Choose a Data Connection panel, click New Connection.

  6. Select an appropriate data source from the list on the Choose Data Source dialog box, and then click OK.

  7. Indicate the correct server name, user name, and password on the Add Connection dialog box, and then click OK.

    You are returned to the Configure Data Source dialog box with a summary of your connection details.

  8. Click Next, and then click Yes to save your connection string in the Web.config file.

    The connection string is now stored in the Web.config file, and you can configure the query details for your control.

To encrypt connection string information stored in the Web.config file

  1. At the Windows command line, run the ASP.NET IIS registration tool (Aspnet_regiis.exe) with the following options:

    • The -pe option, passing it the string "connectionStrings" to encrypt the connectionStrings element.

    • The -app option, passing it the name of your application.

    The Aspnet_regiis.exe tool is located in the %systemroot%\Microsoft.NET\Framework\versionNumber folder.

    The following code example shows how to encrypt the connectionStrings section of the Web.config file for an application named SampleApplication.

    aspnet_regiis -pe "connectionStrings" -app "/SampleApplication"
    

    When the command has finished, you can view the contents of the Web.config file. The connectionStrings configuration section will contain encrypted information instead of a clear-text connection string, as shown in the following code example.

    <configuration>
       <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
          <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
             xmlns="http://www.w3.org/2001/04/xmlenc#">
             <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
             <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
                   <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
                   <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                      <KeyName>RSA Key
                      </KeyName>
                   </KeyInfo>
                   <CipherData>
                      <CipherValue>WcFEbDX8VyLfAsVK8g6hZVAG1674ZFc1kWH0BoazgOwdBfinhcAmQmnIn0oHtZ5tO2EXGl+dyh10giEmO9NemH4YZk+iMIln+ItcEay9CGWMXSen9UQLpcQHQqMJErZiPK4qPZaRWwqckLqriCl9X8x9OE7jKIsO2Ibapwj+1Jo=
                      </CipherValue>
                   </CipherData>
                </EncryptedKey>
             </KeyInfo>
             <CipherData>
                <CipherValue>OpWQgQbq2wBZEGYAeV8WF82yz6q5WNFIj3rcuQ8gT0MP97aO9SHIZWwNggSEi2Ywi4oMaHX9p0NaJXG76aoMR9L/WasAxEwzQz3fexFgFSrGPful/5txSPTAGcqUb1PEBVlB9CA71UXIGVCPTiwF7zYDu8sSHhWa0fNXqVHHdLQYy1DfhXS3cO61vW5e/KYmKOGA4mjqT0VZaXgb9tVeGBDhjPh5ZlrLMNfYSozeJ+m2Lsm7hnF6VvFm3fFMXa6+h0JTHeCXBdmzg/vQb0u3oejSGzB4ly+V9O0T4Yxkwn9KVDW58PHOeRT2//3iZfJfWV2NZ4e6vj4Byjf81o3JVNgRjmm9hr9blVbbT3Q8/j5zJ+TElCn6zPHvnuB70iG2KPJXqAj2GBzBk6cHq+WNebOQNWIb7dTPumuZK0yW1XDZ5gkfBuqgn8hmosTE7mCvieP9rgATf6qgLgdA6zYyVV6WDjo1qbCV807lczxa3bF5KzKaVUSq5FS1SpdZKAE6/kkr0Ps++CE=
                </CipherValue>
             </CipherData>
          </EncryptedData>
       </connectionStrings>
    </configuration>
    

    Leave the command prompt open for later steps.

  2. Determine the user account or identity under which ASP.NET runs by retrieving the current WindowsIdentity name.

    The following code example shows one way to determine the WindowsIdentity name.

    <%@ Page Language="VB" %>
    <%
    Response.Write(System.Security.Principal.WindowsIdentity.GetCurrent().Name)
    %>
    
    <%@ Page Language="C#" %>
    <%
    Response.Write(System.Security.Principal.WindowsIdentity.GetCurrent().Name);
    %>
    

    Note

    By default, on Windows Server 2003 with impersonation for an ASP.NET application disabled in the Web.config file, the identity under which the application runs is the NETWORK SERVICE account. On other versions of Windows, ASP.NET runs under the local ASPNET account.

    The user account or identity under which ASP.NET runs must have Read access to the encryption key used to encrypt and decrypt sections of the Web.config file. This procedure assumes that your Web site uses the default protected configuration provider, RsaProtectedConfigurationProvider, as specified in the Machine.config file. The RSA key container used by the default RsaProtectedConfigurationProvider is named "NetFrameworkConfigurationKey".

  3. At the command prompt, run the Aspnet_regiis.exe tool with the following options:

    • The -pa option, passing it the name of the RSA key container for the default RsaProtectedConfigurationProvider.

    • The identity of your ASP.NET application, as determined in the preceding step.

    The following code example shows how to grant the NETWORK SERVICE account access to the machine-level "NetFrameworkConfigurationKey" RSA key container.

    aspnet_regiis -pa "NetFrameworkConfigurationKey" "NT AUTHORITY\NETWORK SERVICE"
    
  4. To decrypt the encrypted Web.config file contents, run the Aspnet_regiis.exe tool with the -pd option. The syntax is the same as for encrypting Web.config file contents with the -pe option, except that you do not specify a protected configuration provider: the appropriate provider is identified by the configProtectionProvider attribute on the protected section.

    The following code example shows how to decrypt the connectionStrings element of ASP.NET application SampleApplication.

    aspnet_regiis -pd "connectionStrings" -app "/SampleApplication"
    
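As an added check that is not part of this topic or of the Aspnet_regiis.exe tool, the following Python script audits a Web.config file and reports whether its connectionStrings section is protected in the form shown in step 1 (a configProtectionProvider attribute with an xmlenc EncryptedData payload), listing any clear-text entries and flagging those that embed a password. Both sample configurations are constructed for this example.

```python
import xml.etree.ElementTree as ET

XMLENC_NS = "http://www.w3.org/2001/04/xmlenc#"

# Constructed sample Web.config contents (not from any real deployment).
CLEARTEXT_CONFIG = """<configuration>
  <connectionStrings>
    <add name="SampleDb"
         connectionString="Server=db01;Database=Sample;User ID=app;Password=hunter2"
         providerName="System.Data.SqlClient" />
  </connectionStrings>
</configuration>"""

ENCRYPTED_CONFIG = """<configuration>
  <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                   xmlns="http://www.w3.org/2001/04/xmlenc#">
      <CipherData><CipherValue>PLACEHOLDER-CIPHERTEXT</CipherValue></CipherData>
    </EncryptedData>
  </connectionStrings>
</configuration>"""


def audit_connection_strings(web_config_xml):
    """Return (is_protected, findings) for the connectionStrings section.

    is_protected is True only when the section carries a
    configProtectionProvider attribute and its payload is an xmlenc
    EncryptedData element. findings lists problems in plain text:
    a missing section, a provider attribute without a payload,
    clear-text entries, and entries whose string embeds a password.
    """
    root = ET.fromstring(web_config_xml)
    section = root.find("connectionStrings")
    if section is None:
        return False, ["no connectionStrings section in Web.config"]
    provider = section.get("configProtectionProvider")
    payload = section.find("{%s}EncryptedData" % XMLENC_NS)
    if provider and payload is not None:
        return True, []
    findings = []
    if provider and payload is None:
        findings.append("configProtectionProvider=%r set but no EncryptedData payload" % provider)
    for add in section.findall("add"):
        name = add.get("name", "<unnamed>")
        conn = add.get("connectionString", "").lower()
        findings.append("%s: connection string stored in clear text" % name)
        # Password= and Pwd= are the SqlClient keywords that carry the secret.
        if "password=" in conn or "pwd=" in conn:
            findings.append("%s: clear-text connection string contains a password" % name)
    return False, findings
```

Run it against a deployed Web.config before and after the -pe step to confirm the section was actually encrypted rather than only reformatted.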

See Also

Other Resources

Encrypting Configuration Information Using Protected Configuration