Avoid plain text passwords in configuration files

From Guidance Share

- J.D. Meier, Alex Mackman, Michael Dunner, Srinath Vasireddy, Ray Escamilla and Anandha Murukan

The <processModel>, <sessionState>, and <identity> elements in Machine.config and Web.config have userName and password attributes. Do not store these in plaintext. Store encrypted credentials in the registry using the Aspnet_setreg.exe tool.

For more information about encrypting credentials in configuration files and about Aspnet_setreg.exe, see Chapter 19, "Securing Your ASP.NET Application and Web Services," at http://msdn.microsoft.com/library/en-us/dnnetsec/html/THCMCh19.asp

Note: In ASP.NET 2.0, you can use the Protected Configuration feature to encrypt individual configuration sections and so protect the sensitive data they contain. For more information on using Protected Configuration in ASP.NET 2.0, see "How To: Encrypt Configuration Sections in ASP.NET 2.0 Using DPAPI" at http://msdn.microsoft.com/library/en-us/dnpag2/html/PAGHT000005.asp and "How To: Encrypt Configuration Sections in ASP.NET 2.0 Using RSA" at http://msdn.microsoft.com/library/en-us/dnpag2/html/PAGHT000006.asp
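A configuration check that applies this guidance, written as an added example rather than code from the guidance or from Microsoft: it parses a Web.config and reports userName/password attributes on the three elements named above that still hold a literal value, while accepting the two protected forms the page describes, an Aspnet_setreg.exe "registry:" reference and a section encrypted with Protected Configuration (recognised here by its configProtectionProvider attribute). The sample Web.config, registry key path and provider name are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Elements the guidance names as carrying userName and password attributes.
CREDENTIAL_ELEMENTS = ("processModel", "sessionState", "identity")
CREDENTIAL_ATTRIBUTES = ("userName", "password")


def is_registry_reference(value: str) -> bool:
    """True when the attribute points at credentials stored by Aspnet_setreg.exe
    (a 'registry:' reference) instead of holding the secret itself."""
    return value.strip().lower().startswith("registry:")


def find_plaintext_credentials(config_xml: str) -> list:
    """Return (element, attribute) pairs whose value is a literal credential.

    A section encrypted with ASP.NET 2.0 Protected Configuration carries a
    configProtectionProvider attribute and only ciphertext below it, so it is
    skipped. Empty attributes and 'registry:' references are skipped as well.
    """
    root = ET.fromstring(config_xml)
    findings = []
    for elem in root.iter():
        if elem.tag not in CREDENTIAL_ELEMENTS:
            continue
        if elem.get("configProtectionProvider") is not None:
            continue  # encrypted section, nothing readable here
        for attr in CREDENTIAL_ATTRIBUTES:
            value = elem.get(attr)
            if value and not is_registry_reference(value):
                findings.append((elem.tag, attr))
    return findings


# Constructed sample, not a real deployment: one plaintext <identity>, one
# <processModel> that references Aspnet_setreg.exe-stored credentials, and one
# <sessionState> encrypted with the DPAPI Protected Configuration provider.
SAMPLE_WEB_CONFIG = r"""<configuration>
  <system.web>
    <identity impersonate="true" userName="CORP\svc_web" password="P@ssw0rd!" />
    <processModel userName="registry:HKLM\SOFTWARE\MyApp\identity\ASPNET_SETREG,userName"
                  password="registry:HKLM\SOFTWARE\MyApp\identity\ASPNET_SETREG,password" />
    <sessionState configProtectionProvider="DataProtectionConfigurationProvider">
      <EncryptedData><CipherData><CipherValue>BASE64-CIPHERTEXT-PLACEHOLDER</CipherValue></CipherData></EncryptedData>
    </sessionState>
  </system.web>
</configuration>
"""

if __name__ == "__main__":
    for element, attribute in find_plaintext_credentials(SAMPLE_WEB_CONFIG):
        print(f"plaintext credential: <{element} {attribute}=...>")
```

Run against the sample, only the <identity> element is reported; the processModel registry references and the encrypted sessionState section pass.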
