Securing app.config / web.config

Hi all, I'm developing a web application with VS2005 and I've reached
the point where I have do deploy it to some servers and thus secure
sensible information stored in the web.config file ... you're right!
connectionstrings!!!

Well, I've tried aspnet_iisreg with RSA provider,and the public/
private key container and it's cool and it's transparent for the
developer... but I think that there is something that I'm missing
because if someone knows about aspnet_iisreg ... they can easily
decrypt my web config at the deploy server and watch contents. There
is an option when you export RSA keys to include only public keys, but
it would only allow to encrypt and not to decrypt.

What I really would like to know : if there is a way to secure data
inside a web.config or app.config as well, so decryption is only
available to the application itself?. I guess that the way must be to
keep that keys safeley somewhere somehow ... does VS2005 provide a
standard way to do that?

Thanks in advance for any kind of help.

Regards,
Pablo.

No - there is no way. If someone gets access to the server in a way that
he can execute commands - there cannot be a protection.

But executing commands on a server and viewing file contents remotely is
a totally different thing. The former is _much_ harder.

-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

Quote:

Hi all, I'm developing a web application with VS2005 and I've reached
the point where I have do deploy it to some servers and thus secure
sensible information stored in the web.config file ... you're right!
connectionstrings!!!

Well, I've tried aspnet_iisreg with RSA provider,and the public/
private key container and it's cool and it's transparent for the
developer... but I think that there is something that I'm missing
because if someone knows about aspnet_iisreg ... they can easily
decrypt my web config at the deploy server and watch contents. There
is an option when you export RSA keys to include only public keys, but
it would only allow to encrypt and not to decrypt.

What I really would like to know : if there is a way to secure data
inside a web.config or app.config as well, so decryption is only
available to the application itself?. I guess that the way must be to
keep that keys safeley somewhere somehow ... does VS2005 provide a
standard way to do that?

Thanks in advance for any kind of help.

Regards,
Pablo.