Difference between revisions of "Encrypting the web.config"

From
Jump to: navigation, search
(Created page with " == [[|<span style="font-size:12.0pt" lang="EN-US"><span style="line-height:115%">Completing the Process</span></span>]] == == <span style="font-size:10.0pt" lang="EN-US"><sp...")
 
 
(4 intermediate revisions by the same user not shown)
Line 1: Line 1:
  
== [[|<span style="font-size:12.0pt" lang="EN-US"><span style="line-height:115%">Completing the Process</span></span>]] ==
+
== Overview ==
  
== <span style="font-size:10.0pt" lang="EN-US"><span style="line-height:115%">As the web.config contains sensitive information, it is important that it is encrypted.</span></span> ==
+
<br/> As the web.config contains sensitive information, it is important that it is encrypted.
  
<span style="font-size:10.0pt" lang="EN-US"><span style="line-height:115%">The encryption should only occur once the validation of the application has been completed, as the encryption process is not easily reversible.</span></span>
+
The encryption should only occur once the validation of the application has been completed, as the encryption process is not easily reversible.
  
<span style="font-size:10.0pt" lang="EN-US"><span style="line-height:112%">Make a backup of the web.config</span></span>
+
The process below describes the process to encrypt with a machine-specific key where each server instance will have its own encrypted copy of the configuration file.
  
<span style="font-size:10.0pt" lang="EN-US"><span style="line-height:115%">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Copy the web.config into a secure location.&nbsp; You must ensure that the password and any other information that is sensitive be extracted.&nbsp; This allows the administrator to make configuration changes in the future and provides a starting point.</span></span>
+
== Make a backup of the web.config ==
  
== Prepare the Web.Config ==
+
Copy the web.config into a secure location.&nbsp; You must ensure that the password and any other information that is sensitive be extracted.&nbsp; This allows the administrator to make configuration changes in the future and provides a starting point.
 +
 
 +
== <br/> Prepare the Web.Config ==
  
 
One line in the web.config has to be temporarily commented.
 
One line in the web.config has to be temporarily commented.
 
+
<pre><section name="STSSettings" type="LiteSTS.Common.Configuration.STSConfig"/></pre>
&nbsp;&nbsp;&nbsp; <section name="STSSettings" type="LiteSTS.Common.Configuration.STSConfig"/>
 
  
 
should be changed to
 
should be changed to
 
+
<pre><!-- <section name="STSSettings" type="LiteSTS.Common.Configuration.STSConfig"/> --></pre>
&nbsp; <!--&#160; <section name="STSSettings" type="LiteSTS.Common.Configuration.STSConfig"/> -->
 
  
 
&nbsp;
 
&nbsp;
  
=== <span style="font-size:10.0pt" lang="EN-US"><span style="line-height:112%">Encrypt the web.config</span></span> ===
+
== Encrypt the web.config ==
  
<span style="font-size:10.0pt" lang="EN-US"><span style="line-height:115%">Open the command prompt as an administrator.</span></span>
+
<br/> Open the command prompt as an administrator.
  
<span style="font-size:10.0pt" lang="EN-US"><span style="line-height:115%">Navigate to "</span></span><span style="font-size:10.0pt" lang="EN-US"><span style="line-height:115%">C:\Windows\Microsoft.NET\Framework\v4.0.30319";&nbsp; e.g. "cd C:\Windows\Microsoft.NET\Framework\v4.0.30319"</span></span>
+
Navigate to "C:\Windows\Microsoft.NET\Framework\v4.0.30319";&nbsp; e.g. "cd C:\Windows\Microsoft.NET\Framework\v4.0.30319"
  
<span style="font-size:10.0pt" lang="EN-US"><span style="line-height:115%">Run the following command and change it to reflect the actual location of the web application:</span></span>
+
Run the following command and change it to reflect the actual location of the web application:
  
<span style="font-size:10.0pt" lang="EN-US"><span style="line-height:115%">aspnet_regiis.exe -pef STSSettings "D:\orbital-lite"</span></span>
+
aspnet_regiis.exe -pef STSSettings "D:\orbital-lite"
  
=== <span style="font-size:10.0pt" lang="EN-US"><span style="line-height:112%">Verify the encryption of the web.config</span></span> ===
+
== <br/> Verify the encryption of the web.config ==
  
<span style="font-size:10.0pt" lang="EN-US"><span style="line-height:115%">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Confirm that no sensitive data remains in the web.config</span></span>
+
Confirm that no sensitive data remains in the web.config
  
 
== Finalize the Web.Config ==
 
== Finalize the Web.Config ==
  
 
We need to change back the line that was previously commented.
 
We need to change back the line that was previously commented.
 
+
<pre><!-- <section name="STSSettings" type="LiteSTS.Common.Configuration.STSConfig"/> --></pre>
&nbsp; <!--&#160; <section name="STSSettings" type="LiteSTS.Common.Configuration.STSConfig"/> -->
 
  
 
should be changed back to
 
should be changed back to
 +
<pre><section name="STSSettings" type="LiteSTS.Common.Configuration.STSConfig"/></pre>
  
&nbsp;&nbsp;&nbsp; <section name="STSSettings" type="LiteSTS.Common.Configuration.STSConfig"/>
+
== Test the application ==
  
== <span style="font-size:10.0pt" lang="EN-US"><span style="line-height:112%">Test the application</span></span> ==
+
== Ensure that the application is operating as expected. ==
  
== <span style="font-size:10.0pt" lang="EN-US"><span style="line-height:115%">Ensure that the application is operating as expected.</span></span> ==
+
&nbsp;

Latest revision as of 19:42, 16 January 2020

Overview


As the web.config contains sensitive information, it is important that it is encrypted.

The encryption should only occur once the validation of the application has been completed, as the encryption process is not easily reversible.

The process below describes the process to encrypt with a machine-specific key where each server instance will have its own encrypted copy of the configuration file.

Make a backup of the web.config

Copy the web.config into a secure location.  You must ensure that the password and any other information that is sensitive be extracted.  This allows the administrator to make configuration changes in the future and provides a starting point.


Prepare the Web.Config

One line in the web.config has to be temporarily commented.

<section name="STSSettings" type="LiteSTS.Common.Configuration.STSConfig"/>

should be changed to

<!-- <section name="STSSettings" type="LiteSTS.Common.Configuration.STSConfig"/> -->

 

Encrypt the web.config


Open the command prompt as an administrator.

Navigate to "C:\Windows\Microsoft.NET\Framework\v4.0.30319";  e.g. "cd C:\Windows\Microsoft.NET\Framework\v4.0.30319"

Run the following command and change it to reflect the actual location of the web application:

aspnet_regiis.exe -pef STSSettings "D:\orbital-lite"


Verify the encryption of the web.config

Confirm that no sensitive data remains in the web.config

Finalize the Web.Config

We need to change back the line that was previously commented.

<!-- <section name="STSSettings" type="LiteSTS.Common.Configuration.STSConfig"/> -->

should be changed back to

<section name="STSSettings" type="LiteSTS.Common.Configuration.STSConfig"/>

Test the application

Ensure that the application is operating as expected.