Friday, February 06, 2004
How to encrypt UserName and Password in ProcessModel element in machine.config
http://radio.weblogs.com/0118356/2003/05/17.html
Security Note: If you do not set a restrictive ACL on the machine.config file, putting your userid and password in cleartext allows anyone to see your password. Even if you set a restrictive ACL, all users in the Administrators group will still be able to see it.
My resolution to the above Security Note was the following. Use the aspnet_setreg.exe utility to store an encrypted version of my account userid and password in the registry with the following command:
aspnet_setreg.exe -k:SOFTWARE\MY_SECURE_APP\processModel -u:"YourUserName" -p:"YourPassword"
Then modify the processModel as follows to point it to the registry:
<processModel
userName="registry:HKLM\SOFTWARE\MY_SECURE_APP\processModel\ASPNET_SETREG,userName"
password="registry:HKLM\SOFTWARE\MY_SECURE_APP\processModel\ASPNET_SETREG,password"
...... />
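To confirm that a machine.config really follows the steps above, the check below classifies each processModel credential as a registry reference, a built-in default, or cleartext, and verifies that a referenced registry value exists. It is an added example, not part of the original post: the function name Get-ProcessModelCredentialStatus is hypothetical, the sample XML is constructed, and the list of built-in default values assumes ASP.NET 1.x defaults.

```powershell
# Constructed sample: userName points at the registry, password is still cleartext.
$sample = [xml]@'
<configuration>
  <system.web>
    <processModel enable="true"
      userName="registry:HKLM\SOFTWARE\MY_SECURE_APP\processModel\ASPNET_SETREG,userName"
      password="Example-Cleartext-Value" />
  </system.web>
</configuration>
'@

function Get-ProcessModelCredentialStatus {
    param([Parameter(Mandatory)][xml]$Config)

    $pm = $Config.SelectSingleNode('/configuration/system.web/processModel')
    if ($null -eq $pm) { return }

    foreach ($name in 'userName', 'password') {
        $value  = $pm.GetAttribute($name)   # empty string when the attribute is absent
        $status = 'Cleartext'
        $found  = $null

        # Assumed ASP.NET 1.x built-in values that are not real secrets.
        if ($value -in '', 'machine', 'SYSTEM', 'AutoGenerate') {
            $status = 'BuiltInDefault'
        }
        elseif ($value -match '^registry:HKLM\\(?<key>.+),(?<val>\w+)$') {
            $status = 'RegistryReference'
            $path   = "HKLM:\$($Matches.key)"
            # The reference is only useful if aspnet_setreg.exe actually wrote the value.
            $found  = (Test-Path $path) -and ($null -ne
                (Get-ItemProperty -Path $path -Name $Matches.val -ErrorAction SilentlyContinue))
        }

        # The attribute value itself is never emitted, so the report is safe to log.
        [pscustomobject]@{
            Attribute          = $name
            Status             = $status
            RegistryValueFound = $found
        }
    }
}

# To audit a server, load its file instead: [xml](Get-Content <path to machine.config>)
Get-ProcessModelCredentialStatus -Config $sample | Format-Table -AutoSize
```

Any row with Status Cleartext, or a RegistryReference whose RegistryValueFound is False, means the configuration does not match the setup described above.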