39.4. Encrypting Connection Strings
Although best practices state that you should use Windows authentication and integrated security wherever possible, this is not always the case; sometimes you have to resort to specifying a user ID and password in a connection string. It is recommended that this information not be hard-coded into your application, because it can easily be extracted from the assembly. As such, this information needs to be either specified by the users each time they use the system, or added to the connection string in the configuration file. The upshot of this is that you need a mechanism for encrypting configuration sections.
This walkthrough shows you how to encrypt a section of a configuration file for a web application, StagingWebsite, which has a web.config file as follows:
<?xml version="1.0"?>
<configuration>
<connectionStrings>
<add name="AdventureWorksConnectionString" connectionString="Data Source=
.\sqlexpress;Initial Catalog=AdventureWorks;Integrated Security=True"
providerName="System.Data.SqlClient" />
</connectionStrings>
<!--
...
-->
</configuration>
Using the command prompt, execute the following commands in sequence, replacing UserName with the name of the account that the web application will run as (for example, the AspNet account):
cd\WINDOWS\Microsoft.NET\Framework\v2.0.50739
aspnet_regiis -pa "NetFrameworkConfigurationKey" "UserName"
aspnet_regiis -pe "connectionStrings"-app "/StagingWebsite"
Executing these commands modifies the web.config ...
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.
Read now
Unlock full access