BenkoBLOG : Security

Encrypting the Web.config in VB

benko — Wed, 16 Apr 2008 20:45:00 GMT

I got a request for how to do the encryption of the web.config but this time in VB, so I thought I'd post it here on the blog as well. The logic is about the same, although I found that in VB I had to add a line to the configuration to save the new settings. The code for this in vb.net (adding to the global.asax file in the "Session_Start" subroutine:

Sub Session_Start(ByVal sender As Object, ByVal e As EventArgs)

    ' Code that runs when a new session is started

    EncryptSection("appSettings")

End Sub

Private Sub EncryptSection(ByVal sSection As String)

    Dim config As Configuration = System.Web.Configuration.WebConfigurationManager.OpenWebConfiguration(Context.Request.ApplicationPath)

    Dim configSection As ConfigurationSection = config.GetSection(sSection)

    If configSection.SectionInformation.IsProtected = False Then

        configSection.SectionInformation.ProtectSection("DataProtectionConfigurationProvider")

        config.Save()

    End If

End Sub

How to encrypt the Web.Config

benko — Fri, 11 Apr 2008 20:23:00 GMT

In the security session we did I showed in one of the sample how you can encrypt the web.config file by adding code to the global.asax file. The cool part of this is that using this technique you can secure application specific settings like connection strings and other data in the unlikely event that someone is able to get a copy of the configuration file (like by copying it to a thumb drive from the host machine or something similar).

The basic logic is to create a variable that points to a configuration section, then checking that the section is protected (i.e. encrypted). If it isn't, then call the ProtectSection method to encrypt the contents. The server uses the local DPAPI (Data Protection API) to encrypt the configuration section with a machine specific key, so only that machine can decrypt the contents. The code for this is:

    public class Global : System.Web.HttpApplication
    {
        protected void Session_Start(object sender, EventArgs e)
        {
            EncryptSection("appSettings");
        }


        private void EncryptSection(string sSection)
        {
            Configuration config = System.Web.Configuration
                                   .WebConfigurationManager
                                  .OpenWebConfiguration
                             (Context.Request.ApplicationPath);

            ConfigurationSection configSection =
                               config.GetSection(sSection);

            if (!configSection.SectionInformation.IsProtected)
            {
               configSection.SectionInformation.ProtectSection
                         ("DataProtectionConfigurationProvider");
                config.Save();
            }
        }

Happy Coding!

MSDN Security Session Links

benko — Thu, 17 Jan 2008 10:04:41 GMT

Technorati Tags: MSDN

MSDN Events is back! It's a new year and this week I'm back on the road delivering MSDN events again. The topics we're covering include ASP.NET Membership, IIS 7.0 and Hacker Tricks...we show how the exploits work and what you can do to prevent them. In the presentation we've got a number of links to more information and to make it easier I'm including those links here for easy access.

These links include the following:

IIS 7.0 - What's new for developers

iis.net - Introduction to IIS 7 Architecture

iis.net - IIS7 Configuration Reference

MSDN - Hosting in Windows Process Activation Service

iis.net - Your Web Platform Security

iis.net - Configuring the IIS7 Runtime

Mike Volodarsky Blog - Developing IIS7 web server features with the .NET framework

ASP.NET Provider Model

MSDN - Provider Model Design Pattern and Specification, Part 1

MSDN - Microsoft ASP.NET 2.0 Providers: Introduction

MSDN - ASP.NET Login Controls Overview

MSDN - Web Site Administration Tool Overview

MSDN Mag - Client-Side Web Service Calls with AJAX Extensions

MSDN - Client Application Services

AdventureWorksLT Sample Database

MySQL Connector - NET 5.1

Security Hacks

Anti-XSS Library v1.5 Download

www.Fiddler2.com

www.HelloSecureWorld.com

Open Source Web Application Project - Top 10 Exploits 2007

Exploit: Cross Site Scripting - Paypal

Exploit: SQL Injection - www.ri.gov

Exploit: Cross Site Scripting - FTD

Exploit: Insecure Direct Object Reference - Cahoots

Exploit: Integer Overflow - Apple

Some CardSpace resources

benko — Mon, 18 Jun 2007 09:33:00 GMT

here's some links about cardspace:

CardSpace resources

benko — Thu, 26 Apr 2007 08:21:24 GMT

I had the opportunity and privilege yesterday to visit Eugene Oregon and present the MSDN event there. This quarter we're covering the 4^th pillar of .NET 3.0 – CardSpace (the other 3 are Windows Presentation Foundation, Communication Foundation, and WorkFlow). There were lots of great questions and interest in the topic, with many questions about what it is and how it works.

One that struck me that I've asked myself is "How do I use CardSpace with ASP.NET 2.0's Membership provider?" Basically what you need to do is to provide a way to associate the CardSpace card with a user in the system. This can be accomplished by adding to the schema generated by the default SQL Membership Provider in SQL Server (the aspnetdb.mdb file automatically added). We add a table to hold the PPID of the card and the UserId for the specific user, and then alter some stored procedures to work with it. A great resource for this is Kevin Hammond's blog posting of a video that shows this being done. Rather than repeat that here I thought I'd give you the link (and a few more for good measure!)

http://www.casadehambone.com/howtousewindowscardspacewithaspnetformsauthentication.aspx

http://cardspace.netfx3.com

http://identityblog.com

http://perpetual-motion.com

Another question is what happens to Passport with the advent of CardSpace? That one is easy, they're different things and fit different purposes. Where Passport is an Identity Provider complete with a data store of lots of identity information; CardSpace is an Identity Selector. That means that CardSpace is a way we can link a card on your machine to a passport account.

On Thursday I'll be in Portland, so if you happen to be browsing this before then and stop by to say hi, let me know. I'd love to hear from you!

Happy Coding!