6- Securing Configuration Settings
I am going to show you a security risk with this application setting
and then I will explain how to address these issues
but before we are getting into the details
I want to emphasize this approach has complexity
And I would recommend using it only if you are working on a project
where security is a big concern
otherwise keep things simple
so what is wrong here?
we are storing this FacebookAppSecret as plaintext
also, in the connection string section we don't currently have a username and password
but in most real world applications we would most likely have a username and password here
when we check this code into our source control repository
these secrets are visible to anyone
who has access to that repository
and this is especially a big concern if you are using a public repository
such as the one on Github
so we need to exclude this secret from source control
instead every developer will have them on their machine
and when a new developer joins the team
someone in the team will send him the secret
internally
ok, now let me show you the steps
in solution explorer
right click a project and add new item
in the templates on the web
we select web configuration file
give it a name: AppSettings.config
and make sure to select config here
don't use xml
because by default IIS does not serve configuration files
now we delete everything here
go back to web.config
select appSettings, cut
and paste in AppSettings.config
save, now back in web.config
we add appSettings again
but this time we set the attribute configSource
and here we specify the name of the external file AppSettings.config
now from source control management perspective
we can exclude this file AppSettings.config from source control
and this will prevent the issue I talked about
but again do this only if you are using a public repo
if you are using an internal repo and only a few people have read access to the repo
you don't really need to do this
unless you are working on a project where security is a big concern
and by the way you can repeat the exact same steps
with the connection string
so you create a separate file, move all connection strings there
and then set configSource here
now in terms of deployment when we deploy our app using the publish wizard
these external config files will also be deployed with web.config
now there is another risk here
on the target web server
these config files include our secrets in plain text
so if the hacker gets access to the server
he or she can find all the secrets and get even more access
potentially they can get full access to the DB
and read a lot of private data
or just execute a script to mess up the data
to prevent this, we need to encrypt these files
now I am going to show you a simplified version of this process
so you see how everything works
but in reality there is a complication to this and I will explain that later
so let me show you the workflow
let's say you are ready to deploy your application
first we go to publish wizard
and deploy to the file system
so currently you see I am deploying to C: drive in the deploy folder
publish
now before uploading these files to our web server, we need to encrypt our settings
so we search for Visual Studio tools
open this
here we have Developer Command Prompt for VS2013
right click and run as admin
otherwise it is not gonna work
here we are gonna use one of these tools with .NET Framework
aspnet_regiis
we provide a switch -pef and this is for encrypting the setting
now, we want to encrypt the "appSettings" section in web.config
now in real world you would repeat the same step with connection string as well
next we specify where our files are located "C:\deploy"
so our web.config is here
and now for demo I will supply a provider
-prov "DataProtectionConfigurationProvider"
with this provider only the machine that encrypts our web.config is the one that can decrypt it
this doesn't work in your workflow because
you are going to encrypt this web.config on your build machine
and to deploy to a different machine
then you would use a different provider called RSA
and for that to work, you need to create a digital certificate
and share it within this machine
and any machine with this certificate can share this file
but again this is really beyond the scope of this course
so basically with this command
you are telling the framework
encrypt the appSettings section in web.config
if the appSettings section has the settings internally
it will be encrypted there, otherwise
if they are stored in an external file
this external file, in this case AppSettings.config will be encrypted
let me show you the app
so here my deploy folder
I am gonna open up this AppSettings.config
look, this is the output
so if anyone gets access to this webserver
they cannot extract our secret here
now even though our appSettings is encrypted, the ASP.NET MVC runtime can decrypt it and extract the value
now let me show you how to decrypt it
so back here I am gonna bring up the last command (dev Command Prompt)
and remove the provider
and then change -pef to -pdf
succeeded
back to VS
and here is our setting
so this was the workflow
you publish to the file system
then you use aspnet_regiis to encrypt appSettings and connectionStrings
but as you see this is manual and time consuming
so in a real world project where you need that level of security
you need to implement build automation
you would create a script using tools like PowerShell that publish the project to the file system
and then encrypt appSettings and connectionStrings
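
The build automation described above, sketched as an added example (not part of the original video): it publishes to the file system, runs `aspnet_regiis -pef` for each section, and stops if any section is still plaintext. The project path, publish profile name and the 64-bit .NET 4.x tool path are assumptions; with `DataProtectionConfigurationProvider` the script has to run on the machine that will host the app.

```powershell
# Added example, not from the course. Run from an elevated prompt with msbuild on PATH.
param(
    [string]$Project        = '.\MyApp\MyApp.csproj',  # hypothetical project path
    [string]$PublishProfile = 'FolderProfile',         # hypothetical profile that publishes to $DeployDir
    [string]$DeployDir      = 'C:\deploy',
    [string]$Provider       = 'DataProtectionConfigurationProvider',  # machine-bound, as in the demo
    [string[]]$Sections     = @('appSettings', 'connectionStrings')
)
$ErrorActionPreference = 'Stop'
# Assumed location of the 64-bit .NET 4.x tool; adjust for your framework version.
$regiis = Join-Path $env:WINDIR 'Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe'

# True only if the section (in web.config or its configSource file) holds EncryptedData.
function Test-SectionEncrypted([string]$Dir, [string]$Section) {
    [xml]$web = Get-Content -Raw (Join-Path $Dir 'web.config')
    $node = $web.DocumentElement.SelectSingleNode($Section)
    if (-not $node) { return $false }
    $external = $node.GetAttribute('configSource')
    if ($external) {
        # Settings live in an external file (e.g. AppSettings.config); inspect that instead.
        [xml]$ext = Get-Content -Raw (Join-Path $Dir $external)
        $node = $ext.DocumentElement
    }
    return [bool]($node.ChildNodes | Where-Object { $_.LocalName -eq 'EncryptedData' })
}

# aspnet_regiis needs an elevated session.
$me = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $me.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script as administrator.'
}

# 1. Publish to the file system.
& msbuild $Project /p:DeployOnBuild=true "/p:PublishProfile=$PublishProfile" /p:Configuration=Release
if ($LASTEXITCODE -ne 0) { throw "Publish failed (exit code $LASTEXITCODE)." }

# 2. Encrypt each section, and refuse to continue if any plaintext remains.
foreach ($section in $Sections) {
    & $regiis -pef $section $DeployDir -prov $Provider
    if (-not (Test-SectionEncrypted $DeployDir $section)) {
        throw "Section '$section' in $DeployDir is not encrypted; do not upload."
    }
}
Write-Host "Encrypted: $($Sections -join ', '). $DeployDir is ready to upload."
```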