6- Securing Configuration Settings

I am going to show you a security risk with this application setting and then I will explain how to address these issues but before we are getting into the details I want to emphasize this approach has complexity And I would recommend to use it only of you are working on a project where security is a big concern otherwise keep things simple so what is wrong here? we are storing this FacebookAppSecret as plaintext also, in the connection string session we don't currently have a username password but in most real world application we would most likely to have a username and password here when we check this code into our source control repository these secrets are visiable to anyone who has access to that repository and this is especially a big concern if you are using a public repository such as the one on Github so we need to exclude this secret from source control instead every developer will have them on there machine and when a new developer joins the team someone in the team will send him the secret internally ok, now let me show you the steps in solution explorer right click a project and add new item in the templates on the web we select web configuration file give it a name: AppSetting.config and make sure to select config here don't use xml because by default IIS does not serve as configuration file now we delete everything here go back to web.config select AppSetting, cut and paste in AppSettings.config save, now back in web.config we add appSetting again but this time we set the attribute configSource and here we specify the name of the external file AppSettings.config now from source control management perspective we can exclude this file AppSetting.config from source control and this will prevent the issue I talked about but again do this only if you are using a public repo if you are using a internal repo and only a few people have read access to the repo you don't really need to do this unless you are working on a project where security is a big concern and by the way you can repeat the exact same steps with the connection string so you create a seperate file, move all connection string there and then set configSource here now in term of deployment when we deploy our app using the publish wizard these external config files will also be deployed with web.config now there is another risks here on the target webServer these config files include our secret in plain texts so if the hacker gets access to the server he or she can find all the secrets and get even more access potentially they can get full access to the DB and read a lot of private data or just execute a script to mess up the data to prevent this, we need to encript these files now I am going to show you a simplified version of this process so you see how everything works but in reality there is a complication to this and I will explain that later so let me show you the workflow let say you are ready to deploy your application first we go to publish wizard and deploy to the file system so currently you see I am deploying to C: drive in the deploy folder publish now before uploading this file to our webserver, we need to encript our setting so we search for Visual Studio tools open this here we have Developer Command Prompt for VS2013 right click and tun as admin otherwise it is not gonna work here we gonna use one of these tools with .NET Framework aspnet_regiis we provide a switch -pef and this is for encripting the setting now, we want to encript "appSettings" session in web.config now in real world you would repeat the same step with connection string as well next we specify where our files are located "C:\deploy" so our web.config is here and now for demo I will supply a provider -prov "DataProtexttionConfigurationProvider" with this provider only the machine that enscripts our web.config is the one that can descript it this doesn't work in your workflow because you are going to encript this web.config on your build machine and to deploy to a different machine then you would use a different provider called RSA and for that to work, you need to create a digital certificate and share it within this machine and any machine with this certificate can share this file but again this is really beyond the scope of this course so basically with this command you are telling the framework enscript appSetting section in web.config if appSetting section has the settings internally it will be encripted there, otherwise if they are stored in an external file this external file, in this case AppSetting.config will be encripted let me show you the app so here my deploy folder I am gonna open up this appsetting.config look, this is the output so if anyone gets access to this webserver they can not extract our secret here now even tho our AppSetting is encripted, Asp.net mvc runtime can descript it and extract the value now let me show you how to descript it so back here I am gonna bring up the last command (dev Command Prompt) and remove the provider and then change pef to pdf succeded back to VS and here is our setting so this was the workflow you publish to the file system then you use ASPnet regiis to encript appSetting and connectionString but as you see this is manual and time consuming so in a real world project where you need that level of security you need to implement build automation you would create a script using tools like PowerShell that publish the project to the file system and then encript AppSetting and connectionString