INFO: Usage of Strong Credentials to Store Connection Strings in the SessionState Element (821616)
The information in this article applies to:
- Microsoft ASP.NET (included with the .NET Framework 1.1)
- Microsoft ASP.NET (included with the .NET Framework) 1.0
SUMMARY
IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986 Description of the Microsoft Windows Registry
This article describes how to store the encrypted sqlConnectionString property and the stateConnectionString property for the <sessionState> element in the registry in a security-enhanced way.
MORE INFORMATION
By default, ASP.NET stores the ConnectionString property for a session state in plain text. Encrypting the value increases the protection of the ConnectionString. You can use the Aspnet_setreg.exe utility to encrypt and then to store the ConnectionString attribute values in the registry under a secure key. You can download Aspnet_setreg.exe from the following link:
Download the Aspnet_setreg.exe package now
Additionally, this article describes how to use the Aspnet_setreg.exe utility to encrypt credentials and session state connection strings. The sessionState element configures session state settings for the current application. You can use the encrypted data that the registry stores instead of plain text in the sessionState configuration section.
Aspnet_setreg.exe Utility
Use the Aspnet_setreg.exe utility to encrypt and then to store
connection string attribute values in the registry under a secure key. The utility calls the CryptProtectData function with the CRYPTPROTECT_LOCAL_MACHINE flag to encrypt the credentials. Because anyone with access to the computer can call the CryptUnprotectData function, the encrypted data is stored under a secure registry key with a strong discretionary access control list (DACL). When ASP.NET parses the configuration file, it reads the secure registry key and then uses CryptUnprotectData to decrypt the data. The ASP.NET worker process
(Aspnet_wp.exe) reads the <sessionState/> sections. To read the registry
keys, the worker process account must have Read permission to these keys. If
content is hosted on a Universal Naming Convention (UNC) share, the account
that is used to access the UNC share must have permission to read these
keys.
Use Encrypted Attributes in the Configuration File for the SessionState Element
WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
Note This tool creates the registry keys under the HKEY_LOCAL_MACHINE
subtree. By default, only administrators can create keys under this key. Make
sure that you are logged on as an administrator to successfully create the
registry keys.
- Encrypt the sqlConnectionString and stateConnectionString attributes to use with the <sessionState> section. To encrypt the sqlConnectionString, type the following command at a command prompt:
c:\Tools>aspnet_setreg.exe -k:SOFTWARE\MY_SECURE_APP\sessionState -c:"data source=server;Integrated Security=SSPI;Initial Catalog=northwind;user id=username;password=password"
To encrypt the stateConnectionString, type the following command at a command prompt:
c:\Tools>aspnet_setreg.exe -k:SOFTWARE\MY_SECURE_APP\sessionState -d:"tcpip=dataserver:42424"
These commands encrypt the sqlConnectionString and stateConnectionString attributes, create registry keys at any location that you
specify, and then store the attributes in those registry keys. The commands
also generate output that specifies how to change your Web.config file or
your Machine.config file so that ASP.NET uses these keys to read that information
from the registry. After you run this command, you receive output that is
similar to the following:
Please edit your configuration to contain the following:
sqlConnectionString="registry:HKLM\SOFTWARE\MY_SECURE_APP\sessionState\ASPNET_SETREG,sqlConnectionString"
stateConnectionString="registry:HKLM\SOFTWARE\MY_SECURE_APP\sessionState\ASPNET_SETREG,stateConnectionString"
The DACL on the registry key grants Full Control to System, Administrators, and Creator Owner.
If you have encrypted credentials for the <identity/>
configuration section, or a connection string for the <sessionState/>
configuration section, ensure that the process identity has Read access to the
registry key. Furthermore, if you have configured IIS to access content on a
UNC share, the account used to access the share will need Read access to the
registry key. Regedt32.exe may be used to view/modify registry key permissions.
You may rename the registry subkey and registry value in order to prevent discovery.
- Modify the corresponding configuration file to point to these registry keys. Edit your configuration file so that it reads the information from the registry. To do so, set the sqlConnectionString and stateConnectionString attributes of the <sessionState> element to the registry: values shown in the Aspnet_setreg.exe output.
- Grant Read permissions to the Aspnet_wp.exe process
account. For more information about how to change permissions for registry
keys, see the "Use Registry Editor to Grant
Permissions for the ASP.NET Account on These Registry Keys" section
of this article.
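The configuration change in step 2, as an added PowerShell example that is not part of this article: it rewrites the <sessionState> element of a Web.config so that both connection strings are read from the registry references that Aspnet_setreg.exe printed. The file path, the mode="SQLServer" value and the sample Web.config are assumptions made for the example.

```powershell
# Added example, not from the KB article. Assumed: the file path, mode="SQLServer",
# and the sample Web.config below are constructed; the registry: references are the
# ones Aspnet_setreg.exe printed for -k:SOFTWARE\MY_SECURE_APP\sessionState.
$sqlRef   = 'registry:HKLM\SOFTWARE\MY_SECURE_APP\sessionState\ASPNET_SETREG,sqlConnectionString'
$stateRef = 'registry:HKLM\SOFTWARE\MY_SECURE_APP\sessionState\ASPNET_SETREG,stateConnectionString'

function Set-RegistrySessionState {
    param(
        [Parameter(Mandatory)][string]$ConfigPath,
        [string]$Mode = 'SQLServer'   # 'StateServer' if only stateConnectionString is used
    )
    [xml]$cfg = Get-Content -LiteralPath $ConfigPath -Raw
    $sysWeb = $cfg.configuration.'system.web'
    if (-not $sysWeb) { $sysWeb = $cfg.configuration.AppendChild($cfg.CreateElement('system.web')) }
    $ss = $sysWeb.sessionState
    if (-not $ss) { $ss = $sysWeb.AppendChild($cfg.CreateElement('sessionState')) }

    # Replace the plain-text connection strings with the registry: references;
    # ASP.NET resolves these when it parses the configuration file.
    $ss.SetAttribute('mode', $Mode)
    $ss.SetAttribute('sqlConnectionString',   $sqlRef)
    $ss.SetAttribute('stateConnectionString', $stateRef)

    # Refuse to save if a password is still visible anywhere in the element.
    if ($ss.OuterXml -match '(?i)password\s*=') {
        throw "Plain-text password still present in <sessionState>: $($ss.OuterXml)"
    }
    $cfg.Save($ConfigPath)
    return $ss.OuterXml
}

# Constructed sample Web.config that still carries a plain-text password.
$sample = Join-Path $env:TEMP 'Web.config'
@'
<?xml version="1.0"?>
<configuration>
  <system.web>
    <sessionState mode="SQLServer"
      sqlConnectionString="data source=server;user id=username;password=password"
      cookieless="false" timeout="20" />
  </system.web>
</configuration>
'@ | Set-Content -LiteralPath $sample -Encoding UTF8

Set-RegistrySessionState -ConfigPath $sample
```

The function returns the rewritten <sessionState> element, which is what the edited Web.config or Machine.config should contain.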
Use Registry Editor to Grant Permissions for the ASP.NET Account on These Registry Keys
WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
- Click Start, and then click Run.
- In the Open text box, type regedt32, and then click OK.
- Click the HKEY_LOCAL_MACHINE\SOFTWARE\MY_SECURE_APP\ subkey.
- On the Security menu, click Permissions to open the Permissions dialog box. (If you use Microsoft Windows XP, right-click the registry key, and then click Permissions to open this dialog box.)
- Click Add.
- Type yourservername\ASPNET (or yourservername\NetWorkService if you use Windows Server 2003 [Internet Information Services 6.0]), and then click OK.
- Verify that the account that you just added has Read permissions, and then click OK.
- Close Registry Editor.
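The same permission grant done from PowerShell, plus a check of the resulting DACL, as an added example that is not part of this article. It assumes the key path the article uses, that the worker process account is NT AUTHORITY\NETWORK SERVICE (IIS 6.0) or the local ASPNET account (IIS 5.x), and that it runs from an elevated prompt.

```powershell
# Added example, not from the KB article. Assumed: the key path below is the one the
# article uses; the worker account is NT AUTHORITY\NETWORK SERVICE (IIS 6.0) or
# <server>\ASPNET on IIS 5.x; the script runs from an elevated (administrator) prompt.
$KeyPath       = 'HKLM:\SOFTWARE\MY_SECURE_APP'
$WorkerAccount = 'NT AUTHORITY\NETWORK SERVICE'   # or "$env:COMPUTERNAME\ASPNET"

function Grant-RegistryRead {
    # Adds a Read (ReadKey) Allow ACE for $Account on $Path and its subkeys,
    # which is what the regedt32 steps above do by hand.
    param([string]$Path, [string]$Account)
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $Account, 'ReadKey', 'ContainerInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Test-RegistryKeyDacl {
    # Reports whether $Account can read the key and lists any Allow ACE for a principal
    # other than the ones Aspnet_setreg.exe grants Full Control (SYSTEM, Administrators,
    # CREATOR OWNER) and the worker account. Any other reader can call CryptUnprotectData
    # on the stored blob, so every extra ACE needs a justification.
    param([string]$Path, [string]$Account)
    $expected = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER', $Account
    $allow   = @((Get-Acl -Path $Path).Access | Where-Object { $_.AccessControlType -eq 'Allow' })
    $readKey = [System.Security.AccessControl.RegistryRights]::ReadKey
    [pscustomobject]@{
        Key           = $Path
        WorkerHasRead = [bool]($allow | Where-Object {
            $_.IdentityReference.Value -eq $Account -and
            (($_.RegistryRights -band $readKey) -eq $readKey) })
        Unexpected    = @($allow | Where-Object { $expected -notcontains $_.IdentityReference.Value })
    }
}

Grant-RegistryRead -Path $KeyPath -Account $WorkerAccount
# Check the subkey that actually holds the encrypted values, so inherited ACEs are included.
$report = Test-RegistryKeyDacl -Path "$KeyPath\sessionState\ASPNET_SETREG" -Account $WorkerAccount
if (-not $report.WorkerHasRead) { Write-Warning "$WorkerAccount cannot read $($report.Key)" }
foreach ($ace in $report.Unexpected) {
    Write-Warning ("Unexpected ACE on {0}: {1} {2}" -f $report.Key, $ace.IdentityReference, $ace.RegistryRights)
}
```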
REFERENCES
For more information about session state, visit the following Microsoft Developer Network (MSDN) Web site:
http://msdn.microsoft.com/library/en-us/cpgenref/html/gngrfsessionstatesection.asp
For additional information about session state, click the following article numbers to view the articles in the Microsoft Knowledge Base:
329250 FIX: Stronger Credentials for processModel, identity, and sessionState
329290 HOW TO: Use the ASP.NET Utility to Encrypt Credentials and Session State Connection Strings
Modification Type: Minor
Last Reviewed: 7/8/2005
Keywords: kbdownload kbDevSecurity kbRegistry kbState kbSecurity kbConfig kbinfo KB821616 kbAudDeveloper