What is a good alternative to putting passwords in config files?

Tags: .net, security

I have a bunch of .Net config files which contain passwords for Windows service accounts and/or SQL server logins. I would like to get them out of the config files and keep them more secure.

What is a good alternative to having the passwords in the config file?

Thanks

Matthew MacFarland asked Feb 12 '15 01:02


2 Answers

I have to disagree with the given answers here. Assuming that your program needs to start up without someone entering a password, the program needs access to some clear-text credentials in any case. If you encrypt the config file, where do you put the key to decrypt that config file? Encrypting the config file doesn't make anything better; it just makes the administration harder, with no noticeable improvement in security.

In the end you have to rely on the security of the machine holding that credential. Harden it as well as possible, and restrict access to it as much as you can.

There is a longer article elaborating on that point.

Michael answered Jun 08 '23 01:06


You can actually encrypt sections of your config files. It's not "separate" from the config file as you asked about in your question, but it is more secure than storing the unencrypted/plaintext passwords in your config file.

Example to encrypt the connection strings (from command prompt):

aspnet_regiis -pe "connectionStrings" -app "/SampleApplication" -prov "RsaProtectedConfigurationProvider"

Note that this same technique can be applied to sections aside from connection strings.

See the tutorial at: https://msdn.microsoft.com/en-us/library/zhhddkxy%28v=vs.140%29.aspx

To decrypt and encrypt a section of the Web.config file, the ASP.NET process must have permission to read the appropriate encryption key information. For more information, see Importing and Exporting Protected Configuration RSA Key Containers.

The application will be able to use the encrypted values natively, but if a user had access to the config file say via a fileshare, the strings would still be encrypted.

Another tutorial which might have some additional info: http://www.codeproject.com/Tips/795135/Encrypt-ConnectionString-in-Web-Config

Note that encryption is reversible with the appropriate key. Your safest bet would be to lock down remote and share access to the area where the config file is stored. Without either of these, your config file shouldn't even be accessible to anyone but administrators to the server.

Kritner answered Jun 08 '23 00:06
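The same protection that aspnet_regiis applies from the command line can be applied from code, which is what a Windows service or installer usually needs since aspnet_regiis is aimed at web applications. The following C# program is an added example, not code from either answer or from Microsoft's documentation. It encrypts the connectionStrings section of a target executable's app.config with RsaProtectedConfigurationProvider, reports whether the section on disk is now protected, and reads one connection string back, which only works for an account that can read the RSA key container. It assumes .NET Framework with a reference to System.Configuration.dll, an app.config beside the target executable that already contains a connectionStrings section, and the connection string name "ServiceDb" is a placeholder.

```csharp
using System;
using System.Configuration;

// Added example (not from the original answers): programmatic equivalent of
// "aspnet_regiis -pe connectionStrings" for a non-web .NET Framework application.
// Assumes a reference to System.Configuration.dll and an app.config next to the
// target executable. "ServiceDb" is a placeholder connection string name.
static class ProtectedConfigDemo
{
    const string Provider = "RsaProtectedConfigurationProvider";

    // Encrypts <connectionStrings> in place. An already-protected section is left
    // alone, so this is safe to call repeatedly from a deployment step.
    public static bool ProtectConnectionStrings(string exePath)
    {
        Configuration config = ConfigurationManager.OpenExeConfiguration(exePath);
        ConfigurationSection section = config.GetSection("connectionStrings");
        if (section == null || section.SectionInformation.IsProtected)
            return false;

        section.SectionInformation.ProtectSection(Provider);
        // The logical content is unchanged, so force the (now encrypted) section to be written.
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }

    // Reports whether the section stored on disk is marked as protected.
    public static bool IsProtected(string exePath)
    {
        Configuration config = ConfigurationManager.OpenExeConfiguration(exePath);
        ConfigurationSection section = config.GetSection("connectionStrings");
        return section != null && section.SectionInformation.IsProtected;
    }

    // Reads a named connection string. The framework decrypts transparently, but only
    // for an account with read access to the RSA key container; otherwise a
    // ConfigurationErrorsException is thrown, which Main reports.
    public static string ReadConnectionString(string exePath, string name)
    {
        Configuration config = ConfigurationManager.OpenExeConfiguration(exePath);
        ConnectionStringSettings settings = config.ConnectionStrings.ConnectionStrings[name];
        return settings == null ? null : settings.ConnectionString;
    }

    static int Main(string[] args)
    {
        if (args.Length < 1)
        {
            Console.Error.WriteLine("usage: ProtectedConfigDemo <path-to-service.exe> [connectionStringName]");
            return 2;
        }
        string exePath = args[0];
        string name = args.Length > 1 ? args[1] : "ServiceDb";

        try
        {
            bool changed = ProtectConnectionStrings(exePath);
            Console.WriteLine(changed
                ? "connectionStrings section encrypted."
                : "connectionStrings section already encrypted or missing.");
            Console.WriteLine("Section on disk is protected: " + IsProtected(exePath));

            string cs = ReadConnectionString(exePath, name);
            Console.WriteLine(cs == null
                ? "No connection string named " + name
                : "This account can decrypt '" + name + "' (" + cs.Length + " characters).");
            return 0;
        }
        catch (ConfigurationErrorsException ex)
        {
            // Typical cause: this account lacks read access to the RSA key container.
            Console.Error.WriteLine("Configuration error: " + ex.Message);
            return 1;
        }
    }
}
```

OpenExeConfiguration(exePath) opens the file exePath + ".config"; inside the running application itself, use ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None) instead. The RSA provider uses the machine-level key container NetFrameworkConfigurationKey by default, and the service account needs read access to it before it can start with the encrypted config, granted with `aspnet_regiis -pa "NetFrameworkConfigurationKey" "DOMAIN\svc-account"`. This matches Michael's point: the secret has moved from the config file to the key container on that machine, so a copy of the config taken over a file share is useless by itself, but anyone who can run code as an account with container access can still recover the password.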