LANGUAGES: All .NET Languages
ASP.NET VERSIONS: 1.1
Store Passwords Securely
Use an encrypted password stored in the registry instead of plain text stored in a configuration file.
By Dino Esposito
In Take Control of the ASPNET Account, I took a close look at ASP.NET's security layers. Starting with the .NET Framework Service Pack 3, and of course in ASP.NET 1.1, you can use an encrypted password stored in the registry instead of plain text stored in a configuration file. This feature is supported by the processModel, identity, and sessionState sections of the registry.
The idea is that you use an ad-hoc tool - aspnet_setreg.exe - to encrypt the credentials and store them in the registry. The tool creates registry keys under the HKEY_LOCAL_MACHINE subtree and there stores an encrypted username and password. By default, only administrators can create keys under this hive. For example, here's what you need to do to create encrypted registry keys for the username and password:
Notice that the aspnet_setreg.exe tool always creates an extra key named ASPNET_SETREG and, below it, the attributes userName and Password contain encrypted data. You can change key and attribute names in the registry as needed to camouflage them better.
Microsoft made the aspnet_setreg.exe tool available as part of a "hot fix" as described in Microsoft Knowledge Base article Q329290, "Use the ASP.NET Utility to Encrypt Credentials and Session State Connection Strings" (http://support.microsoft.com/default.aspx?scid=kb;en-us;329290). The recommended way to get it, though, is through Service Pack 3 or ASP.NET 1.1. Getting the aspnet_setreg.exe tool alone is not sufficient because updates to aspnet_isapi.dll also are needed.
Once you set the registry, you enter some changes into the involved configuration files (machine.config or web.config) and make the critical elements point to the registry for username and/or password. You assign the userName and password attributes as shown below. The sample text refers to the identity section.
Basically, you make the attribute point to the registry path where the encrypted credentials are stored. Notice that you must mention the hive explicitly using the HKLM abbreviation. (HKLM stands for HKEY_LOCAL_MACHINE.) If you modified the default registry path, indicate the new one in the .config files.
Dino Esposito is a trainer and consultant who specializes in ASP.NET, ADO.NET, and XML. Author of Building Web Solutions with ASP.NET and ADO.NET and Programming Microsoft ASP.NET, both from Microsoft Press, Dino also is a co-founder of http://www.VB2TheMax.com. E-mail him at mailto:[email protected].