Microsoft KB Archive/821616

= INFO: Usage of Strong Credentials to Store Connection Strings in the SessionState Element =

Article ID: 821616

Article Last Modified on 4/19/2007

-

APPLIES TO


 * Microsoft ASP.NET 1.1
 * Microsoft ASP.NET 1.0

-



SUMMARY
IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry

This article describes how to store the encrypted sqlConnectionString property and the stateConnectionString property for the sessionState element in the registry in a security-enhanced way.



MORE INFORMATION
By default, ASP.NET stores the ConnectionString property for a session state in plain text. Encrypting the value increases the protection of the ConnectionString. You can use the Aspnet_setreg.exe utility to encrypt the ConnectionString attribute values and then store them in the registry under a secure key. You can download Aspnet_setreg.exe from the following link:

Download the Aspnet_setreg.exe package now

Additionally, this article describes how to use the Aspnet_setreg.exe utility to encrypt credentials and session state connection strings. The sessionState element configures session state settings for the current application. You can use the encrypted data that the registry stores instead of plain text in the sessionState configuration section.

Aspnet_setreg.exe Utility
Use the Aspnet_setreg.exe utility to encrypt connection string attribute values and then store them in the registry under a secure key. The utility encrypts the credentials with the CryptProtectData function and the CRYPTPROTECT_LOCAL_MACHINE flag. Because any process that runs on the computer can call the CryptUnprotectData function on data that was protected with that flag, the encryption alone is not sufficient: the encrypted data is stored under a secure registry key with a strong discretionary access control list (DACL), and that DACL is what limits which accounts can read the value. When ASP.NET parses the configuration file, it reads the secure registry key and then uses CryptUnprotectData to decrypt the data.

The ASP.NET worker process (Aspnet_wp.exe) reads these configuration sections. To read the registry keys, the worker process account must have Read permission to these keys. If content is hosted on a Universal Naming Convention (UNC) share, the account that is used to access the UNC share must have permission to read these keys.

Use Encrypted Attributes in the Configuration File for the SessionState Element
WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

Note This tool creates the registry keys under the HKEY_LOCAL_MACHINE subtree. By default, only administrators can create keys under this key. Make sure that you are logged on as an administrator to successfully create the registry keys.

Encrypt the sqlConnectionString and stateConnectionString attributes to use with the sessionState section. To encrypt the sqlConnectionString, type the following command at a command prompt:

c:\Tools>aspnet_setreg.exe -k:SOFTWARE\MY_SECURE_APP\sessionState -c:"data source=server;Integrated Security=SSPI;Initial Catalog=northwind;user id=username;password=password"

To encrypt the stateConnectionString, type the following command at a command prompt:

c:\Tools>aspnet_setreg.exe -k:SOFTWARE\MY_SECURE_APP\sessionState -d:"tcpip=dataserver:42424"

These commands encrypt the sqlConnectionString and stateConnectionString attributes, create registry keys at any location that you specify, and then store the attributes in those registry keys. The commands also generate output that specifies how to change your Web.config file or your Machine.config file so that ASP.NET uses these keys to read that information from the registry.

After you run these commands, you receive output that is similar to the following:

Please edit your configuration to contain the following:

sqlConnectionString="registry:HKLM\SOFTWARE\MY_SECURE_APP\sessionState\ASPNET_SETREG,sqlConnectionString"
stateConnectionString="registry:HKLM\SOFTWARE\MY_SECURE_APP\sessionState\ASPNET_SETREG,stateConnectionString"

The DACL on the registry key grants Full Control to System, Administrators, and Creator Owner.

If you have encrypted credentials for a configuration section, or a connection string for the sessionState configuration section, ensure that the process identity has Read access to the registry key. Furthermore, if you have configured IIS to access content on a UNC share, the account used to access the share will need Read access to the registry key. Regedt32.exe may be used to view/modify registry key permissions. You may rename the registry subkey and registry value in order to prevent discovery.

Modify the corresponding configuration file to point to these registry keys. Edit your configuration file so that it reads the information from the registry. To do so, use the following code:

==== SQLServer Mode ====

The following example specifies the SQLServer session state configuration settings:
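The SQLServer form, written out here as an added example (it is not the article's own listing): it follows the shape of the StateServer fragment in the next section and uses the registry path and value name that Aspnet_setreg.exe reported in the output above, so only the mode value and the attribute name differ.

```xml
<system.web>
  <!-- mode and attribute name are the SQLServer counterparts of the StateServer fragment below -->
  <sessionState mode="SQLServer"
                sqlConnectionString="registry:HKLM\SOFTWARE\MY_SECURE_APP\sessionState\ASPNET_SETREG,sqlConnectionString">
  </sessionState>
</system.web>
```

The worker process account still needs Read access to the ASPNET_SETREG key for this setting to resolve; the procedure at the end of this article grants it.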

==== StateServer Mode ====

The following example specifies the StateServer session state configuration settings:

<system.web>
  <sessionState mode="StateServer"
                stateConnectionString="registry:HKLM\SOFTWARE\MY_SECURE_APP\sessionState\ASPNET_SETREG,stateConnectionString">
  </sessionState>
</system.web>

Grant Read permissions to the Aspnet_wp.exe process account. For more information about how to change permissions for registry keys, see the "Use Registry Editor to Grant Permissions for the ASP.NET Account on These Registry Keys" section of this article.

Use Registry Editor to Grant Permissions for the ASP.NET Account on These Registry Keys
WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
 * 1) Click Start, and then click Run.
 * 2) In the Open text box, type regedt32, and then click OK.
 * 3) Click the subkey that Aspnet_setreg.exe created (in the earlier example, HKEY_LOCAL_MACHINE\SOFTWARE\MY_SECURE_APP\sessionState\ASPNET_SETREG).
 * 4) On the Security menu, click Permissions to open the Permissions dialog box. (If you use Microsoft Windows XP, right-click the registry key, and then click Permissions to open this dialog box.)
 * 5) Click Add.
 * 6) Type the local computer name followed by \ASPNET (or by \NetworkService if you use Windows Server 2003 [Internet Information Services 6.0]), and then click OK.
 * 7) Verify that the account that you just added has Read permissions, and then click OK.
 * 8) Close Registry Editor.
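The mechanism the utility and the Registry Editor procedure rely on, written out as an added PowerShell example (this is not Aspnet_setreg.exe and not code from the article): the connection string is protected with DPAPI in the LocalMachine scope, which is what .NET's ProtectedData class exposes over CryptProtectData with CRYPTPROTECT_LOCAL_MACHINE, the blob is written as a REG_BINARY value under a key laid out like the article's HKLM\SOFTWARE\MY_SECURE_APP\sessionState\ASPNET_SETREG, and the key's DACL is replaced with the Full Control / Read-only split that the tool output describes. The key path, the sample connection string and the worker account name are assumptions, and the article does not establish that ASP.NET 1.x's registry: reader accepts a blob written this way rather than by Aspnet_setreg.exe, so the script demonstrates and verifies the protection rather than standing in for the utility.

```powershell
# Added example (not aspnet_setreg.exe, not from the KB article). Assumed: key path,
# worker account name and the constructed sample connection string below.
#Requires -RunAsAdministrator
Add-Type -AssemblyName System.Security   # ProtectedData lives here on Windows PowerShell 5.1

$KeyPath       = 'HKLM:\SOFTWARE\MY_SECURE_APP\sessionState\ASPNET_SETREG'   # same layout as the article
$ValueName     = 'sqlConnectionString'
$WorkerAccount = "$env:COMPUTERNAME\ASPNET"   # assumed; 'NT AUTHORITY\NETWORK SERVICE' on IIS 6.0
$PlainText     = 'data source=server;Integrated Security=SSPI;Initial Catalog=northwind'   # constructed sample

function Protect-ConnectionString {
    param([string]$Text)
    $bytes = [System.Text.Encoding]::Unicode.GetBytes($Text)
    # LocalMachine scope is CryptProtectData with CRYPTPROTECT_LOCAL_MACHINE: any process
    # on this computer can decrypt the blob, so the registry DACL is the real access control.
    return [System.Security.Cryptography.ProtectedData]::Protect(
        $bytes, $null, [System.Security.Cryptography.DataProtectionScope]::LocalMachine)
}

function Unprotect-ConnectionString {
    param([byte[]]$Blob)
    $bytes = [System.Security.Cryptography.ProtectedData]::Unprotect(
        $Blob, $null, [System.Security.Cryptography.DataProtectionScope]::LocalMachine)
    return [System.Text.Encoding]::Unicode.GetString($bytes)
}

# 1. Encrypt and store the value as REG_BINARY under the secure key.
$blob = Protect-ConnectionString -Text $PlainText
New-Item -Path $KeyPath -Force | Out-Null
Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $blob -Type Binary

# 2. Replace the inherited DACL with an explicit one: Full Control for SYSTEM,
#    Administrators and CREATOR OWNER (as the tool output describes) plus Read
#    for the worker process account. No other principal can open the key.
$acl = Get-Acl -Path $KeyPath
$acl.SetAccessRuleProtection($true, $false)          # stop inheriting and drop inherited ACEs
foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }
$full    = [System.Security.AccessControl.RegistryRights]::FullControl
$read    = [System.Security.AccessControl.RegistryRights]::ReadKey
$inherit = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
$none    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
foreach ($principal in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER') {
    $acl.AddAccessRule([System.Security.AccessControl.RegistryAccessRule]::new(
        $principal, $full, $inherit, $none, $allow))
}
$acl.AddAccessRule([System.Security.AccessControl.RegistryAccessRule]::new(
    $WorkerAccount, $read, $inherit, $none, $allow))
Set-Acl -Path $KeyPath -AclObject $acl

# 3. Verify: the stored bytes must not be the plain text, and the round trip must succeed.
$stored = (Get-ItemProperty -Path $KeyPath -Name $ValueName).$ValueName
if ([System.Text.Encoding]::Unicode.GetString($stored) -eq $PlainText) { throw 'value was stored in clear text' }
if ((Unprotect-ConnectionString -Blob $stored) -ne $PlainText) { throw 'DPAPI round trip failed' }
# Show the resulting DACL; the worker account should appear with ReadKey only (step 7 above).
(Get-Acl -Path $KeyPath).Access | Format-Table IdentityReference, RegistryRights, AccessControlType -AutoSize
```

Run it from an elevated prompt, since the key lives under HKEY_LOCAL_MACHINE. The final table is the same check step 7 of the procedure asks for: the worker account must hold Read (ReadKey) and nothing more, while Full Control stays with System, Administrators and Creator Owner.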
