Store encrypted AppSettings and ConnectionStrings in a database

Do you have connectionStrings and appSettings with potentially sensitive data spread all over your network in various web.configs?

Do you worry about your database userids and passwords saved in source control?

I set out to solve this problem and created DBConfigurationManager. It is available as a NuGet package: https://www.nuget.org/packages/DBConfigurationManager/

DBConfigurationManager allows you to store your appSettings and ConnectionStrings in a database table. There is nothing you need to do in the code. You continue using

ConfigurationManager.AppSettings[""] and ConfigurationManager.ConnectionStrings[""]

When you install the package, it gives you the TABLE script you need to hold the configuration information, and it also adds a connectionString to your web.config that points to the configuration datastore.

It is a great way to centralize your appSettings and ConnectionStrings. If you are worried about security, you could easily use SSPI and connect to the configuration database using the AppPoolIdentity or Service Account you are running your website under.

New in Version 2.0.0.0

  • Ability to encrypt your settings in the database.
  • You can encrypt with either the MachineKey or a secret key using MD5 encryption.
  • Also included is a tool (look in your bin folder) called StringEncryptor to create your encrypted settings.

[Screenshot: tool to encrypt your settings]


IIS Rewrite Rules (force www to non-www and http to https)

  • Redirect the www site to non-www, e.g. I use the rule below for my own website. If a user browses to https://www.indexedmind.com, redirect them to https://indexedmind.com
    <system.webServer>
      <rewrite>
        <rules>
          <!-- Any host other than indexedmind.com is redirected to the bare domain -->
          <rule name="Redirect WWW to non-WWW" stopProcessing="true">
            <match url="(.*)" />
            <conditions>
              <add input="{HTTP_HOST}" pattern="^indexedmind\.com$" negate="true" />
            </conditions>
            <action type="Redirect" url="https://indexedmind.com/{R:1}" />
          </rule>
        </rules>
      </rewrite>
    </system.webServer>
    
  • Redirect http requests to https, e.g. if a user browses to http://indexedmind.com, force them to go to https://indexedmind.com
    <!-- Goes inside <system.webServer><rewrite><rules>, like the rule above -->
    <!-- redirectType="SeeOther" answers with HTTP 303 -->
    <rule name="Redirect to HTTPS" stopProcessing="true">
      <match url="(.*)" />
      <conditions>
        <add input="{HTTPS}" pattern="^OFF$" />
      </conditions>
      <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" redirectType="SeeOther" />
    </rule>
    

How to retrieve a list of Application Pools and their configured identities on your IIS box.

I wrote this script, which will give you a list of the application pools defined on your IIS 6.x box and their configured identities. Optionally, it can also enumerate the list of applications or virtual directories that are configured to run under those app pools. Although this script can run remotely, I was getting access denied messages on some boxes, so I recommend running it locally under an admin account.

Download the script –> Here

Usage:

IISEnumAppPools LOCALHOST

IISEnumAppPools LOCALHOST 1

IISEnumAppPools LOCALHOST > Output.txt

Sample Output:

SERVER: localhost
————————————
App Pool : Application1
IDENTITY : Network Service

App Pool : Asp.Net 1.1
IDENTITY : Network Service

App Pool : ASP.net 2.0
IDENTITY : Local System

App Pool : TestPool
IDENTITY :SERVER\Admin

Or

————————
App Pool : LegiantTimeCard
IDENTITY : Network Service

/LM/W3SVC/1/ROOT/LegiantTimecard/

————————
App Pool : OnlineReports
IDENTITY : Network Service

/LM/W3SVC/1/ROOT/OnlineReports/
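
A listing like the one above is most useful for a least-privilege review when it is reduced to the pools that need attention. The following is an added example, not part of the original script: it parses output in the format shown above and flags pools that do not run as a low-privilege built-in account. The sample text and the severity policy are constructed for this example.

```python
import re

# Constructed sample in the output format shown above (not real server data).
SAMPLE = """\
SERVER: localhost
App Pool : ASP.net 2.0
IDENTITY : Local System

App Pool : TestPool
IDENTITY :SERVER\\Admin

------------------------
App Pool : OnlineReports
IDENTITY : Network Service

/LM/W3SVC/1/ROOT/OnlineReports/
"""

# Assumption: this severity policy is the example's own, not the script's.
# Local System has full control of the host; unknown accounts need a manual check.
BUILTIN = {"network service": "ok", "local service": "ok", "local system": "high"}
LINE = re.compile(r"^(App Pool|IDENTITY)\s*:\s*(.*?)\s*$", re.IGNORECASE)

def parse_pools(text):
    """Return [{'pool', 'identity', 'apps'}] from IISEnumAppPools-style output."""
    pools = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE.match(line)
        if m and m.group(1).lower() == "app pool":
            pools.append({"pool": m.group(2), "identity": None, "apps": []})
        elif m and pools:
            pools[-1]["identity"] = m.group(2)
        elif line.startswith("/LM/") and pools:
            pools[-1]["apps"].append(line)  # metabase path of an app in this pool
    return pools

def audit(pools):
    """Return (pool, identity, severity, apps) for every pool that is not 'ok'."""
    findings = []
    for p in pools:
        sev = BUILTIN.get((p["identity"] or "").lower(), "review")
        if sev != "ok":
            findings.append((p["pool"], p["identity"], sev, p["apps"]))
    return findings

if __name__ == "__main__":
    for pool, ident, sev, apps in audit(parse_pools(SAMPLE)):
        print(f"[{sev}] {pool} runs as {ident}; apps: {apps or 'not listed'}")
```

Pools marked "review" run under a custom account, so check that account's group memberships and rights on the server before treating it as acceptable.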