Tip 6Store Secure Information in the Registry
Besides encrypting data manually, you might also want to use the registry to store sensitive information. For example, you might configure your Web server to log in to a remote database server using Windows authentication. And so you might configure your Web application to use impersonation, specifying the username and password:
|Figure 8. Using the Registry Editor. Navigate to the registry directory shown to make your changes.|
However, storing the username and password in Web.config in plain text is not a good idea. A better idea is to use the registry to store the username and password.
In the following series of steps, I will show you how to store your database connection string in Web.config and then use the ASPNET_SETREG.exe utility provided by Microsoft to store the username and password in the registry.
1. Download the aspnet_setreg.exe utility from http://support.microsoft.com/default.aspx?scid=kb;en-us;Q329290.
2. Create a new user account in your Windows machine. I have called it ASPNETUSER with a password of “secret.”
3. Add the <appSettings> element into your Web.config file. This setting saves the database connection string into Web.config:
<add key="Distributor" value="workstation id=F16;packet size=4096;integrated security=SSPI;data
source=F16;persist security info=True;initial catalog=Distributor" />
4. In your code, you can retrieve the connection string defined in your Web.config
Dim connStr As String = _
Dim Conn As New SqlConnection(connStr)
5. Next, use the aspnet_setreg.exe
utility to add the username and password of the user account that your ASP.NET application will impersonate, into the registry:
C:\>aspnet_setreg -k:Software\ASPNetApp\Identity -u:ASPNETUSER -p:secret
6. When you do that, Windows will print a long message to the screen. The text of the message is shown below. In particular, look for two lines denoted in bold. You will need to save the two lines in a text file.
Please edit your configuration to contain the following:
The DACL on the registry key grants Full Control to System, Administrators, and Creator Owner.
If you have encrypted credentials for the <identity/> configuration section, or a connection string for the
<sessionState/> configuration section, ensure that the process identity has Read access to the
registry key. Furthermore, if you have configured IIS to access content on a UNC share, the account used to
access the share will need Read access to the registry key.
Regedt32.exe may be used to view/modify registry key permissions.
You may rename the registry subkey and registry value in order to prevent discovery.
7. Locate the Machine.config
file at: C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\CONFIG
and modify the <identity> element in Machine.config
|Figure 9. Read Permission. Change the settings to give ASPNET the permission to read the key.|
You can override the settings in Machine.config
by modifying the Web.config
file in your application and specifying another user identity to impersonate.
8. Launch the registry editor and navigate to My Computer/HKEY_LOCAL_MACHINE/SOFTWARE/ASPNetApp/Identity/ASPNET_SETREG (use regedt32), as shown in Figure 8.
9. Right-click on the ASPNET_SETREG registry key and select Permissions. Add the user account ASPNET and set it to Read permission (see Figure 9).
10. Give the user account ASPNETUSER FULL CONTROL access rights to the “Temporary ASP.NET Files” folder located in C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322.
11. That’s it! Your application will now run under the impersonation of ASPNETUSER. And the credentials of the user can be securely retrieved from the registry.