Mar 22, 2007

Encrypt/Decrypt connection strings in web.config

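// Needs these namespaces; the statements below go in a page code-behind method.
using System.Configuration;
using System.Web.Configuration;

// Pick one provider (declaring both constants does not compile).
const string PROVIDER = "DataProtectionConfigurationProvider";   // DPAPI-based
// const string PROVIDER = "RSAProtectedConfigurationProvider";  // RSA key container

Configuration ObjConfiguration =
    WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);
ConnectionStringsSection cnStrSettings = ObjConfiguration.ConnectionStrings;

// Encrypt the Connection Strings Section
if (!cnStrSettings.SectionInformation.IsProtected)
{
    cnStrSettings.SectionInformation.ProtectSection(PROVIDER);
}

// Decrypt the Connection Strings Section
// (run this block instead of the one above when the section must be readable again)
if (cnStrSettings.SectionInformation.IsProtected)
{
    cnStrSettings.SectionInformation.UnprotectSection();
}

// Write the change back to web.config
ObjConfiguration.Save();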
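
A check that a deployment script can run against the saved web.config to confirm the section really is encrypted on disk. This is an added example, not part of the original post; the class name, method name and sample XML are constructed for illustration.

```csharp
using System;
using System.Linq;
using System.Xml.Linq;

static class ConnectionStringAudit
{
    // Returns "protected:<provider>", "plaintext" or "absent".
    public static string Check(string webConfigXml)
    {
        // Match on local names: older web.config files put a namespace on
        // <configuration>, and <EncryptedData> carries its own namespace.
        XElement section = XDocument.Parse(webConfigXml).Descendants()
            .FirstOrDefault(e => e.Name.LocalName == "connectionStrings");
        if (section == null) return "absent";

        // ProtectSection() stamps the provider name on the section and
        // replaces the <add> entries with one <EncryptedData> element.
        string provider = (string)section.Attribute("configProtectionProvider");
        bool hasCipher = section.Elements()
            .Any(e => e.Name.LocalName == "EncryptedData");
        bool hasClearEntries = section.Elements()
            .Any(e => e.Name.LocalName == "add");

        if (provider != null && hasCipher && !hasClearEntries)
            return "protected:" + provider;
        return "plaintext";
    }

    static void Main()
    {
        // Constructed sample inputs, not taken from a real site.
        string clear = @"<configuration><connectionStrings>
  <add name='Db' connectionString='Server=.;Database=App;User Id=app;Password=EXAMPLE' />
</connectionStrings></configuration>";

        string enc = @"<configuration>
<connectionStrings configProtectionProvider='DataProtectionConfigurationProvider'>
  <EncryptedData><CipherData>
    <CipherValue>CONSTRUCTED_PLACEHOLDER</CipherValue>
  </CipherData></EncryptedData>
</connectionStrings></configuration>";

        Console.WriteLine(Check(clear));
        Console.WriteLine(Check(enc));
    }
}
```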

2 comments:

  1. Hi All,

    Thanks for your reply and advice.

    My problem is that if someone can log into the server via
    an FTP program (I use WS_FTP), then the web.config is
    easily viewable with no restrictions.

    The encryption schemes you mentioned are to deny people
    access via a web browser? I will look into hashed
    passwords, but if someone gets into my site via an FTP
    program, does this encryption do anything?

    Thanks!

  2. Even if someone can get your web.config via FTP, you are still safe, since the passwords are encrypted and hence cannot be decrypted anywhere else... so no one can steal passwords even if they get the web.config via FTP.
