INFO: Usage of Strong Credentials to Store Connection Strings in the SessionState Element

IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base: This article describes how to store the encrypted sqlConnectionString property and the stateConnectionString property for the <sessionState> element in the registry in a security-enhanced way.

By default, ASP.NET stores the ConnectionString property for a session state in plain text. You use encryption to increase the protection of ConnectionString. You can use the Aspnet_setreg.exe utility to encrypt and then to store the ConnectionString attribute values in the registry under a secure key. You can download Aspnet_setreg.exe from the following link:
Download the Aspnet_setreq.exe package now (http://download.microsoft.com/download/2/9/8/29829651-e0f0-412e-92d0-e79da46fd7a5/aspnet_setreg.exe)
Additionally, this article describes how to use the Aspnet_setreg.exe utility to encrypt credentials and session state connection strings. The sessionState element configures session state settings for the current application. You can use the encrypted data that the registry stores instead of plain text in the sessionState configuration section.

Aspnet_setreg.exe Utility

Use the Aspnet_setreg.exe utility to encrypt and then to store connection string attribute values in the registry under a secure key. Use the CryptProtectData function with the CRYPTPROTECT_LOCAL_MACHINE flag to encrypt the credentials. Because anyone with access to the computer can call the CryptUnprotectData function, the encrypted data is stored under a secure registry key with a strong discretionary access control list (DACL). When ASP.NET parses the configuration file, it reads the secure registry key and then uses CryptUnprotectData to decrypt the data.

The ASP.NET worker process (Aspnet_wp.exe) reads the <sessionState/> sections. To read the registry keys, the worker process account must have Read permission to these keys. If content is hosted on a Universal Naming Convention (UNC) share, the account that is used to access the UNC share must have permission to read these keys.

Use Encrypted Attributes in the Configuration File for the SessionState Element

WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

Note This tool creates the registry keys under the HKEY_LOCAL_MACHINE subtree. By default, only administrators can create keys under this key. Make sure that you are logged on as an administrator to successfully create the registry keys.

1. Encrypt the sqlConnectionString and stateConnectionString attributes to use with the <sessionState> section. To encrypt the sqlConnectionString, type the following command at a command prompt:
   c:\Tools>aspnet_setreg.exe -k:SOFTWARE\MY_SECURE_APP\sessionState -c:"data source=server;Integrated Security=SSPI;Initial Catalog=northwind;user id=username;password=password"
   
   To encrypt the stateConnectionString, type the following command at a command prompt:
   c:\Tools\>aspnet_setreg.exe -k:SOFTWAR E\MY_SECURE_APP\sessionState -d:"tcpip=dataserver:42424"
   
   These commands encrypt the sqlConnectionString and stateConnectionString attributes, create registry keys at any location that you specify, and then store the attributes in those registry keys. The commands also generate output that specifies how to change your Web.config file or your Machine.config file so that ASP.NET uses these keys to read that information from the registry.
   After you run this command, you receive output that is similar to the following:
   

   Please edit your configuration to contain the following:
   
   sqlConnectionString="registry:HKLM\SOFTWARE\MY_SECURE_APP\sessionState\ASPNET_SETREG,sqlConnectionString"
   stateConnectionString="registry:HKLM\SOFTWARE\MY_SECURE_APP\sessionState\ASPNET_SETREG,stateConnectionString"
   
   The DACL on the registry key grants Full Control to System, Administrators, and	Creator Owner. 
   
   If you have encrypted credentials for the <identity/>
   configuration section, or a connection string for the <sessionState/>
   configuration section, ensure that the process identity has Read access to the 
   registry key. Furthermore, if you have configured IIS to access content on a
   UNC share, the account used to access the share will need Read access to the
   registry key. Regedt32.exe may be used to view/modify registry key permissions.
   You may rename the registry subkey and registry value in order to prevent	discovery.

2. Modify the corresponding configuration file to point to these registry keys. Edit your configuration file so that it reads the information from the registry. To do so, use the following code:

   • SQLServer Mode

     
     The following example specifies the SQLServer session state configuration settings:

     <configuration>
        <system.web>
           <sessionState mode="SQLServer"
                         sqlConnectionString="registry:HKLM\SOFTWARE\MY_SECURE_APP\sessionState\ASPNET_SETREG,sqlConnectionString" />
           </sessionState>
        </system.web>
     </configuration>

   • StateServer Mode

     
     The following example specifies the StateServer session state configuration settings:

     <configuration>
        <system.web>
           <sessionState mode="StateServer"
                         stateConnectionString="registry:HKLM\SOFTWARE\MY_SECURE_APP\sessionState\ASPNET_SETREG,stateConnectionString"
           </sessionState>
        </system.web>
     </configuration>

3. Grant Read permissions to the Aspnet_wp.exe process account. For more information about how to change permissions for registry keys, see the "Use Registry Editor to Grant Permissions for the ASP.NET Account on These Registry Keys" section of this article.

Use Registry Editor to Grant Permissions for the ASP.NET Account on These Registry Keys

WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

1. Click Start, and then click Run.
2. In the Open text box, type regedt32, and then click OK.
3. Click the HKEY_LOCAL_MACHINE\SOFTWARE\MY_SECURE_APP\ subkey.
4. On the Security menu, click Permissions to open the Permissions dialog box. (If you use Microsoft Windows XP, right-click the registry key, and then click Permissions to open this dialog box.)
5. Click Add.
6. Type yourservername\ASPNET (or yourservername\NetWorkService if you use Windows Server 2003 [Internet Information Services 6.0]), and then click OK.
7. Verify that the account that you just added has Read permissions, and then click OK.
8. Close Registry Editor.

For more information about session state, visit the following Microsoft Developer Network (MSDN) Web site: http://msdn2.microsoft.com/en-us/library/h6bb9cz9(vs.71).aspx (http://msdn2.microsoft.com/en-us/library/h6bb9cz9(vs.71).aspx)
For additional information about session state, click the following article numbers to view the articles in the Microsoft Knowledge Base: