One of the questions from the audit team could be why do we keep some sensitive data in our configuration files. Luckily .NET provides fast and effective way of encrypting content of the web.config or machine.config files.
Of course if we use Windows Authentication, no data will be exposed in Web.Config, but just in case we need SQL based authentication to be used. Please use a simple script to encrypt content of the <connectionStrings> section of your web.config file.
1. Get the ID of your web site from the IIS Administration panel:
2. Open Command Prompt. Navigate to a folder where .NET resides and execute the following statement:
aspnet_regiis -pe connectionStrings -app / -site 9
Where connectionStrings is the area what we plan to encrypt, -app / means we have our site at root, and
-site 9 is the site ID.
Web.Config before the "surgery":
The only drawback of this - Configuration Tool, that is using local executable application, will not be able to find a database. But this I believe for good, you can control the attempt of changing configurations for the system.
If you need to decrypt the web.config, just run this statement:
aspnet_regiis -pd connectionStrings -app / -site 9
You Enjoy :) ,