Last month I blogged about how the ASP.NET padding oracle vulnerability related to getting different levels of access to the application, where part of it involved gaining access to unprotected machine keys in the web.config of the affected sites.
While Microsoft's patch that closes the vulnerability is already on Windows Update and other distribution channels, that doesn't mean we shouldn't pay attention to keeping our application's important access information out of harm's way.
Protecting config sections
One way to protect machine keys, connection strings and other sensitive information in the web.config is to use protected sections. Check Microsoft's Walkthrough: Encrypting Configuration Information Using Protected Configuration, for the steps to use them in your application. With this approach the information is no longer in clear text in the web.config; it is encrypted with a key that isn't anywhere in the web site's folder.
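The following is an added example, not code from the original post or from Microsoft's walkthrough: it protects the two sections the padding oracle attack went after (the machine key and the connection strings) with the RSA provider, and reports any that are still in clear text. The application virtual path "/MyApp" is an assumption; pass your own as the first argument.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Web.Configuration;

// Added example (not from the original post). Run once on the server under an
// account that can write the site's web.config.
class ProtectSensitiveSections
{
    // Sections worth encrypting: the machine key and the connection strings.
    static readonly string[] Sections = { "system.web/machineKey", "connectionStrings" };

    // Returns the names of sections that exist but are still stored in clear text.
    static List<string> FindUnprotected(Configuration config)
    {
        var unprotected = new List<string>();
        foreach (string name in Sections)
        {
            ConfigurationSection section = config.GetSection(name);
            if (section != null && !section.SectionInformation.IsProtected)
                unprotected.Add(name);
        }
        return unprotected;
    }

    // Encrypts each clear-text section with the RSA provider. The key lives in the
    // machine's RSA key container, not in the site folder, so reading web.config
    // alone no longer yields the machine key.
    static void ProtectAll(Configuration config)
    {
        foreach (string name in FindUnprotected(config))
        {
            ConfigurationSection section = config.GetSection(name);
            section.SectionInformation.ProtectSection("RsaProtectedConfigurationProvider");
            // Write the section even if its values were inherited and unchanged.
            section.SectionInformation.ForceSave = true;
        }
        config.Save(ConfigurationSaveMode.Modified);
    }

    static void Main(string[] args)
    {
        string appPath = args.Length > 0 ? args[0] : "/MyApp"; // assumed virtual path
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appPath);
        ProtectAll(config);
        // Re-open and verify nothing sensitive is left in clear text.
        config = WebConfigurationManager.OpenWebConfiguration(appPath);
        foreach (string name in FindUnprotected(config))
            Console.WriteLine("Still unprotected: " + name);
    }
}
```

The application pool identity must be granted read access to the RSA key container (the walkthrough covers this with aspnet_regiis -pa), otherwise the site fails to decrypt the sections at runtime.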
Machine’s level web.config
If the server isn't shared with third-party applications, another option is to configure the machine key in the machine-level web.config. This is another way the machine key would not have been exposed if access to the site's folder had been gained, as in the recent vulnerability.
For .NET 4, look at: %systemroot%\Microsoft.NET\Framework\v4.0.30319\Config\. Note that .NET 3 and 3.5 use the same config as the 2.0 framework.