In ordre to add security, we need to encrypt connectionstring section of web.config file. As web.config is plain text file, if not encrypted, username and password used for making database connection will be exposed to any reader.
Encrypting Web.Config
- Open Command Prompt with Administrator privileges
- At the Command Prompt, enter:
cd C:\Windows\Microsoft.NET\Framework\v4.0.30319 - In case your web Config is located in “I:\alt_sites\sample_app\www” directory path, then enter the following to encrypt the
ConnectionString:
ASPNET_REGIIS -pef “connectionStrings” “I:\alt_sites\sample_app\www”
Use Aspnet_regiis.exe tool with the–pefoption and specify the application path as shown above.
Note: The parameter “connectionStrings” is case sensitive.
To Decrypt encrypted connection string use -pdf option as
ASPNET_REGIIS -pdf “connectionStrings” “I:\alt_sites\sample_app\www“