Home/ Questions/Q 231563
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-11T19:56:37+00:00

I am responsible for several ASP.NET web apps running on a local Intranet server.

  • 0

I am responsible for several ASP.NET web apps running on a local Intranet server. Users outside the company aren’t supposed to have access to the server, but I don’t like leaving anything to chance if it’s not necessary. And only admins should have access to the file system.

Should I encrypt the app settings and connection string sections of web.config? I haven’t see this mentioned very often, and I was wondering if it’s overkill or not a best-practice. I’ve got passwords in my connection strings and account info for a service account I use to query AD in the app settings.

BTW: I would encrypt using

 Configuration webConfig = WebConfigurationManager.OpenWebConfiguration(System.Web.HttpContext.Current.Request.ApplicationPath);
ConfigurationSection section = webConfig.Sections["connectionStrings"];

if (section != null && !section.SectionInformation.IsProtected)
{
    section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");
    webConfig.Save();
}
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Should I encrypt the app settings and connection string sections of web.config?

    If the connection strings include passwords: then yes, there is no other reasonable option.

    If using integrated security to connect to the database, then the information exposure would be database and server names, which is less of an issue. But might be easier to have a deployment rule of always encrypting, because the simpler rule is easier to follow and audit.

    You can also use aspnet_regiis.exe to encrypt sections, rather than writing your own code. Enter aspnet_regiis.exe -? into a PowerShell (or cmd) prompt to see options.

    • 0