TODO:
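Have you ever wanted to protect your web.config file so that the appSettings and connectionStrings sections cannot be read as plain text? Below are two methods and a class-level field you can add to your code to protect your app.config or web.config. Both methods store the message of any exception in that field instead of throwing, so check it after calling them.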
SOLUTION:
// Message of the most recent exception caught by ProtectApplicationConfig or ProtectWebConfig.
// Those methods write it here instead of throwing. In the code shown it is never reset to
// empty after a successful call, so a non-empty value may come from an earlier call.
private string LastErrorMessage = "";
/// <summary>
/// Encrypts the connectionStrings and appSettings sections of the executable's
/// configuration file with the DataProtectionConfigurationProvider (DPAPI) and saves the file.
/// </summary>
/// <remarks>
/// A section that already reports IsProtected is left as it is. Every exception is caught
/// and only its Message is kept in LastErrorMessage; nothing is rethrown and nothing is
/// returned, so the caller has to inspect LastErrorMessage to learn that protection failed.
/// NOTE(review): LastErrorMessage is not cleared on success here, so a stale message from an
/// earlier call can remain - confirm how callers interpret it.
/// NOTE(review): this provider is normally set up for machine-level DPAPI protection, which
/// guards the file when it is copied off the host rather than against other code running on
/// the same host - confirm the provider settings in use.
/// </remarks>
public void ProtectApplicationConfig()
{
    const string dpapiProvider = "DataProtectionConfigurationProvider";

    try
    {
        // ConfigurationUserLevel.None opens the configuration file of the running executable.
        Configuration exeConfig = ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
        ConnectionStringsSection connectionStrings = exeConfig.ConnectionStrings;
        AppSettingsSection appSettings = exeConfig.AppSettings;

        // Encrypt each section only when it is not protected yet.
        if (!connectionStrings.SectionInformation.IsProtected)
        {
            connectionStrings.SectionInformation.ProtectSection(dpapiProvider);
        }

        if (!appSettings.SectionInformation.IsProtected)
        {
            appSettings.SectionInformation.ProtectSection(dpapiProvider);
        }

        // ForceSave makes Save() write both sections even if their values were not modified.
        connectionStrings.SectionInformation.ForceSave = true;
        appSettings.SectionInformation.ForceSave = true;
        exeConfig.Save();
    }
    catch (Exception error)
    {
        // Failure is reported only through this field; the file may still be unprotected.
        LastErrorMessage = error.Message;
    }
}
/// <summary>
/// Encrypts the connectionStrings and appSettings sections of the web application's
/// root Web.config with the DataProtectionConfigurationProvider (DPAPI) and saves the file.
/// </summary>
/// <remarks>
/// A section that already reports IsProtected is left as it is. Every exception is caught
/// and only its Message is kept in LastErrorMessage; nothing is rethrown and nothing is
/// returned, so the caller has to inspect LastErrorMessage to learn that protection failed.
/// NOTE(review): LastErrorMessage is not cleared on success here, so a stale message from an
/// earlier call can remain - confirm how callers interpret it.
/// NOTE(review): Save() rewrites Web.config, so the identity the application runs under
/// presumably needs write access to that file - confirm in the target deployment.
/// NOTE(review): this provider is normally set up for machine-level DPAPI protection, which
/// guards the file when it is copied off the host rather than against other code running on
/// the same host - confirm the provider settings in use.
/// </remarks>
public void ProtectWebConfig()
{
    const string dpapiProvider = "DataProtectionConfigurationProvider";

    try
    {
        // "~" addresses the configuration at the root of the current web application.
        Configuration webConfig = WebConfigurationManager.OpenWebConfiguration("~");
        ConnectionStringsSection connectionStrings =
            (ConnectionStringsSection)webConfig.GetSection("connectionStrings");
        AppSettingsSection appSettings =
            (AppSettingsSection)webConfig.GetSection("appSettings");

        // Encrypt each section only when it is not protected yet.
        if (!connectionStrings.SectionInformation.IsProtected)
        {
            connectionStrings.SectionInformation.ProtectSection(dpapiProvider);
        }

        if (!appSettings.SectionInformation.IsProtected)
        {
            appSettings.SectionInformation.ProtectSection(dpapiProvider);
        }

        // ForceSave makes Save() write both sections even if their values were not modified.
        connectionStrings.SectionInformation.ForceSave = true;
        appSettings.SectionInformation.ForceSave = true;
        webConfig.Save();
    }
    catch (Exception error)
    {
        // Failure is reported only through this field; the file may still be unprotected.
        LastErrorMessage = error.Message;
    }
}
NOTES:
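The config file can ONLY be used on the machine it was protected on. Once a file is protected, copying it to another machine and trying to use it there will not work, because the DataProtectionConfigurationProvider encrypts with Windows DPAPI keys that belong to the machine where the protection was applied. Run the protect method on each machine that hosts the application; where one encrypted file has to be shared across several servers, the RsaProtectedConfigurationProvider is the provider intended for that case. Protecting the sections only keeps the values from being read directly out of the file: the application itself still reads them through the normal configuration API, so access to the file and to the host must still be restricted.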