Protect the connection string passwords from unauthorized access

Abstract

How to use the ASP.NET IIS registration tool to encrypt sensitive Sitecore passwords and protect them from unauthorized access.

Sitecore stores passwords in the App_Config\ConnectionStrings.config file. We recommend that you encrypt this file to prevent the passwords from being exposed if the file is accessed without authorization.

This topic applies to all Core roles and XP Service roles except xConnect Search Indexer, Sitecore Cortex™ Blob Storage service, and Sitecore Cortex™ Table Storage service.

Important

This procedure is only compatible with Sitecore 9.2 and earlier. If you want to encrypt the connection strings on Sitecore 9.3 or later or experience any issues with the Microsoft ASP.NET RegIIS library, we recommend that you contact Microsoft.

To protect connection string passwords:

  1. Locate the ASP.NET IIS registration tool (aspnet_regiis) by executing the following PowerShell command:

    Get-ChildItem C:\Windows\Microsoft.net\ -Recurse aspnet_regiis.exe | select FullName

    The command probably finds several versions of the tool. You must select the latest version:

    FullName
    --------
    C:\Windows\Microsoft.net\Framework\v2.0.50727\aspnet_regiis.exe
    C:\Windows\Microsoft.net\Framework\v4.0.30319\aspnet_regiis.exe
    C:\Windows\Microsoft.net\Framework64\v2.0.50727\aspnet_regiis.exe
    C:\Windows\Microsoft.net\Framework64\v4.0.30319\aspnet_regiis.exe
  2. Use the aspnet_regiis tool with the -pef option to encrypt the connection strings:

    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis -pef "connectionStrings" "C:\inetpub\wwwroot\YOUR_WEBSITE_FOLDER"

    Important

    You must not end the path to your website folder with a backslash (for example, C:\inetpub\wwwroot\YOUR_WEBSITE_FOLDER\) because this makes the aspnet_regiis tool fail.

If you want to decrypt the passwords, you can repeat the PowerShell command with the -pef option changed to -pdf:

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis -pdf "connectionStrings" "C:\inetpub\wwwroot\YOUR_WEBSITE_FOLDER"

You must separately encrypt the connectionStrings.config file on each computer that you install Sitecore on. For more information on the aspnet_regiis tool, see Microsoft documentation on the ASP.NET IIS Registration Tool.
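The procedure above, gathered into one script as an added example (not Sitecore's own code): it picks the newest 64-bit aspnet_regiis, strips the trailing backslash that makes the tool fail, runs -pef (or -pdf), and then checks that the file really ends up encrypted with no plaintext password left. The site path, parameter names and the verification step are assumptions of this example; run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the Sitecore page. Encrypts (or decrypts) the connectionStrings
# section with the newest 64-bit aspnet_regiis and verifies the result.
param(
    [string]$SiteRoot = "C:\inetpub\wwwroot\YOUR_WEBSITE_FOLDER",   # assumed site folder
    [ValidateSet("pef", "pdf")][string]$Mode = "pef"                # pef = encrypt, pdf = decrypt
)

# The page's listing shows v2.0 and v4.0 copies in both Framework folders; take the newest 64-bit one.
$tool = Get-ChildItem "C:\Windows\Microsoft.NET\Framework64" -Recurse -Filter aspnet_regiis.exe |
    Sort-Object { [version]($_.Directory.Name.TrimStart('v')) } -Descending |
    Select-Object -First 1
if (-not $tool) { throw "aspnet_regiis.exe not found under Framework64" }

# aspnet_regiis fails when the website path ends with a backslash, so remove it before calling the tool.
$SiteRoot   = $SiteRoot.TrimEnd('\')
$configFile = Join-Path $SiteRoot "App_Config\ConnectionStrings.config"
if (-not (Test-Path $configFile)) { throw "No ConnectionStrings.config under $SiteRoot" }

# Same invocation as on the page: section name "connectionStrings", then the site folder.
& $tool.FullName "-$Mode" "connectionStrings" $SiteRoot
if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis -$Mode failed with exit code $LASTEXITCODE" }

# Verification (added): an encrypted section carries
# configProtectionProvider="RsaProtectedConfigurationProvider" and an <EncryptedData> element,
# and no plaintext password= value should remain anywhere in the file.
$content   = Get-Content $configFile -Raw
$encrypted = ($content -match 'configProtectionProvider="RsaProtectedConfigurationProvider"') -and
             ($content -match '<EncryptedData')
$plaintext = $content -match '(?i)password='
if ($Mode -eq "pef" -and (-not $encrypted -or $plaintext)) {
    throw "ConnectionStrings.config is not fully encrypted; inspect it before deploying"
}
# If the site later cannot read the section, the application pool identity lacks access to the
# RSA key container; aspnet_regiis -pa grants it (a step the page does not cover).
Write-Host "ConnectionStrings.config encrypted=$encrypted plaintextPasswordPresent=$plaintext"
```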

In a PaaS environment, you can protect your connection string values by moving the raw connection string value to the App Service connection string section.

To secure connection strings in PaaS deployments using Kudu:

  1. Go to App Service, Development Tools, and click Advanced Tools.

    (Screenshot: Open Kudu)
  2. Click Debug console, PowerShell, navigate to site/wwwroot/App_config and open the ConnectionStrings.config file.

    (Screenshot: Open Debug console)
  3. In the ConnectionStrings.config file, cut the values from the database connection strings and click Save. For example, remove the values for core, master, security, and web:

    (Screenshot: Remove the values)
  4. Open the App Service and navigate to Settings, Configuration, and then in the Connection strings section, click New connection string. Add connection strings for all the databases that you want and click OK.

    (Screenshot: Add new connection string)
  5. Click Save to apply the changes.

    (Screenshot: Connection strings in App Service)