Securing App.Config

Topics: Security Application Block
Feb 8, 2007 at 7:52 PM
Is there a way to secure App.Config so that it cannot be tampered with? Specifically with the config entries describing user roles and the actions they are allowed to perform. Is the only true way to secure application configuration info is to store this in the DB, or can the app.config file be 'locked down' somehow. I'm less concered with people being able to view the info in there as I am about them being able to directly edit the app.config to change the role/action rules.
Feb 8, 2007 at 10:00 PM
I don't believe the .NET Framework has any built-in support for signing configuration files (and EntLib definitely doesn't). However this should be something you could code yourself using the crypto APIs. Basically you'd want to generate a signature for the config file using a private key, and you could make the public key available to the application for verifying the signature. It would probably be most practical to store the signature ouside of the config file, as this will make it much easier to do the signing and verification.

I'm not a crypto expert so I can't provide details, but hopefully this will give you some clues to get started.

Tom