--参考:https://blog.darkthread.net/blog/mechinekey-hack-and-protection/
--参考:https://www.cnblogs.com/txwsh1/archive/2007/05/16/748993.html
--参考:https://cloud.tencent.com/developer/article/1028328
--参考:https://docs.microsoft.com/en-us/previous-versions/dotnet/netframework-2.0/k6h9cz8h(v=vs.80)
--管理员权限 CMD
1.cd /d C:\Windows\Microsoft.NET\Framework\v4.0.30319 --64位和32位目录不同(64位为 Framework64)
--为本机创建 RSA 密钥容器,-exp 表示密钥可导出
2.aspnet_regiis -pc "MichaelRsaKeys" -exp
--导出 RSA 到 D:\MichaelRsaKeys.xml
--注意:-px 不加 -pri 时只导出公钥;要让其他服务器能解密,导出时需在命令末尾加 -pri。带私钥的 xml 等同于密钥本身,应限制访问权限,用完即删
3.aspnet_regiis.exe -px "MichaelRsaKeys" "D:\MichaelRsaKeys.xml"
--web.config configuration节点下 添加节点 <configProtectedData>
4.<configProtectedData defaultProvider="FormAuthLabRsaKey">
<providers>
<add name="FormAuthLabRsaKey" --provider名称 后面加密需要用到
keyContainerName="MichaelRsaKeys" --第一步产生的Key名称
useMachineContainer="true"
type="System.Configuration.RsaProtectedConfigurationProvider,System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
</providers>
</configProtectedData>
--为网站添加 MichaelRsaKeys认证容器
--aspnet_regiis -pa "MichaelRsaKeys" "IIS APPPOOL\网站应用程序池名称"
--pef:加密
5.aspnet_regiis -pef system.web/machineKey 网站目录 -prov FormAuthLabRsaKey
--pdf:解密
6.aspnet_regiis -pdf system.web/machineKey 网站目录
--------------------------------------服务器部署-----------------------------------------------
a.部署到远程服务器(1台或多台)
将网站文件与MichaelRsaKeys.xml(也就是导出的RSA容器文件)先上传到服务器,同时导入RSA
--导入完成后应立即删除服务器上(以及本机上)的 MichaelRsaKeys.xml:若导出时带了 -pri,该文件含私钥,任何能读到它的人都可以解密 web.config
aspnet_regiis -pi "MichaelRsaKeys" "D:\MichaelRsaKeys.xml"
b.确认服务器上aspx登录所用的默认帐号
Response.Write(System.Security.Principal.WindowsIdentity.GetCurrent().Name);
随便建一个aspx,把上一行代码贴到里面就可以了,IIS5环境下输出的是ASPNET,IIS6环境下输出的是NETWORK SERVICE,IIS7下没试过也不知道输出的是啥玩意儿
c.授予RSA容器的读取权限给b中的默认帐号
--最小权限:-pa 默认只授予读取权限,-full 为完全控制;通常只需授权给网站实际运行所用的帐号(b中输出的帐号),下面几条不必全部执行
IIS7.0
aspnet_regiis -pa "MichaelRsaKeys" "IIS APPPOOL\网站应用程序池名称" -full
aspnet_regiis -pa "MichaelRsaKeys" "NT AUTHORITY\NETWORK SERVICE"
aspnet_regiis -pa "MichaelRsaKeys" "NT AUTHORITY\IUSR"
aspnet_regiis -pa "MichaelRsaKeys" "NT AUTHORITY\SYSTEM"
IIS6
aspnet_regiis -pa "MichaelRsaKeys" "NETWORK SERVICE"
d.授权完以后再进行pef加密,pdf解密
aspnet_regiis -pef system.web/machineKey 网站目录 -prov FormAuthLabRsaKey
--------------------------------------bat------------------------------------------------------------
1.本机bat(先用 -pz 删除同名旧RSA容器,再新建RSA容器,导出容器,加密web.config)
--注意:-pz 删除容器后,之前用该容器加密的配置将无法再解密,执行前请确认已解密或已备份密钥
%windir%\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe -pz "MichaelRsaKeys"
%windir%\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe -pc "MichaelRsaKeys" -exp
%windir%\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe -px "MichaelRsaKeys" "D:\MichaelRsaKeys.xml"
%windir%\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe -pef "appSettings" "D:\website" -prov "FormAuthLabRsaKey"
2.远程服务器bat(导入RSA容器,授权)
%windir%\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe -pi "MichaelRsaKeys" "D:\MichaelRsaKeys.xml"
%windir%\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe -pa "MichaelRsaKeys" "NETWORK SERVICE"