How to secure BE.NET?

Topics: Business Logic Layer
Dec 31, 2010 at 12:14 AM

I'm installing/setting up BE.NET 2.0 RC and I have some questions about how to secure my blog before I upload it to my hosting provider.  I'm using SQL Server 2008 R2 to store my data.  So, here are my questions.

  1. Web.config: How do I encrypt web.config to protect my connectionString (the SQL account and pwd are stored as clear text)?
  2. Email: I see that dbo.be_Settings table stores the Settings\Email settings as clear text (including my account and pwd).  Since this is stored in the database, I assume that this data is safe if I can encrypt web.config.  However, how do I protect the email login information in transmission to my email server?  I see the Enable SSL option, but no details on how to configure this option.
  3. Users: I see my users stored in dbo.be_Users and the password is hashed.  Again, I assume that this data is protected in my database if I encrypt web.config to protect my connectionString.  But, how do I protect the login information when I log into BE.NET from the login.aspx page?   There doesn't seem to be an SSL option.
  4. XML Data: I noticed that even though I am using SQL Server to store my data, there are still files in the App_Data, like the users.xml file (which has the default admin defined).  What can I do to get rid of this data I'm not using (delete files when the data is stored in SQL, remove XmlBlogProvider if not really needed, etc.)? 
  5. Windows Live Writer/MetaWeblog API: Again, I don't want my account information going over the wire as clear text.  I see the option to Require SSL for MetaWeblog API, but no details on how to set it up.  What can I do to protect my login info when using WLW?

Thanks in advance.

Mayo.