September 17, 2010 Microsoft issued a Security Advisory
Vulnerability in ASP.NET
This not the first time, nor will it be the last time.
Who is responsible for the security of your Web Site?
MojoPortal has a lot of documentation on Securing MojoPortal. They also have documentation on How and Why You Should Generate a Custom Machine Key.
However, in this blog post I am going to walk you through making a Custom machine key in crystal clear detail with all the pictures included.
First make sure you are logged in as administrator and go to the Administration Menu. If your screen looks like this and Security Advisor says “Needs Attention!” click Learn More. If it does not, stop reading for now and you are done.
In Administration, Click on the Security Advisor Link and the screen may look similar to this but without my yellow warnings.
The mojoPortal Security advisor checks two ASP.NET vulnerable areas in your mojoPortal installation.
1. Use a Custom Machine Key – This Blog.
2. Securing The File System – covered in my previous blog here.
If you are still with me here, I am assuming that the first check “Verify that a custom machine key is being used” also says “Danger – Not Secure”
VERY IMPORTANT – The first thing you should do is to check what your Web Sites Security Password Format is set to:
Go to Administration Menu > Site Settings, click on the Security Tab and on the Main sub tab check the “Password format” setting.
In order to safely change the machine key your Security Password format should be set to “Clear Text in db” OR “Hashed in db” as below.
Why is this so important? If we change the machine key with the passwords encrypted, we will not be able to login to our mojoPortal site after we change the machine key. This would be very bad. If you have lots of users and data in your mojoPortal databases and this scares you then you had better backup your database before you continue.
Ok. Now with your Security Password format set and saved to “Clear Text in db” OR “Hashed in db” we can go back to Administration Menu > Security Advisor.
In the editable text area, note the first 4 characters after <machineKey=
Then click the link “Generate a new Key”. Now wait and watch those first 4 characters after <machineKey=
and when they change you will now have a new key to enter into your sites web.config file which is a text file in the root of your mojoPortal Web Site. Select and copy all the text in the text box from the first left arrow < right to and including the ending right arrow >
Using ftp, copy your Web Sites web.config file to your local computer and open the file in notepad or whatever text editor you use.
Somewhere around line 675 of your web.config file, it will look something like this.
Do not delete or over-write the existing/old machine key yet. Move the comment tag –> below the key first like I have above in the first highlighted section. I like to keep the old key until I know for sure that the new key works and allows me to login to the Web Site successfully.
The bottom highlighted line above is where I pasted in my new machine key. Make sure the new pasted key is complete including the closing arrow tag >
After this is done, saved the web.config file and ftp it back to your mojoPortal Web Site.
*** Keep this new web.config and new machine key FOREVER! What I mean is… If you ever upgrade mojoPortal (and you will) the web.config file in the upgrade will need this new machine key change too. Keep this new machine key in a safe place. It is the key to your database login forever. IF you lose it you may be locked out of your mojoPortal CMS
VERY IMPORTANT – Access your Web Site and test logging in. If you can not login, you have done something wrong. Review the steps above and if all fails, restore your old commented machine key line in your web.config file.
If you want more security (and you should) you should now go back to Administration Menu > Site Settings, click on the Security Tab and on the Main sub tab change the “Password format”. With a new secure machine key working for you, it is now safe to set this to “Encrypted in db” and click save.
That’s it. You’re done.
Take Care and Happy Hosting.