security on the web.config file

  • Thread starter Thread starter Keith Henderson
  • Start date Start date
K

Keith Henderson

I have a web site that doesn't use SSL. It is running the 1.1 version of
the Dotnet Framework. In my web.config file I have added some data for
connection strings and also I'm using identity impersonate set to true, so
in my web.config it contains names and passwords for the domain and in
connection strings. I believe this is probably very unsafe or is it not
unsafe. Should I be concerned? Can the entire web.config be encrypted? If
I should encrypt it, can someone in this group provide some code samples and
links?
 
AS far as i know you cannot encrypt the web.config file.

Security wise, the .config file can only we accessed from the server it
resides on ... i.e. it cannot be accessed through a web browser.
So as long as no one has access to that server (either via a network share,
or physically using the computer itself), then no one will be able to view
that web.config file making it perfectly safe . After all , you are putting
your database connection string in there.

If you would prefer this to leave the user account information outside of
the web.config file, you can create an account with just the rights needed
for the app., and no other privalages on the server on which it resides.

Furthermore, Why are you impersonating a user, are their files on that box
that the app needs to access, by default asp.net uses the IIS user created
on installing the .NET framework. That should be sufficient to access
whatever is required on the application (unless maybe accessing network
shares or writing to folders outside of the application). That way you don't
need to list the user account details in the web.config file at all.

I hope that sheds some light on your problem

Regards

Grant
 
Thanks, the reason I use the impersonate is the web site will allow
uploading of files based on conditions. Those conditions also indicate
different network shares on multiple servers so the impersonated account has
write-rights to different folders around the network. So the local IIS
account has no rights on those other servers, instead we use a domain
account.

thank you Grant. I will not encrypt the file or the data then because only
admins have rights to see the web.config.
 
Hi Keith:

As Grant pointed out the web.config file won't be available to a
remote client through the web.

There are some additional precautions you can take, because plaintext
passwords in web.config are risky.

You can perform encryption on any of the appSettings you use by
rolling some of your own code. See:

How To Use DPAPI (Machine Store) from ASP.NET
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmod/html/secmod22.asp

For impersonation passwords you can use setreg:
How To Use the ASP.NET Utility to Encrypt Credentials and Session
State Connection Strings
http://support.microsoft.com/default.aspx?scid=kb;en-us;329290

HTH,
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

SqlDataAdapter from web.config 1
The value of web.config RSA encryption 3
How secured is the ASP.NET 2.0 web.config encryption? 1
web.config and Anonymous Authentication problems ??? 0
Impersonating and Windows Authentication 1
Web.config Encryption 2
Web.config vs Machine.config 1
encrypting config file that aren't web config files... 1

Back
Top