Re: web.config location


From: Curt_C [MVP] (software_AT_darkfalz.com)
Date: 05/12/04


Date: Wed, 12 May 2004 13:33:51 -0500

We encrypt the values in the web.config, as they pertain to connection
strings and such.
Just use an encryption class and decrypt when using them. Much better
feeling of security too :}

-- 
Curt Christianson
Owner/Lead Developer, DF-Software
Site: http://www.Darkfalz.com
Blog: http://blog.Darkfalz.com
"mike" <someone@somewhere.com> wrote in message
news:%23Z35kxEOEHA.2244@tk2msftngp13.phx.gbl...
> I agree - I see the web.config as a safe mechanism for storing data - I
> would feel safer if registry keys are used for configuration strings and
> maybe a few other things.  But if there is a guarantee that the config
> cannot be served and it has file level security against it being viewed by
> just anyone, I don't think that you can offer any more security - I believe
> the security policy for gov't apps just has not evolved to the .NET
> application and we are struggling with that transition period....
>
>
> "Curt_C [MVP]" <software_AT_darkfalz.com> wrote in message
> news:udvJTlEOEHA.1276@TK2MSFTNGP11.phx.gbl...
> > but in that rationale NOTHING is secure. Since the web.config is text it
> > has a security risk, but the thing is they would need file level access
> > to the server, which if they have the contents of the web.config are
> > irrelevant anyway since they can already do/see what they want regardless
> > of where it is.
> >
> > -- 
> > Curt Christianson
> > Owner/Lead Developer, DF-Software
> > Site: http://www.Darkfalz.com
> > Blog: http://blog.Darkfalz.com
> >
> >
> > "mike" <someone@somewhere.com> wrote in message
> > news:uKQdzMEOEHA.2716@tk2msftngp13.phx.gbl...
> > > well that appears to be something that we will have to explore -
> > > petition to have it be allowed, but that would only get us for the
> > > specific .NET functionality.  Application stuff would still need to be
> > > sent off to another config file...
> > >
> > > I would think they would have to know since they will be hosting this
> > > site.  BUT I just think they are being difficult right now...
> > >
> > > the other thing is that in certain places, Microsoft has said that the
> > > web.config is not entirely secure because connection strings, assembly
> > > information and such can be put in there.  As soon as a gov't agency
> > > sees "not secure" they say no, no matter what the reasoning or
> > > information is behind that claim.
> > >
> > >
> > > "William F. Robertson, Jr." <wfrobertson@kpmg.com> wrote in message
> > > news:OMpr%23AEOEHA.484@TK2MSFTNGP10.phx.gbl...
> > > > Does the government agency understand that it is hard coded into IIS
> > > > not to serve web.config files, ever, never, forever?
> > > >
> > > > bill
> > > >
> > > > (or at least that is the tout by Microsoft)
> > > >
> > > > "mike" <someone@somewhere.com> wrote in message
> > > > news:O%2385tgDOEHA.3832@TK2MSFTNGP10.phx.gbl...
> > > > > Part of the client's requirement is that all config files must be
> > > > > located outside of the web directory.
> > > > >
> > > > > DoD and government orgs seem to not like configuration files
> > > > > anywhere near the virtual directory for security reasons.
> > > > >
> > > > > you would have thought that MS would have allowed you to specify a
> > > > > path to where that is....
> > > > >
> > > > > I am at a loss as to what to do now...  I have a lot of things
> > > > > that use the web.config.
> > > > >
> > > > > "Curt_C [MVP]" <software_AT_darkfalz.com> wrote in message
> > > > > news:e8fM%23cDOEHA.620@TK2MSFTNGP10.phx.gbl...
> > > > > > no.
> > > > > > it MUST be in the root of the site/vd.
> > > > > > You can have more of them in subsequent folders to override
> > > > > > settings though.
> > > > > > Why though? why move it out of the site? It's not accessible
> > > > > > from the outside
> > > > > >
> > > > > > -- 
> > > > > > Curt Christianson
> > > > > > Owner/Lead Developer, DF-Software
> > > > > > Site: http://www.Darkfalz.com
> > > > > > Blog: http://blog.Darkfalz.com
> > > > > >
> > > > > >
> > > > > > "mike" <someone@somewhere.com> wrote in message
> > > > > > news:ujqlaYDOEHA.3380@TK2MSFTNGP11.phx.gbl...
> > > > > > > Is it possible to move the web.config out of the application
> > > > > > > folder?  I would like it off somewhere out of the web directory
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
>
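Curt's suggestion at the top of the thread (keep the sensitive values in web.config encrypted and decrypt them only at the point of use) as an added C# example; this is not code from the thread or from DF-Software. It assumes .NET Framework 2.0 or later on Windows and uses the DPAPI wrapper System.Security.Cryptography.ProtectedData (System.Security.dll); the appSettings key name, the `dpapi:` prefix and the entropy string are conventions invented for this example.

```csharp
// Added example, not from the thread: store secrets in web.config as DPAPI
// ciphertext and decrypt them only when the application needs them.
// Assumes .NET Framework 2.0+ on Windows; reference System.Security.dll and
// System.Configuration.dll. The "dpapi:" prefix, the entropy string and the
// key name "ConnectionStrings.Main" are conventions made up for this example.
using System;
using System.Configuration;
using System.Security.Cryptography;
using System.Text;

public static class ProtectedSetting
{
    private const string Prefix = "dpapi:";

    // Optional entropy mixed into the DPAPI key; pick a per-application value.
    private static readonly byte[] Entropy =
        Encoding.UTF8.GetBytes("example-app-entropy");

    // One-time step, run on the web server itself: turn a plaintext secret into
    // the value that is pasted into web.config. LocalMachine scope means the
    // ASP.NET worker process account can decrypt it without a user profile.
    public static string Protect(string plaintext)
    {
        byte[] blob = ProtectedData.Protect(
            Encoding.UTF8.GetBytes(plaintext), Entropy, DataProtectionScope.LocalMachine);
        return Prefix + Convert.ToBase64String(blob);
    }

    // Runtime step: decrypt a stored value. Fails loudly if someone has put a
    // plaintext value back into the setting, so misconfiguration is noticed.
    public static string Unprotect(string stored)
    {
        if (stored == null || !stored.StartsWith(Prefix, StringComparison.Ordinal))
            throw new ConfigurationErrorsException(
                "Setting is not DPAPI-protected; expected a value starting with " + Prefix);

        byte[] blob = Convert.FromBase64String(stored.Substring(Prefix.Length));
        byte[] plain = ProtectedData.Unprotect(blob, Entropy, DataProtectionScope.LocalMachine);
        try
        {
            return Encoding.UTF8.GetString(plain);
        }
        finally
        {
            // Do not leave the decrypted bytes lying around in the heap longer than needed.
            Array.Clear(plain, 0, plain.Length);
        }
    }

    // Read a protected connection string from <appSettings>, e.g.
    //   <add key="ConnectionStrings.Main" value="dpapi:AQAAANCM..." />
    public static string GetConnectionString(string key)
    {
        return Unprotect(ConfigurationManager.AppSettings[key]);
    }
}
```

A value produced by `Protect()` on the production server replaces the plaintext in `<appSettings>`; because the DPAPI machine key never leaves that server, a copy of web.config read elsewhere does not yield the connection string. The caveat is the one Curt makes above: with `LocalMachine` scope any process on that same server can call `Unprotect`, so file-level access on the host is still the real boundary, and encryption raises the bar for an exfiltrated file rather than for an attacker already on the box. From ASP.NET 2.0 onward the configuration system also does this for the `<connectionStrings>` section without application code (`aspnet_regiis -pe "connectionStrings" -app "/YourApp"`), after which `ConfigurationManager.ConnectionStrings` decrypts transparently.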

