Re: security on the web.config file

From: GrantMagic (grant_at_magicalia.com)
Date: 09/22/04


Date: Wed, 22 Sep 2004 14:02:14 +0100

As far as I know, you cannot encrypt the web.config file.

Security-wise, the .config file can only be accessed from the server it
resides on, i.e. it cannot be accessed through a web browser.
So as long as no one has access to that server (either via a network share,
or physically using the computer itself), then no one will be able to view
that web.config file, making it perfectly safe. After all, you are putting
your database connection string in there.

If you would prefer to leave the user account information outside of
the web.config file, you can create an account with just the rights needed
for the app, and no other privileges on the server on which it resides.

Furthermore, why are you impersonating a user? Are there files on that box
that the app needs to access? By default ASP.NET uses the IIS user created
on installing the .NET Framework. That should be sufficient to access
whatever is required on the application (unless maybe accessing network
shares or writing to folders outside of the application). That way you don't
need to list the user account details in the web.config file at all.

I hope that sheds some light on your problem.

Regards

Grant

"Keith Henderson" <khenderson@projectresources.nospam.com> wrote in message
news:OOccR7JoEHA.708@TK2MSFTNGP09.phx.gbl...
>I have a web site that doesn't use SSL. It is running the 1.1 version of
>the Dotnet Framework. In my web.config file I have added some data for
>connection strings and also I'm using identity impersonate set to true, so
>in my web.config it contains names and passwords for the domain and in
>connection strings. I believe this is probably very unsafe or is it not
>unsafe. Should I be concerned? Can the entire web.config be encrypted?
>If I should encrypt it, can someone in this group provide some code samples
>and links?
>
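
Added example, not part of the original thread: a small Python audit that reports where a web.config holds the two kinds of credentials discussed above, an explicit impersonation account and a connection string with an embedded password. The sample file, its key names and all values are constructed for illustration; connection strings are looked for in appSettings and in a connectionStrings section, which is an assumption about where a site keeps them.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample resembling the setup described in the question (all values made up).
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <appSettings>
    <add key="MainDb" value="Server=db01;Database=app;User ID=appuser;Password=example-only" />
    <add key="ReportDb" value="Server=db01;Database=rpt;Integrated Security=SSPI" />
    <add key="PageSize" value="25" />
  </appSettings>
  <system.web>
    <identity impersonate="true" userName="EXAMPLE\\svc_web" password="example-only" />
  </system.web>
</configuration>
"""

# Connection-string keywords that carry a secret inside the string itself.
SECRET_KEYWORD = re.compile(r"(?:^|;)\s*(password|pwd)\s*=\s*[^;]+", re.IGNORECASE)

def audit_web_config(xml_text):
    """Return (location, finding) tuples for credentials stored in the file."""
    findings = []
    root = ET.fromstring(xml_text)
    # <identity impersonate="true"> with an explicit account keeps a password attribute in the file.
    for ident in root.iter("identity"):
        if ident.get("impersonate", "").lower() == "true" and ident.get("password"):
            findings.append(("system.web/identity",
                             "impersonation account %r has a password attribute set" % ident.get("userName")))
    # Connection strings: stored as appSettings values or in a connectionStrings section.
    for section, attr in (("appSettings", "value"), ("connectionStrings", "connectionString")):
        for sec in root.iter(section):
            for add in sec.iter("add"):
                if SECRET_KEYWORD.search(add.get(attr, "")):
                    name = add.get("key") or add.get("name")
                    findings.append(("%s/%s" % (section, name),
                                     "connection string embeds a login password"))
    return findings

if __name__ == "__main__":
    for location, finding in audit_web_config(SAMPLE_WEB_CONFIG):
        print("%-22s %s" % (location, finding))
```

The ReportDb entry is not reported because it uses integrated security, and an identity element with impersonate="true" but no userName/password is not reported either, since in both cases no account secret sits in the file.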


