identity impersonation definition in web.config

[Saqib Ali]

I have some security concerns over storing a Active Directory username/
passwd in a text based web.config file for the identity impersonation
definition.

I know that web.conf is not accessible via the web browser, however
someone with account on the server can get to the file and steal the
credentials.

Is there a way to hash the username/password for identity
impersonation definition, or define it elsewhere where it is not
accessible to the server administrator/operators?

Thanks
saqib
http://www.full-disk-encryption.net

 

[bruce barker]

yes. see aspnet_regiis.exe utility. also if you use iis 6.0 you can use
an application pool instead of specifying the impersonation in web.config.

-- bruce (sqlwork.com)

 

[Guest]

You can encrypt certain web.config sections with RSA and other protocols.
I doubt the <identity--> element is one of them, but you could certainly
store the information in an encryptable one provided you can figure out a way
to set the credentials of your app programatically using this info.

If anybody with "an account" on the server could cause you so much grief,
maybe its time to review your whole security paradigm.
Peter

 

[Timothy Paul Narron]

If you are using .Net 2.0 you can in fact encrypt the username and password
but you have to keep in mind it would still get decrypted to be used. Any
text in memory can actually be seen by other code if code security is not
carefully planned. All text ends up in memory so unencrypting it is
superficial. I'd make sure my file security prevents access to that web
config file.

If you are concerned about saving the password in the config file you may
actually have a much bigger problem. No one should have access to that file
in production other than an administrator.

What I sometimes prefer to do is have an administrator actually use what is
know as cached credentials and manually enter the account information that
the application will run under. The operating system will actually use
operating system level encryption to store the credentials.

You'll have to hunt down the exact admin steps to set that up becuase it
depends on your situation.

Hope it helps,
Timothy Paul Narron

 

[Joseph I. Ceasar]

I am a bit new to this whole process. Where can I find more info about the
identity impersonation. I know how to set it up (heck, I have to set it up.
otherwise when I publish my site it won't work).

My question is, why do I have to do this to begin with?

If I remember correctly, I did not have to do it until I went ahead and
encrypted the web.config file. At that point the published site did not
work anymore, unless I impersonated a user, even though I unencrypted the
web.config file