identity impersonation definition in web.config

Discussion in 'ASP .Net Security' started by Saqib Ali, Feb 1, 2007.

  1. Saqib Ali

    Saqib Ali Guest

    I have some security concerns over storing an Active Directory username/
    passwd in a text based web.config file for the identity impersonation
    definition.

    I know that web.config is not accessible via the web browser, however
    someone with an account on the server can get to the file and steal the
    credentials.

    Is there a way to hash the username/password for identity
    impersonation definition, or define it elsewhere where it is not
    accessible to the server administrator/operators?

    Thanks
    saqib
    http://www.full-disk-encryption.net
    Saqib Ali, Feb 1, 2007
    #1

  2. bruce barker

    bruce barker Guest

    Yes. See the aspnet_regiis.exe utility. Also, if you use IIS 6.0 you can use
    an application pool instead of specifying the impersonation in web.config.

    -- bruce (sqlwork.com)

    bruce barker, Feb 1, 2007
    #2
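The approach bruce barker points to, as an added example that is not part of the original thread: a PowerShell check that reports whether a web.config still carries a plaintext `<identity>` password, followed by the `aspnet_regiis.exe` commands that encrypt the section. `Test-IdentitySection`, the `/MyApp` path and the sample account and cipher values are assumptions constructed for illustration.

```powershell
# Added example (not from the thread). Test-IdentitySection is a hypothetical helper.
function Test-IdentitySection {
    param([Parameter(Mandatory = $true)][xml]$Config)

    # local-name() keeps the query working when <configuration> declares an xmlns;
    # '//' also reaches <identity> elements nested under <location path="...">.
    $xpath = "//*[local-name()='system.web']/*[local-name()='identity']"
    foreach ($node in $Config.SelectNodes($xpath)) {
        $scope = $node.ParentNode.ParentNode
        $path  = '(root)'
        if ($scope.LocalName -eq 'location') { $path = $scope.GetAttribute('path') }

        # aspnet_regiis -pe replaces the element's attributes with a
        # configProtectionProvider attribute and an <EncryptedData> child.
        if ($node.HasAttribute('configProtectionProvider')) {
            $state = 'encrypted'
        } elseif ($node.HasAttribute('password')) {
            $state = 'plaintext-password'
        } else {
            $state = 'no-stored-credentials'
        }
        [pscustomobject]@{ Location = $path; State = $state }
    }
}

# Constructed samples: the account name and cipher text are placeholders.
$before = '<configuration><system.web>' +
          '<identity impersonate="true" userName="EXAMPLE\svc-web" password="constructed-sample" />' +
          '</system.web></configuration>'
$after  = '<configuration><system.web>' +
          '<identity configProtectionProvider="DataProtectionConfigurationProvider">' +
          '<EncryptedData><CipherData><CipherValue>CONSTRUCTED</CipherValue></CipherData></EncryptedData>' +
          '</identity></system.web></configuration>'

Test-IdentitySection -Config $before
Test-IdentitySection -Config $after

# To move a real site from the first state to the second, run elevated on the
# web server ('/MyApp' is a placeholder for the application's virtual path):
#   $regiis = "$env:WINDIR\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe"
#   & $regiis -pe 'system.web/identity' -app '/MyApp' -prov 'DataProtectionConfigurationProvider'
#   & $regiis -pd 'system.web/identity' -app '/MyApp'   # reverses the encryption
```

Protected configuration keeps the password out of plain text on disk and in backups; an administrator on the server can still run `-pd` to decrypt it.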

  3. You can encrypt certain web.config sections with RSA and other protocols.
    I doubt the <identity> element is one of them, but you could certainly
    store the information in an encryptable one provided you can figure out a way
    to set the credentials of your app programmatically using this info.

    If anybody with "an account" on the server could cause you so much grief,
    maybe it's time to review your whole security paradigm.
    Peter

    --
    Site: http://www.eggheadcafe.com
    UnBlog: http://petesbloggerama.blogspot.com
    Short urls & more: http://ittyurl.net

    Peter Bromberg [C# MVP], Feb 1, 2007
    #3
  4. If you are using .Net 2.0 you can in fact encrypt the username and password
    but you have to keep in mind it would still get decrypted to be used. Any
    text in memory can actually be seen by other code if code security is not
    carefully planned. All text ends up in memory so unencrypting it is
    superficial. I'd make sure my file security prevents access to that web
    config file.

    If you are concerned about saving the password in the config file you may
    actually have a much bigger problem. No one should have access to that file
    in production other than an administrator.

    What I sometimes prefer to do is have an administrator actually use what is
    known as cached credentials and manually enter the account information that
    the application will run under. The operating system will actually use
    operating system level encryption to store the credentials.

    You'll have to hunt down the exact admin steps to set that up because it
    depends on your situation.

    Hope it helps,
    Timothy Paul Narron

    Timothy Paul Narron, Feb 1, 2007
    #4
  5. I am a bit new to this whole process. Where can I find more info about the
    identity impersonation? I know how to set it up (heck, I have to set it up;
    otherwise when I publish my site it won't work).

    My question is, why do I have to do this to begin with?

    If I remember correctly, I did not have to do it until I went ahead and
    encrypted the web.config file. At that point the published site did not
    work anymore, unless I impersonated a user, even though I unencrypted the
    web.config file.

    Joseph I. Ceasar, Mar 6, 2007
    #5