SQL Membership Provider - should this be encrypted in web.config

Discussion in 'ASP .Net' started by JimLad, Dec 15, 2009.

  1. JimLad

    JimLad Guest

    Hi,

    I haven't seen anything anywhere suggesting this section should be
    encrypted, but it looks to be like a prime hacking location (set
    passwords to cleartext, set unlimited retries etc...)

    Should this section be encrypted in addition to impersonation and
    connectionstrings sections?

    Any other sections that should be encrypted?

    Cheers,

    James
     
    JimLad, Dec 15, 2009
    #1

  2. JimLad <> wrote in news:5558498d-fc26-4221-8031-
    :

    > I haven't seen anything anywhere suggesting this section should be
    > encrypted, but it looks to be like a prime hacking location (set
    > passwords to cleartext, set unlimited retries etc...)


    Connection strings which contain passwords? I am with Mark on this one.

    Other sections? No. It just adds weight to the app with no discernable
    safety increase. A hacker knows the web connection string name is
    MySiteConnectionString? So what?

    I would suggest that you not name the string LocalSqlServer if the SQL
    Server is really local, as they will try to hack there. Also don't use
    the alias ServerNameConnectionString, where ServerName is the actual
    name of the server, as that gives a hacker the name of a server in your
    network that contains data.

    If I saw ZeusConnectionString for an app named MotorcycleSales, I would
    assume you have servers named after Greek Gods, with Zeus as your
    database server. If I am in the network, I then search for Zeus on port
    1433 and see if you have password, p@ssword, blank, etc. as the sa
    password.

    Perhaps encryption is useful if you name things where you reveal the
    nature of the environment, but don't do that and it really does not add
    that much, as the hacker is already in your network if he is reading the
    config.

    App Settings is another thing, as you often reveal secrets about the app
    in app settings. Protect them. Conn strings, definitely, esp. if you use
    Windows Authentication. They have WAAAY too much info to be left open.

    Realistically, however, if the hacker has the .config, he owns the web
    server.

    Peace and Grace,

    --
    Gregory A. Beamer (MVP)

    Twitter: @gbworld
    Blog: http://gregorybeamer.spaces.live.com

    *******************************************
    | Think outside the box! |
    *******************************************
     
    Gregory A. Beamer, Dec 15, 2009
    #2
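    An added example, not code from this thread or from any of its posters: a small
    audit that reads the site's web.config and flags the membership settings the
    original poster was worried about, then protects the connectionStrings and
    appSettings sections that the reply says to keep out of the clear. It assumes it
    runs on the web server as an account that can read and rewrite the config, and
    that the application's virtual path is "/".

```csharp
// Added audit example (assumptions: runs on the web server, app virtual path is "/").
// Requires references to System.Configuration and System.Web.
using System;
using System.Configuration;
using System.Web.Configuration;

static class WebConfigAudit
{
    static void Main()
    {
        Configuration cfg = WebConfigurationManager.OpenWebConfiguration("/");

        // Membership provider attributes an attacker could weaken: clear/encrypted
        // password storage, password retrieval, and unbounded lockout thresholds.
        var membership = (MembershipSection)cfg.GetSection("system.web/membership");
        foreach (ProviderSettings p in membership.Providers)
        {
            string fmt = p.Parameters["passwordFormat"] ?? "Hashed"; // Hashed is the default
            if (!fmt.Equals("Hashed", StringComparison.OrdinalIgnoreCase))
                Console.WriteLine("WARN {0}: passwordFormat={1} (expected Hashed)", p.Name, fmt);

            if (string.Equals(p.Parameters["enablePasswordRetrieval"], "true",
                              StringComparison.OrdinalIgnoreCase))
                Console.WriteLine("WARN {0}: enablePasswordRetrieval=true", p.Name);

            int attempts;
            if (int.TryParse(p.Parameters["maxInvalidPasswordAttempts"], out attempts) && attempts > 10)
                Console.WriteLine("WARN {0}: maxInvalidPasswordAttempts={1} (default is 5)", p.Name, attempts);
        }

        // Sections the reply says to protect. DPAPI machine-level protection ties the
        // config to this server: code running on the same machine can still decrypt it,
        // which is exactly the "if he has the .config he owns the server" caveat above.
        foreach (string name in new[] { "connectionStrings", "appSettings" })
        {
            ConfigurationSection s = cfg.GetSection(name);
            if (s == null) continue;
            if (s.SectionInformation.IsProtected)
            {
                Console.WriteLine("OK   {0} already protected", name);
                continue;
            }
            Console.WriteLine("WARN {0} is in cleartext; protecting it", name);
            s.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");
        }
        cfg.Save(ConfigurationSaveMode.Modified);
    }
}
```

    The same protection can be applied from the command line with
    aspnet_regiis -pe "connectionStrings" -app "/" (and -pd to reverse it); the
    programmatic form is used here so the check and the fix live in one place.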

  3. JimLad

    JimLad Guest

    On 15 Dec 2009, 21:52, "Gregory A. Beamer"
    <> wrote:
    > JimLad <> wrote in news:5558498d-fc26-4221-8031-
    > :
    >
    > > I haven't seen anything anywhere suggesting this section should be
    > > encrypted, but it looks to be like a prime hacking location (set
    > > passwords to cleartext, set unlimited retries etc...)

    >
    > Connection strings which contain passwords? I am with Mark on this one.
    >
    > Other sections? No. It just adds weight to the app with no discernable
    > safety increase. A hacker knows the web connection string name is
    > MySiteConnectionString? So what?
    >
    > I would suggest that you not name the string LocalSqlServer if the SQL
    > Server is really local, as they will try to hack there. Also don't use
    > the alias ServerNameConnectionString, where ServerName is the actual
    > name of the server, as that gives a hacker the name of a server in your
    > network that contains data.
    >
    > If I saw ZeusConnectionString for an app named MotorcycleSales, I would
    > assume you have servers named after Greek Gods, with Zeus as your
    > database server. If I am in the network, I then search for Zeus on port
    > 1433 and see if you have password, p@ssword, blank, etc. as the sa
    > password.
    >
    > Perhaps encryption is useful if you name things where you reveal the
    > nature of the environment, but don't do that and it really does not add
    > that much, as the hacker is already in your network if he is reading the
    > config.
    >
    > App Settings is another thing, as you often reveal secrets about the app
    > in app settings. Protect them. Conn strings, definitely, esp. if you use
    > Windows Authentication. They have WAAAY too much info to be left open.
    >
    > Realistically, however, if the hacker has the .config, he owns the web
    > server.
    >
    > Peace and Grace,
    >
    > --
    > Gregory A. Beamer (MVP)
    >
    > Twitter: @gbworld
    > Blog: http://gregorybeamer.spaces.live.com
    >
    > *******************************************
    > |      Think outside the box!             |
    > *******************************************


    Thanks all!

    James
     
    JimLad, Jan 20, 2010
    #3
