web.config location

mike

Is it possible to move the web.config out of the application folder? I
would like it off somewhere out of the web directory.
 
Curt_C [MVP]

No.
It MUST be in the root of the site/vd.
You can have more of them in subsequent folders to override settings though.
Why though? Why move it out of the site? It's not accessible from the
outside.
 
mike

Part of the client's requirement is that all config files must be located
outside of the web directory.

DoD and government orgs seem to not like configuration files anywhere near
the virtual directory for security reasons.

You would have thought that MS would have allowed you to specify a path to
where that is....

I am at a loss as to what to do now... I have a lot of things that use the
web.config.
 
Curt_C [MVP]

Just don't put anything in the web.config of value. Move it up to the
machine.config (of course it will run in all sites) or put the info into
another file type and manually do your processing. It will be a nightmare
though.

--
Curt Christianson
Owner/Lead Developer, DF-Software
Site: http://www.Darkfalz.com
Blog: http://blog.Darkfalz.com
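
One way to do what Curt suggests above ("put the info into another file type and manually do your processing"), as an added example that is not from the thread: a small C# loader that reads key/value settings from an XML file kept outside the web directory and refuses any path that resolves inside it. The file format, folder names and key name are assumptions made for illustration; in an ASP.NET application the web root would come from `HttpRuntime.AppDomainAppPath`.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Xml;

// Added example. File layout, element names and keys are hypothetical.
public static class ExternalSettings
{
    // True when 'path' resolves to a location inside the directory 'root'.
    public static bool IsUnder(string path, string root)
    {
        string fullRoot = Path.GetFullPath(root).TrimEnd(Path.DirectorySeparatorChar)
                          + Path.DirectorySeparatorChar;
        return Path.GetFullPath(path).StartsWith(fullRoot, StringComparison.OrdinalIgnoreCase);
    }

    // Reads <settings><add key=".." value=".."/></settings> into a dictionary.
    public static Dictionary<string, string> Load(string settingsPath, string webRoot)
    {
        // Enforce the "no config in the web directory" rule in code.
        if (IsUnder(settingsPath, webRoot))
            throw new InvalidOperationException("Settings file is inside the web directory.");

        XmlDocument doc = new XmlDocument();
        doc.XmlResolver = null; // do not fetch external DTDs or entities
        doc.Load(settingsPath);

        var settings = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
        foreach (XmlElement add in doc.SelectNodes("/settings/add"))
        {
            if (!add.HasAttribute("key") || !add.HasAttribute("value"))
                throw new FormatException("Each <add> needs key and value attributes.");
            settings[add.GetAttribute("key")] = add.GetAttribute("value");
        }
        return settings;
    }

    public static void Main()
    {
        // Constructed sample: a web root and a sibling config folder under the temp path.
        string baseDir = Path.Combine(Path.GetTempPath(), "extcfg-demo");
        string webRoot = Directory.CreateDirectory(Path.Combine(baseDir, "wwwroot")).FullName;
        string cfgDir = Directory.CreateDirectory(Path.Combine(baseDir, "config")).FullName;
        string cfgFile = Path.Combine(cfgDir, "app.settings.xml");
        File.WriteAllText(cfgFile,
            "<settings><add key=\"ReportTitle\" value=\"Sample\"/></settings>");

        Console.WriteLine(Load(cfgFile, webRoot)["ReportTitle"]);
    }
}
```

The external file still needs NTFS permissions that limit read access to the application's worker-process identity, since moving it out of the web directory does not by itself restrict who can open it.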
 
mike

fan-freaking-tastic - as you can tell I am excited by the notion of
stripping all that stuff out....

Thanks for your help....
 
William F. Robertson, Jr.

Does the government agency understand that it is hard coded into IIS not to
serve web.config files, ever, never, forever?

bill

(or at least that is the tout by Microsoft)
 
mike

Well, that appears to be something that we will have to explore - petition to
have it be allowed, but that would only get us for the specific .NET
functionality. Application stuff would still need to be sent off to another
config file...

I would think they would have to know since they will be hosting this site.
BUT I just think they are being difficult right now...

The other thing is that in certain places, Microsoft has said that the
web.config is not entirely secure because connection strings, assembly
information and such can be put in there. As soon as a gov't agency sees
"not secure" they say no, no matter what the reasoning or information is
behind that claim.
 
Curt_C [MVP]

But in that rationale NOTHING is secure. Since the web.config is text it has
a security risk, but the thing is they would need file level access to the
server, which, if they have, the contents of the web.config are irrelevant
anyway since they can already do/see what they want regardless of where it
is.

--
Curt Christianson
Owner/Lead Developer, DF-Software
Site: http://www.Darkfalz.com
Blog: http://blog.Darkfalz.com
 
mike

I agree - I see the web.config as a safe mechanism for storing data - I
would feel safer if registry keys are used for configuration strings and
maybe a few other things. But if there is a guarantee that the config
cannot be served and it has file level security against it being viewed by
just anyone, I don't think that you can offer any more security - I believe
the security policy for gov't apps just has not evolved to the .NET
application and we are struggling with that transition period....
 
mike

That is another thing that we have to do as part of the requirements. All
configuration files must be encrypted, so I am guessing the web.config would
be no exception.

Thanks again for the responses!
 
