web.config security

Discussion in 'ASP .Net Security' started by 7777, Jul 15, 2009.

  1. 7777

    7777 Guest

    Hello, other than a db connection string being in the 'web.config' file, are
    there any other configuration settings within this file to be cautious as a
    security risk? Thanks in advance.
     
    7777, Jul 15, 2009
    #1

  2. Hi 7777,

    Normally the answer is NO. However, it all depends on the developers. You
    can store very critical information using appSettings, etc. No one can
    guarantee you that there cannot be any other critical information inside
    web.config. Smtp settings might also be considered as critical if you set
    any kind of SMTP authentication criteria within the web.config file.


    --
    Coskun Sunali
    Microsoft MVP - ASP.NET
    http://sunali.com
    http://propeople.dk

    "7777" <> wrote in message
    news:...
    > Hello, other than a db connection string being in the 'web.config' file,
    > are there any other configuration settings within this file to be cautious
    > as a security risk? Thanks in advance.
    >
     
    Coskun Sunali [MVP], Jul 23, 2009
    #2

  3. 7777

    7777 Guest

    Thanks for your reply Coskun, much appreciated. So sorry for the delay as
    much going on. Have another question in that what is the best security
    practice for asp.net apps which includes its web.config file in that is it
    ok to place all of these app's files in the
    'c:\Inetpub\wwwroot\ASPNET_TestApplicationFolder\' location as an
    example?...or is it better to place the folder and files elsewhere?...should
    it be encrypted?



    "Coskun Sunali [MVP]" <> wrote in message
    news:...
    > Hi 7777,
    >
    > Normally the answer is NO. However, it all depends on the developers. You
    > can store very critical information using appSettings, etc. No one can
    > guarantee you that there cannot be any other critical information inside
    > web.config. Smtp settings might also be considered as critical if you set
    > any kind of SMTP authentication criteria within the web.config file.
    >
    >
    > --
    > Coskun Sunali
    > Microsoft MVP - ASP.NET
    > http://sunali.com
    > http://propeople.dk
    >
    > "7777" <> wrote in message
    > news:...
    >> Hello, other than a db connection string being in the 'web.config' file,
    >> are there any other configuration settings within this file to be
    >> cautious as a security risk? Thanks in advance.
    >>
     
    7777, Sep 2, 2009
    #3
  4. On Sep 2, 2:41 am, "7777" <> wrote:
    > Thanks for your reply Coskun, much appreciated. So sorry for the delay as
    > much going on. Have another question in that what is the best security
    > practice for asp.net apps which includes its web.config file in that is it
    > ok to place all of these app's files in the
    > 'c:\Inetpub\wwwroot\ASPNET_TestApplicationFolder\' location as an
    > example?...or is it better to place the folder and files elsewhere?...should
    > it be encrypted?
    >
    > "Coskun Sunali [MVP]" <> wrote in message news:...
    >
    >
    >
    > > Hi 7777,

    >
    > > Normally the answer is NO. However, it all depends on the developers. You
    > > can store very critical information using appSettings, etc. No one can
    > > guarantee you that there cannot be any other critical information inside
    > > web.config. Smtp settings might also be considered as critical if you set
    > > any kind of SMTP authentication criteria within the web.config file.

    >
    > > --
    > > Coskun Sunali
    > > Microsoft MVP - ASP.NET
    > > http://sunali.com
    > > http://propeople.dk

    >
    > > "7777" <> wrote in message
    > > news:...
    > >> Hello, other than a db connection string being in the 'web.config' file,
    > >> are there any other configuration settings within this file to be
    > >> cautious as a security risk? Thanks in advance.



    How do you want to encrypt the entire folder? Proper Windows
    security must be applied to the folder where the website is located. Look
    for "iis security" on Microsoft's site. There are many articles about
    this topic.
     
    Alexey Smirnov, Sep 4, 2009
    #4
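
An added example, not code from any poster in this thread: a small audit of a web.config for the places reply #2 names (connection strings, appSettings, SMTP authentication), skipping sections already encrypted with ASP.NET protected configuration, which is relevant to the encryption question in post #3. The sample file is constructed, and the key-name pattern is a heuristic chosen here as an assumption.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample web.config; hosts, names and values are placeholders.
SAMPLE = """<configuration>
  <connectionStrings>
    <add name="Main" connectionString="Server=db01;User Id=web;Password=EXAMPLE" />
    <add name="Reports" connectionString="Server=db01;Integrated Security=SSPI" />
  </connectionStrings>
  <appSettings>
    <add key="PageSize" value="25" />
    <add key="PaymentApiKey" value="EXAMPLE" />
  </appSettings>
  <system.net><mailSettings><smtp from="noreply@example.test">
    <network host="mail.example.test" userName="mailer" password="EXAMPLE" />
  </smtp></mailSettings></system.net>
</configuration>"""

SECRET_NAME = re.compile(r"pass|pwd|secret|token|key", re.I)  # heuristic, assumed
CONN_CRED = re.compile(r"(password|pwd)\s*=", re.I)

def is_protected(section):
    # Sections encrypted with protected configuration carry this attribute.
    return "configProtectionProvider" in section.attrib

def audit(xml_text):
    """Return (location, reason) pairs for credentials stored in cleartext."""
    findings, root = [], ET.fromstring(xml_text)
    for cs in root.iter("connectionStrings"):
        if not is_protected(cs):
            for add in cs.findall("add"):
                if CONN_CRED.search(add.get("connectionString", "")):
                    findings.append(("connectionStrings/" + add.get("name", "?"),
                                     "password in connection string"))
    for app in root.iter("appSettings"):
        if not is_protected(app):
            for add in app.findall("add"):
                if SECRET_NAME.search(add.get("key", "")) and add.get("value"):
                    findings.append(("appSettings/" + add.get("key"),
                                     "secret-looking key name"))
    for smtp in root.iter("smtp"):
        if not is_protected(smtp):
            for net in smtp.findall("network"):
                if net.get("password"):
                    findings.append(("mailSettings/smtp/network", "SMTP password"))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

The Reports entry is not flagged because it uses integrated security and carries no password; a name-based match on appSettings keys can produce false positives and should be reviewed by hand.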