Write access to web.config

Dominick Baier

in short : don't do it

or..

it is not a good choice to modify web.config because

- you're opening up to all kinds of other security issues if your worker process has write access to web.config (that's a defense in depth measure) - then you have to be VERY sure that the rest of your app is based on rock-solid code

- your asp.net app will restart every time you modify web.config

if you really want to modify web.config - refactor out that code - package it in a serviced component (COM+) and give this component a separate identity which is allowed to modify web.config -

but my suggestion would be :

there is an event in the http pipeline of asp.net that's specifically made for this purpose - AuthorizeRequest - there you can plug in your code to programmatically decide who is authorized or not (from an alternate data store like an xml file or db)

don't mess with web.config (and its dacls) !



---
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

nntp://news.microsoft.com/microsoft.public.dotnet.framework.aspnet.security/<[email protected]>

What are the security risks to grant ASP.NET user write access to web.config?
I am working on a project in which I am required to update web.config at the
runtime, basically modifying access to different directories.

Any suggestion will be greatly appreciated.

Thanks

[microsoft.public.dotnet.framework.aspnet.security]
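
An added example, not part of the original posts, of the AuthorizeRequest approach suggested in the reply: an HTTP module that takes per-directory role rules from a separate XML file, so the worker process needs only read access to that file and never write access to web.config. The class name, the file `~/App_Data/access-rules.xml` and its rule format are assumptions made for the illustration, and the code assumes a framework version that has `App_Data` and `System.Xml.Linq`.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Caching;
using System.Xml.Linq;

// Hypothetical module. Constructed rule file format:
//   <rules><rule path="~/reports/" roles="Managers,Auditors" /></rules>
public sealed class XmlAuthorizationModule : IHttpModule
{
    private const string CacheKey = "XmlAuthorizationModule.Rules";

    public void Init(HttpApplication app) { app.AuthorizeRequest += OnAuthorizeRequest; }
    public void Dispose() { }

    private static void OnAuthorizeRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        string path = ctx.Request.AppRelativeCurrentExecutionFilePath; // e.g. "~/reports/q1.aspx"
        foreach (var rule in LoadRules(ctx))
        {
            if (!path.StartsWith(rule.Key, StringComparison.OrdinalIgnoreCase)) continue;
            if (ctx.User != null && rule.Value.Any(ctx.User.IsInRole)) return; // allowed
            // A rule covers this path and the caller matches none of its roles: deny.
            bool known = ctx.User != null && ctx.User.Identity.IsAuthenticated;
            ctx.Response.StatusCode = known ? 403 : 401;
            ctx.ApplicationInstance.CompleteRequest();
            return;
        }
        // No rule covers this path: leave the decision to the other modules.
    }

    private static KeyValuePair<string, string[]>[] LoadRules(HttpContext ctx)
    {
        var rules = (KeyValuePair<string, string[]>[])HttpRuntime.Cache[CacheKey];
        if (rules != null) return rules;
        string file = ctx.Server.MapPath("~/App_Data/access-rules.xml");
        // A malformed rule throws here, so the request fails instead of being let through.
        rules = XDocument.Load(file).Root.Elements("rule")
            .Select(r => new KeyValuePair<string, string[]>(
                (string)r.Attribute("path"),
                ((string)r.Attribute("roles")).Split(',').Select(s => s.Trim()).ToArray()))
            .OrderByDescending(r => r.Key.Length) // most specific prefix wins
            .ToArray();
        // The cache entry is dropped when the file changes, so edits apply on the next request.
        HttpRuntime.Cache.Insert(CacheKey, rules, new CacheDependency(file));
        return rules;
    }
}
```

The module is registered once in web.config under `<httpModules>` (or `<system.webServer>/<modules>` in IIS integrated mode); after that, access changes are edits to the rule file only.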
 
