Write access to web.config

Discussion in 'ASP .Net Security' started by Dominick Baier, Dec 24, 2004.

  1. in short : don't do it

    or..

    it is not a good choice to modify web.config because

    - your opening up to all kind of other security issues if your worker process has write access to web.config (thats a defense in depth measure) - then you have to be VERY shure that the rest of your app is based on rock-solid code

    - your asp.net app will restart everytime you modify web.config

    if you really want to modify web.config - refactor out that code - package it in a serviced component (com+) and give this component a seperate identity which is allowed to modify web.config -

    but my suggestion would be :

    there is an event in the http pipeline of asp.net that's specifically made for this purpose - AuthorizeRequest - there you can plug in your code to programmatically decide who is authorized or not (from an alternate data store like an xml file or db)

    don't mess with web.config (and its dacls) !



    ---
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    nntp://news.microsoft.com/microsoft.public.dotnet.framework.aspnet.security/<>

    What are the security risks to grant ASP.NET user write access to web.config?
    I am working on a project in which I am required to update web.config at the
    runtime, basically modifying access to different directories.

    Any suggestion will be greatly appreciated.

    Thanks

    [microsoft.public.dotnet.framework.aspnet.security]
    Dominick Baier, Dec 24, 2004
    #1
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. KQ
    Replies:
    1
    Views:
    450
  2. Benny Ng
    Replies:
    9
    Views:
    9,939
    Benny Ng
    Oct 13, 2005
  3. CSharpner
    Replies:
    0
    Views:
    1,012
    CSharpner
    Apr 9, 2007
  4. Asim

    Write access to web.config

    Asim, Dec 23, 2004, in forum: ASP .Net Security
    Replies:
    2
    Views:
    166
    Patrick Olurotimi Ige
    Dec 28, 2004
  5. Tim Chase
    Replies:
    0
    Views:
    88
    Tim Chase
    Dec 16, 2013
Loading...

Share This Page