
web.config security

I have a web.config file that contains the connection string to a SQL Server 2005 database using SQL Server authentication, and therefore contains the username and password stored in the web.config XML file.

The web.config is in the root of my website. Is this secure? I have a folder one level up called 'private' where stuff like Access databases reside. Should the web.config be stored in there? And if so, how do I tell my aspx pages it has moved?

Advice required, please.
Asked by Swn-Y-Mor
2 Solutions
TMarkham1 commented:
It's "pseudo-secure", meaning that it doesn't get served by the server.

Your best bet, however, is to encrypt the configuration section.

http://msdn.microsoft.com/en-us/library/89211k9b(VS.80).aspx

RobertNZana commented:
Yes, it's safe. As long as the config file type doesn't get served up, you are fine. :)

Omego2K commented:
It's secure as long as nobody who shouldn't have access to that web.config file has access to it. Otherwise you may want to encrypt it. Here is an example:

http://msdn.microsoft.com/en-us/library/dtkwfdky.aspx

Although anybody with access to the web.config can use the key to decrypt it; even if you hard-code it, anybody with access to the source can do this. Even obfuscated assemblies, if they had the time.

The web.config needs to be in the root of the application. You can create your own config files outside the application and manually load/use them. However, the web application won't automatically use them. Where you keep the web site is up to you. My suggestion is to keep it somewhere where people don't have easy access to it.

All in all, if people have access to the web.config, there is a high possibility of them getting that connection string. So you should be more worried about people seeing it than about people being able to interpret it.
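Both TMarkham1's and Omego2K's answers point at the MSDN walkthrough for protected configuration. As an added example that is not part of the original thread, the PowerShell script below does the same thing the walkthrough describes: it encrypts the connectionStrings section in place with aspnet_regiis.exe and then checks that the plaintext password is actually gone from the file. The site's physical path (C:\inetpub\wwwroot\MySite), the .NET Framework 2.0 directory (the version that goes with VS 2005 / SQL Server 2005) and the DataProtectionConfigurationProvider choice are assumptions; the aspnet_regiis switches (-pef, -pdf, -prov) are the tool's own.

```powershell
# Added example, not from the original thread: encrypt <connectionStrings> in a
# web.config with aspnet_regiis.exe and verify the result.
# Assumed (hypothetical) physical path of the website:
$siteRoot  = 'C:\inetpub\wwwroot\MySite'
$webConfig = Join-Path $siteRoot 'web.config'

# aspnet_regiis.exe is not on PATH; it lives in the framework directory.
# Assumes .NET Framework 2.0 (v2.0.50727); adjust for the version the site runs on.
$aspnetRegiis = Join-Path $env:windir 'Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe'
if (-not (Test-Path $aspnetRegiis)) { throw "aspnet_regiis.exe not found at $aspnetRegiis" }

# Before: the connection strings are stored in clear text and readable as plain XML.
$before = [xml](Get-Content $webConfig)
$before.configuration.connectionStrings.add | ForEach-Object {
    "before: $($_.name) = $($_.connectionString)"
}

# -pef encrypts a named section by the site's physical directory (-pe/-app would
# use the IIS virtual path instead). DataProtectionConfigurationProvider uses
# Windows DPAPI with the machine key, so the encrypted file can only be decrypted
# on this server; for a web farm use RsaProtectedConfigurationProvider with an
# exported key container instead.
& $aspnetRegiis -pef 'connectionStrings' $siteRoot -prov 'DataProtectionConfigurationProvider'
if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis failed with exit code $LASTEXITCODE" }

# After: the section must now carry configProtectionProvider and an EncryptedData
# element, and the raw file must no longer contain the password text.
$after   = [xml](Get-Content $webConfig)
$section = $after.configuration.connectionStrings
if ($section.configProtectionProvider -ne 'DataProtectionConfigurationProvider' -or
    -not $section.EncryptedData) {
    throw 'connectionStrings section was not encrypted'
}
if (Select-String -Path $webConfig -Pattern 'Password=' -Quiet) {
    throw 'plaintext password still present in web.config'
}
"connectionStrings is encrypted; ASP.NET decrypts it transparently at run time."

# To change the connection string later: decrypt, edit, then run the -pef line again.
# & $aspnetRegiis -pdf 'connectionStrings' $siteRoot
```

Run this from an elevated prompt on the web server itself, because DPAPI ties the encryption to that machine. Nothing in the aspx pages changes: ConfigurationManager.ConnectionStrings keeps returning the decrypted value, which is also why Omego2K's last point still holds, since anyone who can run code on that server, or copy the file and the machine's DPAPI keys, can read the string.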
Swn-Y-Mor (Author) commented:
Thanks so far. I'm not an experienced developer and so I will have to take some time to read your suggestions.

In the meantime ...

The web.config is in the root of my website. I have a folder one level up called 'private' - can I not move the web.config file into that so no one can get to it?

Maheshwar R (Software Developer) commented:
No. If you move it, it will give an error. Don't worry: when you publish the website, the web.config file is encrypted and no one can see your connection string defined there.

Swn-Y-Mor (Author) commented:
OK, thanks for that, omaheshwar.

I have read the links suggested above and I can see how encryption would ease my concerns.

Does anyone know of a step-by-step 'Connection string encryption for Dummies' tutorial, or would someone be prepared to write a step-by-step guide for me? I am a graphics designer who drags and drops in VS 2005 but definitely not a coder :-(

Omego2K commented:
The one I posted is step by step.

TMarkham1 commented:
...as was the one I posted (original reply on this thread). Don't let the plethora of information in the document intimidate you. It's really a pretty simple process to encrypt the config sections.