#1: IIS ASP.NET configuration

Posted on 2008-04-01 07:31:28 by Ricky Chan

I just found that we can see the database connection string in plain text
via the IIS ASP.NET configuration even though the connection string is
encrypted in the web.config file. Is this a security hole?


#2: Re: IIS ASP.NET configuration

Posted on 2008-04-01 15:11:05 by David Wang

On Mar 31, 10:31 pm, "Ricky Chan" <ricky.chan.n...@live.com> wrote:
> I just found that we can see the database connection string in plain text
> via the IIS ASP.NET configuration even though the connection string is
> encrypted in the web.config file. Is this a security hole?


No, it is not a security hole.

web.config encryption is meant as a defense against someone stealing
the web.config file.

The encryption is not meant as a way to secure a string such that only
IIS can read it and bypassing the application layer in the middle.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
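The boundary David describes can be checked directly. The following console program is an added example, not code from the thread or from Microsoft: it protects the connectionStrings section with the DPAPI provider that ships with .NET, confirms that the file on disk now holds only EncryptedData, and then reads the same section back through System.Configuration, which returns the plaintext transparently. It assumes an App.config with a connection string named "MyDb" whose value contains "Initial Catalog" (both assumed names); in a web application the same calls go through WebConfigurationManager.OpenWebConfiguration instead.

```csharp
// Added example (not from the thread): protected configuration encrypts the
// section on disk, but any caller that reads the section through the
// configuration API (the application, aspnet_regiis, the IIS configuration
// UI) gets the plaintext back. The encryption defends the file at rest, not
// against principals who can already run code or tooling on the host.
// Assumes a console app referencing System.Configuration with an App.config
// holding <connectionStrings> entry "MyDb" (assumed name).
using System;
using System.Configuration;
using System.IO;

class ProtectedConfigDemo
{
    // Provider shipped with .NET; its keys live in Windows DPAPI on this machine.
    const string Provider = "DataProtectionConfigurationProvider";

    static void Main()
    {
        Configuration config =
            ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
        ConfigurationSection section = config.GetSection("connectionStrings");

        if (!section.SectionInformation.IsProtected)
        {
            // Same effect as: aspnet_regiis -pef "connectionStrings" <app dir>
            section.SectionInformation.ProtectSection(Provider);
            config.Save(ConfigurationSaveMode.Modified);
        }

        // On disk the section now contains <EncryptedData>, not the string.
        string raw = File.ReadAllText(config.FilePath);
        Console.WriteLine("File contains EncryptedData: " + raw.Contains("EncryptedData"));
        // "Initial Catalog" is assumed to be part of the original connection string.
        Console.WriteLine("File contains plaintext:     " + raw.Contains("Initial Catalog"));

        // Reading through the API decrypts transparently: this is the same path
        // the IIS configuration UI and aspnet_regiis -pd use.
        ConfigurationManager.RefreshSection("connectionStrings");
        string cs = ConfigurationManager.ConnectionStrings["MyDb"].ConnectionString;
        Console.WriteLine("Application sees:            " + cs);
    }
}
```

The DPAPI provider decrypts for any account that can run code on that machine with access to the machine key store, which is why an administrator viewing the section in the IIS UI sees plaintext. The RsaProtectedConfigurationProvider lets you restrict the key container's ACL to the application pool identity, which narrows who can decrypt, but a local administrator can still grant themselves access; that is the role conflict the thread turns on.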


#3: Re: IIS ASP.NET configuration

Posted on 2008-04-02 03:23:44 by Ricky Chan

Is there any way to block someone who acts in a system administrator role
but is not allowed to read the configuration in the config file?



"David Wang" <w3.4you@gmail.com> wrote in message
news:75c4be79-0c80-4709-98e3-1b5adad5f4a4@c19g2000prf.googlegroups.com...
> On Mar 31, 10:31 pm, "Ricky Chan" <ricky.chan.n...@live.com> wrote:
>> I just found that we can see the database connection string in plain text
>> via the IIS ASP.NET configuration even though the connection string is
>> encrypted in the web.config file. Is this a security hole?
>
>
> No, it is not a security hole.
>
> web.config encryption is meant as a defense against someone stealing
> the web.config file.
>
> The encryption is not meant as a way to secure a string such that only
> IIS can read it and bypassing the application layer in the middle.
>
>
> //David
> http://w3-4u.blogspot.com
> http://blogs.msdn.com/David.Wang
> //


#4: Re: IIS ASP.NET configuration

Posted on 2008-04-04 10:04:46 by David Wang

Not really. You have conflicting role and behavior expectations. You
will have to reconcile them.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//


On Apr 1, 6:23 pm, "Ricky Chan" <ricky.chan.n...@live.com> wrote:
> Is there any way to block someone who acts in a system administrator role
> but is not allowed to read the configuration in the config file?
>
> "David Wang" <w3.4...@gmail.com> wrote in message
>
> news:75c4be79-0c80-4709-98e3-1b5adad5f4a4@c19g2000prf.googlegroups.com...
>
> > On Mar 31, 10:31 pm, "Ricky Chan" <ricky.chan.n...@live.com> wrote:
> >> I just found that we can see the database connection string in plain text
> >> via the IIS ASP.NET configuration even though the connection string is
> >> encrypted in the web.config file. Is this a security hole?
>
> > No, it is not a security hole.
>
> > web.config encryption is meant as a defense against someone stealing
> > the web.config file.
>
> > The encryption is not meant as a way to secure a string such that only
> > IIS can read it and bypassing the application layer in the middle.
>
> > //David
> >http://w3-4u.blogspot.com
> >http://blogs.msdn.com/David.Wang
> > //
