IIS ASP.NET configuration

on 01.04.2008 07:31:28 by Ricky Chan

I just found that we can see the database connection string in plain text
via the IIS ASP.NET configuration even though the connection string is encrypted in
the web.config file. Is this a security hole?

Re: IIS ASP.NET configuration

on 01.04.2008 15:11:05 by David Wang

On Mar 31, 10:31 pm, "Ricky Chan" wrote:
> I just found that we can see the database connection string in plain text
> via the IIS ASP.NET configuration even though the connection string is encrypted in
> the web.config file. Is this a security hole?


No, it is not a security hole.

web.config encryption is meant as a defense against someone stealing
the web.config file.

The encryption is not meant as a way to secure a string such that only
IIS can read it and bypassing the application layer in the middle.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
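
The behaviour described in the answer above, as an added example that is not part of the original thread: a protected `connectionStrings` section is ciphertext in the file on disk, but the configuration API decrypts it for any caller that can use the provider's key. The virtual path `/MyApp` is a hypothetical placeholder, and the program is assumed to run on the web server itself.

```csharp
// Added illustration; "/MyApp" is a hypothetical virtual path.
// Build against System.Configuration.dll and System.Web.dll and run on the
// web server under an account that can use the protection provider's key.
using System;
using System.Configuration;
using System.IO;
using System.Web.Configuration;

class ProtectedSectionDemo
{
    static void Main()
    {
        Configuration cfg = WebConfigurationManager.OpenWebConfiguration("/MyApp");
        ConnectionStringsSection section =
            (ConnectionStringsSection)cfg.GetSection("connectionStrings");

        // Encrypt the section on disk with the built-in DPAPI provider.
        if (!section.SectionInformation.IsProtected)
        {
            section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");
            section.SectionInformation.ForceSave = true;
            cfg.Save(ConfigurationSaveMode.Modified);
        }

        // At rest: the file holds ciphertext, which is all that someone who
        // copies web.config off the machine obtains.
        string raw = File.ReadAllText(cfg.FilePath);
        Console.WriteLine("File contains <EncryptedData>: {0}",
            raw.Contains("<EncryptedData"));

        // Through the configuration API: the same section is decrypted
        // transparently, which is why an administrative tool on the server
        // displays the plain-text value.
        cfg = WebConfigurationManager.OpenWebConfiguration("/MyApp");
        section = (ConnectionStringsSection)cfg.GetSection("connectionStrings");
        foreach (ConnectionStringSettings cs in section.ConnectionStrings)
        {
            // Report only the name and length so the secret is not echoed.
            Console.WriteLine("{0}: readable via API, {1} chars",
                cs.Name, cs.ConnectionString.Length);
        }
    }
}
```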

Re: IIS ASP.NET configuration

on 02.04.2008 03:23:44 by Ricky Chan

Is there any way to block someone who acts in a system administrator role
but is not allowed to read the configuration in the config file?



"David Wang" wrote in message
news:75c4be79-0c80-4709-98e3-1b5adad5f4a4@c19g2000prf.googlegroups.com...
> On Mar 31, 10:31 pm, "Ricky Chan" wrote:
>> I just found that we can see the database connection string in plain text
>> via the IIS ASP.NET configuration even though the connection string is encrypted
>> in the web.config file. Is this a security hole?
>
>
> No, it is not a security hole.
>
> web.config encryption is meant as a defense against someone stealing
> the web.config file.
>
> The encryption is not meant as a way to secure a string such that only
> IIS can read it and bypassing the application layer in the middle.
>
>
> //David
> http://w3-4u.blogspot.com
> http://blogs.msdn.com/David.Wang
> //

Re: IIS ASP.NET configuration

on 04.04.2008 10:04:46 by David Wang

Not really. You have conflicting role and behavior expectations. You
will have to reconcile them.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//


On Apr 1, 6:23 pm, "Ricky Chan" wrote:
> Is there any way to block someone who acts in a system administrator role
> but is not allowed to read the configuration in the config file?
>
> "David Wang" wrote in message
>
> news:75c4be79-0c80-4709-98e3-1b5adad5f4a4@c19g2000prf.googlegroups.com...
>
> > On Mar 31, 10:31 pm, "Ricky Chan" wrote:
> >> I just found that we can see the database connection string in plain text
> >> via the IIS ASP.NET configuration even though the connection string is encrypted
> >> in the web.config file. Is this a security hole?
>
> > No, it is not a security hole.
>
> > web.config encryption is meant as a defense against someone stealing
> > the web.config file.
>
> > The encryption is not meant as a way to secure a string such that only
> > IIS can read it and bypassing the application layer in the middle.
>
> > //David
> > http://w3-4u.blogspot.com
> > http://blogs.msdn.com/David.Wang
> > //