#1: IIS ASP.NET configuration
Posted on 2008-04-01 07:31:28 by Ricky Chan
I just found that we can see the database connection string in plain text
via the IIS ASP.NET configuration even though the connection string is encrypted in
the web.config file. Is this a security hole?
#2: Re: IIS ASP.NET configuration
Posted on 2008-04-01 15:11:05 by David Wang
On Mar 31, 10:31 pm, "Ricky Chan" <ricky.chan.n...@live.com> wrote:
> I just found that we can see the database connection string in plain text
> via the IIS ASP.NET configuration even the connection string is encrypted in
> web.config file. Is this a security hole?
No, it is not a security hole.
web.config encryption is meant as a defense against someone stealing
the web.config file.
The encryption is not meant as a way to secure a string such that only
IIS can read it and bypassing the application layer in the middle.
//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
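
The boundary described in the reply above can be checked on the server itself. The following PowerShell is an added example, not part of the thread; it assumes Windows PowerShell run as an administrator on Windows Server 2008 or later, the default RSA protected-configuration provider with a machine-level key container, and a placeholder application path `/MyApp`.

```powershell
# Added example, not from the thread. '/MyApp' is a placeholder virtual path.
param([string]$VirtualPath = '/MyApp')

Add-Type -AssemblyName System.Web
Add-Type -AssemblyName System.Configuration

# Open the application's configuration through the .NET configuration API,
# the same layer a management tool goes through.
$config  = [System.Web.Configuration.WebConfigurationManager]::OpenWebConfiguration($VirtualPath)
$section = $config.GetSection('connectionStrings')
$info    = $section.SectionInformation

# 1. State on disk: IsProtected is true when the section is stored encrypted
#    in web.config, which is what protects a copied or stolen file.
$providerName = if ($info.IsProtected) { $info.ProtectionProvider.Name } else { '(none)' }
[pscustomobject]@{
    ConfigFile      = $config.FilePath
    Section         = $info.SectionName
    EncryptedOnDisk = $info.IsProtected
    Provider        = $providerName
}

# 2. State through the API: entries come back already decrypted for any caller
#    that can use the provider's key. Only the names are listed here, not the
#    values. Entries inherited from machine.config appear as well.
$section.ConnectionStrings | ForEach-Object { $_.Name }

# 3. Who can use the key: ACLs on the machine-level RSA key files.
#    Assumption: the provider uses a machine container, stored in this folder.
$keyDir = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
Get-ChildItem -Path $keyDir -File -ErrorAction SilentlyContinue | ForEach-Object {
    $file = $_.Name
    (Get-Acl -Path $_.FullName).Access | ForEach-Object {
        [pscustomobject]@{
            KeyFile  = $file
            Identity = $_.IdentityReference
            Rights   = $_.FileSystemRights
            Type     = $_.AccessControlType
        }
    }
}
```

An identity that appears in step 3 with read access, or that can grant itself that access, gets the plaintext in step 2 regardless of what step 1 reports.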
#3: Re: IIS ASP.NET configuration
Posted on 2008-04-02 03:23:44 by Ricky Chan
Is there any way to block someone who acts in a system administrator role
but is not allowed to read the configuration in the config file?
"David Wang" <w3.4you@gmail.com> wrote in message
news:75c4be79-0c80-4709-98e3-1b5adad5f4a4@c19g2000prf.googlegroups.com...
> On Mar 31, 10:31 pm, "Ricky Chan" <ricky.chan.n...@live.com> wrote:
>> I just found that we can see the database connection string in plain text
>> via the IIS ASP.NET configuration even the connection string is encrypted
>> in
>> web.config file. Is this a security hole?
>
>
> No, it is not a security hole.
>
> web.config encryption is meant as a defense against someone stealing
> the web.config file.
>
> The encryption is not meant as a way to secure a string such that only
> IIS can read it and bypassing the application layer in the middle.
>
>
> //David
> http://w3-4u.blogspot.com
> http://blogs.msdn.com/David.Wang
> //
#4: Re: IIS ASP.NET configuration
Posted on 2008-04-04 10:04:46 by David Wang
Not really. You have conflicting role and behavior expectations. You
will have to reconcile them.
//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
On Apr 1, 6:23 pm, "Ricky Chan" <ricky.chan.n...@live.com> wrote:
> Is there any way to block someone who acts as a system administrator role
> but not allowed to read the configuration in config file?
>
> "David Wang" <w3.4...@gmail.com> wrote in message
>
> news:75c4be79-0c80-4709-98e3-1b5adad5f4a4@c19g2000prf.googlegroups.com...
>
>
>
> > On Mar 31, 10:31 pm, "Ricky Chan" <ricky.chan.n...@live.com> wrote:
> >> I just found that we can see the database connection string in plain text
> >> via the IIS ASP.NET configuration even the connection string is encrypted
> >> in
> >> web.config file. Is this a security hole?
>
> > No, it is not a security hole.
>
> > web.config encryption is meant as a defense against someone stealing
> > the web.config file.
>
> > The encryption is not meant as a way to secure a string such that only
> > IIS can read it and bypassing the application layer in the middle.
>
> > //David
> > http://w3-4u.blogspot.com
> > http://blogs.msdn.com/David.Wang
> > //