
web.config security conn-str and auth-info

Author
15 Feb 2006 7:49 AM
Jim Andersen
Hi,

I'm (still) developing a secure app. So I have a connection string in my web.config.
That string is encrypted. So I decrypt it when I want to use it. No problem.

But I also have some other info in the web.config. The app uses integrated
security, and I have <allow roles> = "<some_Active_Directory_group>". This
way only users I have granted membership of the Active Directory group can
access my app.

The name of the group is plain text, and if someone saw that (and they
probably could, why else would I need to encrypt the ConnString in
web.config), they would have a place to start their evil deed.

So what do I do?

/jim

Author
16 Feb 2006 11:44 AM
Dominick Baier [DevelopMentor]
In 2.0 you can transparently encrypt the config elements - in 1.1 that's not
possible.

As long as the config file cannot be changed, I think this is a minor threat.


---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

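An added example, not from the thread, of the ASP.NET 2.0 protected-configuration API the reply refers to: it encrypts both the connectionStrings section and the system.web/authorization section that names the Active Directory group, and shows that reads through the configuration API stay transparent. It assumes an application mounted at virtual path "/MyApp" with a connection string named "MyDb" (both placeholders) and a process account allowed to write web.config.

```csharp
// Added example (not code from the thread). Programmatic equivalent of
//   aspnet_regiis -pe "connectionStrings" -app "/MyApp"
// but applied to more than one section in a single pass.
using System;
using System.Configuration;
using System.Web.Configuration;

public static class ConfigProtector
{
    // DPAPI-based provider: the key is bound to this machine (or to the
    // account running the app pool), so a copied web.config is useless
    // elsewhere. Use "RsaProtectedConfigurationProvider" instead when the
    // same encrypted file must be deployed across a web farm.
    const string Provider = "DataProtectionConfigurationProvider";

    // Encrypts each named section in place and returns how many were changed.
    public static int Protect(string appVirtualPath, params string[] sectionNames)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appVirtualPath);
        int changed = 0;
        foreach (string name in sectionNames)
        {
            ConfigurationSection section = config.GetSection(name);
            if (section == null)
                throw new ArgumentException("section not found: " + name);
            if (section.SectionInformation.IsProtected)
                continue;                      // already encrypted, leave as is
            section.SectionInformation.ProtectSection(Provider);
            changed++;
        }
        config.Save(ConfigurationSaveMode.Modified);
        return changed;
    }

    public static void Main()
    {
        // "/MyApp" and "MyDb" are placeholders for this example.
        int n = Protect("/MyApp", "connectionStrings", "system.web/authorization");
        Console.WriteLine(n + " section(s) encrypted");

        // On disk both sections now hold <EncryptedData>, yet the framework
        // decrypts on access: no hand-written decryption step is needed.
        Configuration config = WebConfigurationManager.OpenWebConfiguration("/MyApp");
        string cs = config.ConnectionStrings.ConnectionStrings["MyDb"].ConnectionString;
        Console.WriteLine(cs.Length > 0 ? "connection string readable" : "empty");
    }
}
```

The group name is still recoverable by anyone who can run code as the application identity, so the file ACL and the app pool account remain the real boundary; encryption only raises the bar for someone who merely reads the file.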