March 16th, 2004, 12:25 PM
Imar
Wrox Author
Points: 72,073, Level: 100
Activity: 100%
Join Date: Jun 2003
Location: Utrecht, Netherlands.
Posts: 17,089
Thanks: 80
Thanked 1,587 Times in 1,563 Posts

Web.config files are protected by the setup of the Framework by default.
This means that whenever someone requests a Web.config file, IIS will hand the request over to the forbidden content type handler (something like this, can't recall the exact name) which prevents the file from being downloaded.

XML files are usually seen as content files and can be downloaded if you know their name and location. So, yeah, storing them in an XML file within the Web scope (anywhere below the Web root folder) poses a security risk.

However, you can configure IIS or the disk (NTFS) to block access to the file for unauthenticated users.

HtH,

Imar


---------------------------------------
Imar Spaanjaars
Everyone is unique, except for me.
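
An added example, not part of the post above: a small audit that walks a Web root and reports XML files that hold settings that look like secrets and, unlike Web.config, would be served as ordinary content. The secret-name pattern, the function names and the three-file sample site are assumptions constructed for this illustration.

```python
import os
import re
import tempfile
import xml.etree.ElementTree as ET

# Assumption: substrings that suggest a stored secret; tune for your application.
SECRET_HINT = re.compile(r"password|pwd|connectionstring|secret", re.I)

def xml_holds_secrets(path):
    """True if an element name, attribute name or attribute value looks secret-bearing."""
    try:
        root = ET.parse(path).getroot()
    except (ET.ParseError, OSError):
        return False  # unreadable or malformed: nothing to report
    for elem in root.iter():
        texts = [elem.tag, *elem.attrib.keys(), *elem.attrib.values()]
        if any(SECRET_HINT.search(t) for t in texts):
            return True
    return False

def audit_web_root(web_root):
    """List URL paths of XML settings files below web_root that are served as content."""
    exposed = []
    for folder, _dirs, files in os.walk(web_root):
        for name in files:
            # Web.config is refused by default (per the post), so it is not reported.
            if name.lower() == "web.config" or not name.lower().endswith(".xml"):
                continue
            full = os.path.join(folder, name)
            if xml_holds_secrets(full):
                exposed.append("/" + os.path.relpath(full, web_root).replace(os.sep, "/"))
    return sorted(exposed)

def build_sample_site(root):
    """Write a constructed three-file site used only for this demonstration."""
    secret = ('<configuration><appSettings><add key="ConnectionString" '
              'value="Server=db;Password=CONSTRUCTED"/></appSettings></configuration>')
    files = {"Web.config": secret,
             "config/settings.xml": secret,
             "data/products.xml": '<products><product id="1" name="Widget"/></products>'}
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as site:
        build_sample_site(site)
        print(audit_web_root(site))
```

Files it reports are candidates for moving outside the Web root or for the IIS or NTFS restrictions mentioned in the post.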