March 16th, 2004, 01:24 PM
Imar
Wrox Author

Are you still using Anonymous access for the Web site?

If that's the case, change the Security for your folder that holds the connection strings. Set it to Integrated Security only (that is, remove anonymous and basic). On NTFS, remove all permissions except for read permission by the anonymous IUSR account (and maybe yourself or an Administrator account).

This way, IIS will be able to read the contents of the folder. If an anonymous user tries to request a file, Integrated Security won't work and they won't get access to the config files.

Alternatively, place the config files outside Web scope; e.g. in a folder called C:\Config. IIS can still read the files, but users won't be able to request them. I haven't read the book, so I don't know if this is applicable in your scenario.

Finally, you could move the connection strings to a Web.Config file. IMO, that makes sense. The inventors of ASP.NET probably thought about this for a while so I am sure there is a good theory behind its design. It also gives you easy access to its contents.

I think all three scenarios are safe: you can protect your connection strings from prying eyes on the Internet. What you choose is up to you: whatever is easiest to implement, or seems most logical to you.

Cheers,

Imar


---------------------------------------
Imar Spaanjaars
Everyone is unique, except for me.
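
An added example, not part of the post above: a small audit for the second option (config files outside Web scope) that reports which files holding connection strings still resolve to a location under a directory the web server serves. The web root `C:\Inetpub\wwwroot`, the file names, and the function names are assumptions constructed for illustration; only `C:\Config` comes from the post.

```python
import ntpath  # Windows path rules, so the check behaves the same on any OS


def _canon(path):
    # Collapse "..", mixed slashes and case differences before comparing.
    return ntpath.normcase(ntpath.normpath(path))


def is_inside(web_root, candidate):
    """True if candidate resolves to a location at or below web_root."""
    root, cand = _canon(web_root), _canon(candidate)
    try:
        # Component-wise comparison: "wwwroot2" is not treated as "wwwroot".
        return ntpath.commonpath([root, cand]) == root
    except ValueError:
        # Different drives, or absolute mixed with relative: not inside.
        return False


def audit(web_roots, config_files):
    """Return {config_file: [web roots exposing it]} for exposed files only."""
    findings = {}
    for cfg in config_files:
        hits = [r for r in web_roots if is_inside(r, cfg)]
        if hits:
            findings[cfg] = hits
    return findings


# Constructed sample input (hypothetical paths, not taken from the post).
SAMPLE_ROOTS = [r"C:\Inetpub\wwwroot"]
SAMPLE_FILES = [
    r"C:\Config\conn.inc",                          # outside Web scope
    r"c:\inetpub\WWWROOT\includes\conn.inc",        # inside, different case
    r"C:\Inetpub\wwwroot\..\..\Config\conn.inc",    # ".." escapes the root
    r"C:\Inetpub\wwwroot2\conn.inc",                # sibling with same prefix
    r"C:/Inetpub/wwwroot/db/conn.inc",              # inside, forward slashes
]

if __name__ == "__main__":
    for path, roots in audit(SAMPLE_ROOTS, SAMPLE_FILES).items():
        print(f"EXPOSED: {path} is under {', '.join(roots)}")
```

The check is purely lexical: pass the physical path of every virtual directory as an additional web root, since a folder outside the main root can still be mapped into the site.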