Wrox Programmer Forums

BOOK: ASP.NET Website Programming Problem-Design-Solution
This is the forum to discuss the Wrox book ASP.NET Website Programming: Problem - Design - Solution, Visual Basic .NET Edition by Marco Bellinaso, Kevin Hoffman; ISBN: 9780764543869
#1 March 16th, 2004, 12:20 PM
Authorized User, Benicia, CA, USA (joined Mar 2004)
Subject: security - xml connection string

I have a question about using this website as a model for a public website. I am concerned about having my database connection string in an XML file. Should I be concerned? Is this more or less safe than having the connection string in my web.config file?

#2 March 16th, 2004, 12:25 PM
Imar, Wrox Author, Utrecht, Netherlands (joined Jun 2003)

Web.config files are protected by the setup of the Framework by default.
This means that whenever someone requests a Web.config file, IIS will hand the request over to the forbidden content type handler (something like this, can't recall the exact name) which prevents the file from being downloaded.

XML files are usually seen as content files and can be downloaded if you know their name and location. So, yeah, storing them in an XML file with the Web scope (anywhere below the Web root folder) poses a security risk.

However, you can configure IIS or the disk (NTFS) to block access to the file for unauthenticated users.

HtH,

Imar


---------------------------------------
Imar Spaanjaars
Everyone is unique, except for me.

#3 March 16th, 2004, 01:11 PM
Authorized User, Benicia, CA, USA (joined Mar 2004)

The project I am working on will be a public website where individuals must register to use the site and view the content of the site. I have normally worked with either anonymous access public sites or Protected Windows integrated security intranet sites. This is new for me.

I would like your opinion: would you use NTFS to protect the folder and use the XML configuration files as presented in "ASP.Net Programming", or would you place the database access connection string in the web.config, or is there a better, more robust / secure solution that you would recommend? Thanks again for your response.

#4 March 16th, 2004, 01:24 PM
Imar, Wrox Author, Utrecht, Netherlands (joined Jun 2003)

Are you still using Anonymous access for the Web site?

If that's the case, change the Security for your folder that holds the connection strings. Set it to Integrated Security only (that is, remove anonymous and basic). On NTFS, remove all permissions except for read permission by the anonymous IUSR account (and maybe yourself or an Administrator account).

This way, IIS will be able to read the contents of the folder. If an anonymous user tries to request a file, Integrated Security won't work and they won't get access to the config files.

Alternatively, place the config files outside Web scope; e.g. in a folder called C:\Config. IIS can still read the files, but users won't be able to request them. I haven't read the book, so I don't know if this is applicable in your scenario.

Finally, you could move the connection strings to a Web.Config file. IMO, that makes sense. The inventors of ASP.NET probably thought about this for a while so I am sure there is a good theory behind its design. It also gives you easy access to its contents.

I think all three scenarios are safe: you can protect your connection strings from prying eyes on the Internet. What you choose is up to you: whatever is easiest to implement, or seems most logical to you.

Cheers,

Imar


---------------------------------------
Imar Spaanjaars
Everyone is unique, except for me.

#5 March 16th, 2004, 01:35 PM
Authorized User, Benicia, CA, USA (joined Mar 2004)

Thanks again.

#6 March 24th, 2004, 11:57 PM
Authorized User (joined Mar 2004)

A relatively easy solution to this issue is to encrypt the string that's stored in web.config.

#7 March 30th, 2004, 04:55 AM
Authorized User, Caterham, Surrey, United Kingdom (joined Nov 2003)

But the module config files have a .config extension - it is the file extension that is screened by IIS. So they are no less safe than web.config.

brian

#8 March 30th, 2004, 05:37 AM
Imar, Wrox Author, Utrecht, Netherlands (joined Jun 2003)

Right, I didn't know that (I don't have that book).
The OP said: "xml configuration files" so I assumed files with an .xml extension.

If they end with .config, they are indeed as safe as any other .config file.

Cheers,

Imar


---------------------------------------
Imar Spaanjaars
Everyone is unique, except for me.
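
An added example, not part of any post in this thread or of the book's code: a small audit that walks a web root and lists files that appear to hold a connection string but whose extension is not on the blocked list, which is the exposure discussed above. The blocked set defaults to `.config` only (the one extension the thread establishes); the function names, sample tree and credentials are constructed for illustration.

```python
import os
import re
import tempfile

# Extensions assumed to be refused by the web server. The thread establishes
# this only for .config; adjust the set to your own handler mappings.
BLOCKED_EXTENSIONS = frozenset({".config"})

# Heuristic: keys that commonly appear in ADO.NET-style connection strings.
CONN_KEY = re.compile(
    r"\b(data source|server|initial catalog|database|user id|uid|password|pwd)\s*=",
    re.IGNORECASE)

def find_exposed_connection_strings(web_root, blocked=BLOCKED_EXTENSIONS):
    """Return sorted web-relative paths of files that look like they contain a
    connection string and whose extension is not in `blocked`."""
    exposed = []
    for folder, _dirs, files in os.walk(web_root):
        for name in files:
            if os.path.splitext(name)[1].lower() in blocked:
                continue  # assumed not downloadable
            path = os.path.join(folder, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    text = fh.read(1_000_000)  # cap the read for large files
            except OSError:
                continue  # unreadable by the auditing account
            # Two or more distinct keys keeps a stray "server=" from matching.
            if len({k.lower() for k in CONN_KEY.findall(text)}) >= 2:
                exposed.append(os.path.relpath(path, web_root).replace(os.sep, "/"))
    return sorted(exposed)

def build_sample_site(root):
    """Write a constructed sample tree (file names and credentials invented)."""
    conn = "server=DBHOST;database=SampleDb;uid=app_user;pwd=EXAMPLE-ONLY"
    node = "<settings><connectionString>%s</connectionString></settings>" % conn
    files = {"Config/Modules.xml": node, "Config/Modules.config": node,
             "Web.config": node, "Default.aspx": "<html>Welcome</html>"}
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_site(root)
        for rel in find_exposed_connection_strings(root):
            print("downloadable file appears to hold a connection string:", rel)
```

The extension check only covers the handler-level block; files protected by NTFS permissions or IIS settings, as described in post #4, will still be listed and need to be verified separately.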
 

