microsoft.public.dotnet.framework.aspnet.caching
Connection string password in clear text in ASP.NET Config Setting
Lars
6/7/2006 7:19:00 PM
We have encrypted the connection string in web.config, however if you look at
ASP.NET Configuration Settings in IIS Manager, the connection string
including the password is there in clear text.
Does anyone know how to avoid this?
Thanks!
3 Answers
Brock Allen
6/8/2006 2:20:00 PM
0
The configuration plumbing in the CLR decrypts settings as code calls the
APIs to read the values. This allows the code to not know/care that a value
was encrypted. The UI you're referring to calls the same APIs. Why is this
an issue? Presumably an admin is the only one that would have access to the
IIS config tool, and the admin is the person you're supposed to trust to
configure your app.
-Brock
http://staff.develop....
> We have encrypted the connection string in web.config, however if you
> look at ASP.NET Configuration Settings in IIS Manager, the connection
> string including the password is there in clear text.
>
> Does anyone know how to avoid this?
> Thanks!
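The behaviour described in the answer above, as an added example that is not part of the original thread: a section protected with `DataProtectionConfigurationProvider` is ciphertext on disk, but any caller that reads it through the configuration API receives the decrypted value without asking for it. It assumes a .NET Framework console project on Windows with a reference to System.Configuration; the temp file name, the entry name `Main` and the connection string are constructed placeholders.

```csharp
using System;
using System.Configuration;
using System.IO;

static class ProtectedConfigDemo
{
    // Constructed sample config; server, user and password are placeholders.
    const string SampleConfig =
        "<?xml version=\"1.0\"?>\n<configuration>\n  <connectionStrings>\n" +
        "    <add name=\"Main\" connectionString=\"Server=db.example;User Id=app;Password=PLACEHOLDER-pw\" />\n" +
        "  </connectionStrings>\n</configuration>\n";

    // Open a standalone config file through the normal configuration plumbing.
    static Configuration Open(string path)
    {
        var map = new ExeConfigurationFileMap { ExeConfigFilename = path };
        return ConfigurationManager.OpenMappedExeConfiguration(map, ConfigurationUserLevel.None);
    }

    static void Main()
    {
        string path = Path.Combine(Path.GetTempPath(), "protected-demo.config");
        File.WriteAllText(path, SampleConfig);

        // Encrypt the section in place with the DPAPI-backed provider.
        Configuration config = Open(path);
        ConfigurationSection section = config.GetSection("connectionStrings");
        section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);

        // On disk: the password text is replaced by an EncryptedData element.
        string onDisk = File.ReadAllText(path);
        Console.WriteLine("File contains password:      " + onDisk.Contains("PLACEHOLDER-pw"));
        Console.WriteLine("File contains EncryptedData: " + onDisk.Contains("EncryptedData"));

        // Through the API: a fresh reader never calls a decrypt method,
        // yet the value it gets back is the decrypted connection string.
        Configuration reopened = Open(path);
        ConnectionStringsSection cs = reopened.ConnectionStrings;
        Console.WriteLine("Section reports IsProtected: " + cs.SectionInformation.IsProtected);
        Console.WriteLine("Value returned by the API:   " + cs.ConnectionStrings["Main"].ConnectionString);

        File.Delete(path);
    }
}
```

Protected configuration therefore covers the file at rest (backups, file shares, source control); limiting who can see the value at runtime comes down to who can run code or management tools under an account able to use the key.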
Lars
6/8/2006 5:24:00 PM
0
Agreed that it is not a huge security risk. However we do have customers who
would find passwords displayed in clear text totally unacceptable wherever
they're displayed.
"Brock Allen" wrote:
> The configuration plumbing in the CLR decrypts settings as code calls the
> APIs to read the values. This allows the code to not know/care that a value
> was encrypted. The UI you're referring to calls the same APIs. Why is this
> an issue? Presumably an admin is the only one that would have access to the
> IIS config tool, and the admin is the person you're supposed to trust to
> configure your app.
>
> -Brock
>
> http://staff.develop....
>
>
> > We have encrypted the connection string in web.config, however if you
> > look at ASP.NET Configuration Settings in IIS Manager, the connection
> > string including the password is there in clear text.
> >
> > Does anyone know how to avoid this?
> > Thanks!
Brock Allen
6/9/2006 6:04:00 AM
0
This would be a great situation to provide product feedback to MSFT:
http://msdn.microsoft.com/produc...
-Brock
http://staff.develop....
> Agreed that it is not a huge security risk. However we do have
> customers who would find passwords displayed in clear text totally
> unacceptable wherever they're displayed
>
> "Brock Allen" wrote:
>
>> The configuration plumbing in the CLR decrypts settings as code calls
>> the APIs to read the values. This allows the code to not know/care
>> that a value was encrypted. The UI you're referring to calls the same
>> APIs. Why is this an issue? Presumably an admin is the only one that
>> would have access to the IIS config tool, and the admin is the person
>> you're supposed to trust to configure your app.
>>
>> -Brock
>>
>> http://staff.develop....
>>> We have encrypted the connection string in web.config, however if
>>> you look at ASP.NET Configuration Settings in IIS Manager, the
>>> connection string including the password is there in clear text.
>>>
>>> Does anyone know how to avoid this?
>>> Thanks!