I haven't seen anything anywhere suggesting this section should be
encrypted, but it looks to be like a prime hacking location (set
passwords to cleartext, set unlimited retries etc...)
Should this section be encrypted in addition to impersonation and
connectionstrings sections?
Any other sections that should be encrypted?
Cheers,
James
This has been debated ad nauseam over the years.
Some people encrypt everything in web.config.
Others take the view that, if a hacker has got as far into your network that
they can actually view the contents of web.config, they're already far
enough in to be able to do anything they like irrespective of encryption -
so why bother...?
I tend to encrypt only those settings which contain an actual password.
However, some clients like to have other settings encrypted too because it
gives them that warm, fuzzy feeling...
Therefore, I usually go by the rule that I will encrypt as much of
web.config as my client wants to pay for... :-)
--
Mark Rae
ASP.NET MVP
http://www.markrae.net
> I haven't seen anything anywhere suggesting this section should be
> encrypted, but it looks to be like a prime hacking location (set
> passwords to cleartext, set unlimited retries etc...)
Connection strings which contain passwords? I am with Mark on this one.
Other sections? No. It just adds weight to the app with no discernible
safety increase. A hacker knows the web connection string name is
MySiteConnectionString? So what?
I would suggest that you not name the string LocalSqlServer if the SQL
Server is really local, as they will try to hack there. Also don't use
the alias ServerNameConnectionString, where ServerName is the actual
name of the server, as that gives a hacker the name of a server in your
network that contains data.
If I saw ZeusConnectionString for an app named MotorcycleSales, I would
assume you have servers named after Greek Gods, with Zeus as your
database server. If I am in the network, I then search for Zeus on port
1433 and see if you have password, p@ssword, blank, etc. as the sa
password.
Perhaps encryption is useful if you name things where you reveal the
nature of the environment, but don't do that and it really does not add
that much, as the hacker is already in your network if he is reading the
config.
App Settings is another thing, as you often reveal secrets about the app
in app settings. Protect them. Conn strings, definitely, esp. if you use
Windows Authentication. They have WAAAY too much info to be left open.
Realistically, however, if the hacker has the .config, he owns the web
server.
Peace and Grace,
--
Gregory A. Beamer (MVP)
Twitter: @gbworld
Blog: http://gregorybeamer.spaces.live.com
*******************************************
| Think outside the box! |
*******************************************
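Both Mark's rule (encrypt only the settings that hold a real password) and Gregory's advice to protect connection strings and app settings come down to the same mechanism: ASP.NET's protected configuration, which encrypts a named section in place and decrypts it transparently for the application. As an added example, not code posted by anyone in this thread, here is a small C# console program that protects the sections the thread discusses using the System.Configuration API. The application path, the section list and the provider choice are assumptions; adjust them for your site.

```csharp
// Added example: encrypt selected web.config sections in place using the
// built-in protected-configuration providers. Not code from the thread.
using System;
using System.Configuration;
using System.Web.Configuration;   // reference System.Configuration.dll and System.Web.dll

class ProtectConfigSections
{
    // Sections mentioned in the thread; which ones you protect is a policy choice (assumed list).
    static readonly string[] Sections =
    {
        "connectionStrings",
        "appSettings",
        "system.web/membership"
    };

    // Provider choice (assumed here; pick per deployment):
    //   DataProtectionConfigurationProvider -> DPAPI, keys tied to this machine (single server)
    //   RsaProtectedConfigurationProvider   -> RSA key container that can be exported to a web farm
    const string Provider = "DataProtectionConfigurationProvider";

    static int Main(string[] args)
    {
        // IIS virtual path of the application, e.g. "/MySite" (assumed first argument).
        string appPath = args.Length > 0 ? args[0] : "/";
        // Pass "-d" as the second argument to reverse the operation.
        bool decrypt = args.Length > 1 && args[1] == "-d";

        Configuration config = WebConfigurationManager.OpenWebConfiguration(appPath);

        foreach (string name in Sections)
        {
            ConfigurationSection section = config.GetSection(name);
            if (section == null)
            {
                Console.WriteLine("{0}: not present, skipped", name);
                continue;
            }

            SectionInformation info = section.SectionInformation;
            if (decrypt)
            {
                if (info.IsProtected)
                {
                    info.UnprotectSection();
                    Console.WriteLine("{0}: decrypted", name);
                }
            }
            else if (!info.IsProtected)
            {
                info.ProtectSection(Provider);
                Console.WriteLine("{0}: encrypted with {1}", name, Provider);
            }
            else
            {
                Console.WriteLine("{0}: already protected by {1}", name, info.ProtectionProvider.Name);
            }
        }

        // Writes only the modified sections back; their content is replaced by
        // <EncryptedData> elements, and the application keeps reading them unchanged.
        config.Save(ConfigurationSaveMode.Modified);
        return 0;
    }
}
```

The same result can be had from the command line with the shipped tool, for example `aspnet_regiis -pe "connectionStrings" -app "/MySite"` (and `-pd` to reverse it). Note what this does and does not buy you, which is the point both posters make: the encryption defends against the file being read out of context (a stray backup, a source-control checkin, a directory-traversal read), but any code running under the application's identity decrypts the section transparently, and on a web farm the RSA provider's key container has to be exported to every node.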
Thanks all!
James