Write access to web.config


  1. #1

    Write access to web.config

    What are the security risks of granting the ASP.NET user write access to web.config?
    I am working on a project in which I am required to update web.config at
    runtime, basically modifying access to different directories.

    Any suggestion will be greatly appreciated.

    Thanks
    Asim Guest

  3. #2

    Write access to web.config

    in short: don't do it

    or..

    it is not a good choice to modify web.config because

    - you're opening up to all kinds of other security issues if your worker process has write access to web.config (that's a defense in depth measure) - then you have to be VERY sure that the rest of your app is based on rock-solid code

    - your asp.net app will restart every time you modify web.config

    if you really want to modify web.config - refactor out that code - package it in a serviced component (com+) and give this component a separate identity which is allowed to modify web.config -

    but my suggestion would be:

    there is an event in the http pipeline of asp.net that's specifically made for this purpose - AuthorizeRequest - there you can plug in your code to programmatically decide who is authorized or not (from an alternate data store like an xml file or db)

    don't mess with web.config (and its dacls)!

    ---
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    Dominick Baier Guest
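
The AuthorizeRequest approach suggested in the reply above, sketched as an added example (not code from the thread or from any poster). The module name, cache key, rules file path `~/App_Data/access-rules.xml` and its XML format are assumptions; the worker process only needs read access to that file, and web.config and its ACL stay untouched at runtime.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Caching;
using System.Xml.Linq;

// Added example. Assumed rules file format (hypothetical):
//   <rules><rule path="/reports" roles="Managers,Auditors" /></rules>
// Per-directory access is decided here instead of by rewriting web.config.
public class DirectoryAuthorizationModule : IHttpModule
{
    public void Init(HttpApplication app) { app.AuthorizeRequest += OnAuthorizeRequest; }
    public void Dispose() { }

    private static void OnAuthorizeRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        string path = ctx.Request.AppRelativeCurrentExecutionFilePath.TrimStart('~');
        // The most specific (longest) matching directory rule wins.
        var rule = LoadRules(ctx)
            .Where(r => path.Equals(r.Key, StringComparison.OrdinalIgnoreCase) ||
                        path.StartsWith(r.Key.TrimEnd('/') + "/", StringComparison.OrdinalIgnoreCase))
            .OrderByDescending(r => r.Key.Length)
            .FirstOrDefault();
        if (rule.Key == null) return; // no rule for this path: other checks still apply

        bool isAuth = ctx.User != null && ctx.User.Identity.IsAuthenticated;
        if (isAuth && rule.Value.Any(role => ctx.User.IsInRole(role))) return;
        // Deny: 401 for anonymous callers, 403 for authenticated users lacking a role.
        ctx.Response.StatusCode = isAuth ? 403 : 401;
        ctx.ApplicationInstance.CompleteRequest();
    }

    private static Dictionary<string, string[]> LoadRules(HttpContext ctx)
    {
        var rules = ctx.Cache["DirectoryAccessRules"] as Dictionary<string, string[]>;
        if (rules != null) return rules;
        string file = ctx.Server.MapPath("~/App_Data/access-rules.xml");
        rules = XDocument.Load(file).Root.Elements("rule").ToDictionary(
            r => (string)r.Attribute("path"),
            r => ((string)r.Attribute("roles")).Split(',').Select(s => s.Trim()).ToArray());
        // Editing the rules file drops the cache entry; the application does not restart.
        ctx.Cache.Insert("DirectoryAccessRules", rules, new CacheDependency(file));
        return rules;
    }
}
```

The module is registered once in web.config at deployment time (under `httpModules`, or `system.webServer/modules` for the IIS integrated pipeline), so no runtime write to web.config is needed.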

  4. #3

    Re: Write access to web.config

    Hi Asim,

    There are certainly serious security risks in doing this. You might want to
    consider storing the configuration information in some other place like a
    database rather than the web.config.

    I'd also worry about performance problems because whenever you change the
    web.config, the Web application resets and will want to recompile.

    Ken

    "Asim" <Asim@discussions.microsoft.com> wrote in message
    news:0DFAA11D-A929-4BD0-9548-0EDEF6805E84@microsoft.com...
    > What are the security risks to grant ASP.NET user write access to
    > web.config?
    > I am working on a project in which I am required to update web.config at
    > the
    > runtime, basically modifying access to different directories.
    >
    > Any suggestion will be greatly appreciated.
    >
    > Thanks
    Ken Cox [Microsoft MVP] Guest

  5. #4

    Re: Write access to web.config

    Asim..
    I don't advise updating or modifying web.config files at any time UNLESS
    you need to do so..
    GDLUCK
    Patrick



    Patrick Olurotimi Ige Guest
