Connection string password in clear text in ASP.NET Config Setting

Lars - 07 Jun 2006 20:19 GMT
We have encrypted the connection string in web.config, however if you look at
ASP.NET Configuration Settings in IIS Manager, the connection string
including the password is there in clear text.

Does anyone know how to avoid this?
Thanks!
Brock Allen - 08 Jun 2006 15:19 GMT
The configuration plumbing in the CLR decrypts settings as code calls the
APIs to read the values. This allows the code to not know/care that a value
was encrypted. The UI you're referring to calls the same APIs. Why is this
an issue? Presumably an admin is the only one that would have access to the
IIS config tool, and the admin is the person you're supposed to trust to
configure your app.

-Brock
http://staff.develop.com/ballen

> We have encrypted the connection string in web.config, however if you
> look at ASP.NET Configuration Settings in IIS Manager, the connection
> string including the password is there in clear text.
>
> Does anyone know how to avoid this?
> Thanks
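
Added example, not part of the original thread: a C# sketch of the behaviour described in the reply above, where the section is encrypted as stored in web.config but any caller of the configuration API receives the decrypted value. The class and method names and the `appPath` and `name` parameters are hypothetical; the code assumes it runs inside the ASP.NET application.

```csharp
using System.Configuration;
using System.Data.Common;
using System.Web.Configuration;

// Hypothetical helper (not from the thread); run it inside the ASP.NET application.
public static class ConnectionStringAudit
{
    // appPath: virtual path of the application, e.g. "~" (assumption).
    // name: the connection string entry to inspect (assumption).
    public static string Describe(string appPath, string name)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appPath);
        ConnectionStringsSection section =
            (ConnectionStringsSection)config.GetSection("connectionStrings");

        // IsProtected describes the section as stored in web.config (encrypted or not).
        bool encryptedOnDisk = section.SectionInformation.IsProtected;
        string provider = encryptedOnDisk
            ? section.SectionInformation.ProtectionProvider.Name
            : "(none)";

        ConnectionStringSettings entry = section.ConnectionStrings[name];
        if (entry == null)
            return "No connection string named '" + name + "'.";

        // The configuration API has already decrypted the value at this point,
        // which is the same view an administrative tool built on the API gets.
        DbConnectionStringBuilder parsed = new DbConnectionStringBuilder();
        parsed.ConnectionString = entry.ConnectionString;
        bool hasPassword = parsed.ContainsKey("Password") || parsed.ContainsKey("Pwd");

        // Report the facts without echoing the secret itself.
        return string.Format(
            "encrypted on disk: {0} (provider: {1}); readable through the API: yes; embedded password: {2}",
            encryptedOnDisk, provider, hasPassword);
    }
}
```
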
Lars - 08 Jun 2006 18:24 GMT
Agreed that it is not a huge security risk. However we do have customers who
would find passwords displayed in clear text totally unacceptable wherever
they're displayed.

> The configuration plumbing in the CLR decrypts settings as code calls the
> APIs to read the values. This allows the code to not know/care that a value
[quoted text clipped - 12 lines]
> > Does anyone know how to avoid this?
> > Thanks!
Brock Allen - 09 Jun 2006 07:04 GMT
This would be a great situation to provide product feedback to MSFT:

http://msdn.microsoft.com/productfeedback/

-Brock
http://staff.develop.com/ballen

> Agreed that it is not a huge security risk. However we do have
> customers who would find passwords displayed in clear text totally
[quoted text clipped - 15 lines]
>>> Does anyone know how to avoid this?
>>> Thanks
