identity impersonation definition in web.config

S

Saqib Ali

I have some security concerns over storing a Active Directory username/
passwd in a text based web.config file for the identity impersonation
definition.

I know that web.conf is not accessible via the web browser, however
someone with account on the server can get to the file and steal the
credentials.

Is there a way to hash the username/password for identity
impersonation definition, or define it elsewhere where it is not
accessible to the server administrator/operators?

Thanks
saqib
http://www.full-disk-encryption.net
 
B

bruce barker

yes. see aspnet_regiis.exe utility. also if you use iis 6.0 you can use
an application pool instead of specifying the impersonation in web.config.

-- bruce (sqlwork.com)
 
G

Guest

You can encrypt certain web.config sections with RSA and other protocols.
I doubt the <identity--> element is one of them, but you could certainly
store the information in an encryptable one provided you can figure out a way
to set the credentials of your app programatically using this info.

If anybody with "an account" on the server could cause you so much grief,
maybe its time to review your whole security paradigm.
Peter
 
T

Timothy Paul Narron

If you are using .Net 2.0 you can in fact encrypt the username and password
but you have to keep in mind it would still get decrypted to be used. Any
text in memory can actually be seen by other code if code security is not
carefully planned. All text ends up in memory so unencrypting it is
superficial. I'd make sure my file security prevents access to that web
config file.

If you are concerned about saving the password in the config file you may
actually have a much bigger problem. No one should have access to that file
in production other than an administrator.

What I sometimes prefer to do is have an administrator actually use what is
know as cached credentials and manually enter the account information that
the application will run under. The operating system will actually use
operating system level encryption to store the credentials.

You'll have to hunt down the exact admin steps to set that up becuase it
depends on your situation.

Hope it helps,
Timothy Paul Narron
 
J

Joseph I. Ceasar

I am a bit new to this whole process. Where can I find more info about the
identity impersonation. I know how to set it up (heck, I have to set it up.
otherwise when I publish my site it won't work).

My question is, why do I have to do this to begin with?

If I remember correctly, I did not have to do it until I went ahead and
encrypted the web.config file. At that point the published site did not
work anymore, unless I impersonated a user, even though I unencrypted the
web.config file
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Impersonation? 1
Identity Impersonate in ASP.NET 2
Newbie question about impersonation 5
Global.asax not allowing identity impersonation? 8
Identity impersonate not working 6
accessing folder on remote server from asp.net page (impersonation question) 0
Identity Impersonation question. 1
Impersonation 0

Members online

No members online now.
Total: 35 (members: 0, guests: 35)
Robots: 503

Forum statistics

Threads
473,969
Messages
2,570,161
Members
46,708
Latest member
SherleneF1

Latest Threads

Top