Hi,
Microsoft has by default the connection string / (also encrypted if you want ) in the web.config.
I came across settings.txt in app_data during upgrade. I would recommend/ suggest to follow Microsoft path. If you use Windows identity, your database cannot be accessed, if no SQL connections allowed. However, if you have sql connections allowed and app_data\settings.txt would be readable that would have dramatic effect(s).
If I would be working at Microsoft, I would hardcode that web.config or .config would never be able to leave the web server. For text files I would not do that.
J.
Move connection string from settings.txt in app_data to webconfig.
- 648
- 4441
- 11/20/2013
- Netherlands
This might be evidence for: https://www.nopcommerce.com/boards/t/26955/my-site-hacked-by-pharamacy100couk.aspx
Team Member
- 16611
- 155810
- 10/22/2008
- Armenia
Quantis001 wrote:
Why should it be readable? By default IIS doesn't allow access to files located into \App_Data. So no worries about it
Quantis001 wrote:
It's absolutely not related somehow to your "suggestion". Why do you think that this site was hacked because of it?
app_data\settings.txt would be readable that would have dramatic effect(s).
Why should it be readable? By default IIS doesn't allow access to files located into \App_Data. So no worries about it
Quantis001 wrote:
This might be evidence for: https://www.nopcommerce.com/boards/t/26955/my-site-hacked-by-pharamacy100couk.aspx
It's absolutely not related somehow to your "suggestion". Why do you think that this site was hacked because of it?
- 648
- 4441
- 11/20/2013
- Netherlands
Hi Andrei,
Sure, you are right for app_data..app_code etc. Shouldn't be served. However, that file is in the middle of other files, and has been added by Microsoft recently. In the past it has always been web.config similar to htaccess file on Apache. If somebody does not know that this app_data is a special directory and might install apache or other software (other than MS IIS) wrong. See link below how it is explained in the past:
http://www.iis.net/learn/application-frameworks/install-and-configure-php-applications-on-iis/translate-htaccess-content-to-iis-webconfig
Microsoft is also triggering PHP/ JAVA community to take benefit of hosting with Microsoft IIS. If somebody just reads the wrong post..or believes it works similar...most likely that person will also give acces to web.config...so maybe we cannot avoid that....I guess you are right.
J.
Sure, you are right for app_data..app_code etc. Shouldn't be served. However, that file is in the middle of other files, and has been added by Microsoft recently. In the past it has always been web.config similar to htaccess file on Apache. If somebody does not know that this app_data is a special directory and might install apache or other software (other than MS IIS) wrong. See link below how it is explained in the past:
http://www.iis.net/learn/application-frameworks/install-and-configure-php-applications-on-iis/translate-htaccess-content-to-iis-webconfig
Microsoft is also triggering PHP/ JAVA community to take benefit of hosting with Microsoft IIS. If somebody just reads the wrong post..or believes it works similar...most likely that person will also give acces to web.config...so maybe we cannot avoid that....I guess you are right.
J.
- 1
- 5
- 9/12/2012
- Israel
Hi,
Further to above, I have two question regarding the connection string:
1. Is there any way to encrypt it and still have the application run without any further modifications? Unfortunately this is required by a lot of security consultants
2. Is there any way to create Release/Debug versions?
Further to above, I have two question regarding the connection string:
1. Is there any way to encrypt it and still have the application run without any further modifications? Unfortunately this is required by a lot of security consultants
2. Is there any way to create Release/Debug versions?
Certified Developer
- 12
- 180
- 3/1/2016
- United States
I personally don't see any issue with having the connection string within App_Data
It shouldn't be a heavy lift to encrypt the connection string using a machine key or something similar.
An .NET specific deployment platform such as Octopus Deploy can handle transforms of all types with very little difficulty. Its lowest usage tier is free and should easily meet your needs.
For deployments to different environments, once Settings.txt is setup, there should be little to no reason to update that file going forward.
It shouldn't be a heavy lift to encrypt the connection string using a machine key or something similar.
An .NET specific deployment platform such as Octopus Deploy can handle transforms of all types with very little difficulty. Its lowest usage tier is free and should easily meet your needs.
For deployments to different environments, once Settings.txt is setup, there should be little to no reason to update that file going forward.