5

In an attempt to make it easy for an administrator to modify the groups users are authorised against in my ASP.NET MVC web application, I have put group names in my Web.config as appSettings.

```xml
<add key="User" value="VDP ICMD Users"/>
<add key="SuperUser" value="VDP ICMD Super Users"/>
<add key="Administrator" value="VDP ICMD Administrator"/>
```

The values relate to actual Active Directory group names. Then in my controllers, using my custom AuthorizeAttribute, I can simply write

```csharp
[AuthorizeAD(GroupKeys = "User")]
```

My question is, is it bad practice to put sensitive information like the group names in a Web.config file where they can easily be changed? Is it easy for someone to access the Web.config file other than by logging into the server itself?

dnatoli
  • If someone can get on your server and access your web.config, you have bigger problems to worry about... – Devin Burke Sep 16 '11 at 02:43
  • Group names are a key to properly working authentication against AD with your web site. If someone in your organization is in the group with higher restrictions, he can elevate privileges by accessing the web.config file and simply adding/editing group names to elevate write/edit privileges, for example – Alan Turing Sep 16 '11 at 02:55
  • Agreed @Justin Satyr. I'm not worried about that, that is the sys admin's job. I am more worried if someone can change or even view the config file without getting access to server. – dnatoli Sep 16 '11 at 04:02
  • Possible duplicate of [Keeping sensitive information (username & password) in web.config?](https://stackoverflow.com/questions/36472006/keeping-sensitive-information-username-password-in-web-config) – Michael Freidgeim Aug 18 '19 at 02:01
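
An added example, not part of the original question and not its author's code: one way a custom attribute like the `AuthorizeAD` described above could resolve `GroupKeys` through appSettings and deny access when a key is missing or blank. The class body, the comma-separated key format, and the reliance on Windows authentication (so that `IsInRole` checks AD group membership) are assumptions.

```csharp
using System;
using System.Configuration;
using System.Linq;
using System.Web;
using System.Web.Mvc;

// Hypothetical implementation of the AuthorizeAD attribute named in the question.
public class AuthorizeADAttribute : AuthorizeAttribute
{
    // Assumed format: comma-separated appSettings keys, e.g. "User" or "SuperUser,Administrator".
    public string GroupKeys { get; set; }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (httpContext == null) throw new ArgumentNullException("httpContext");

        var user = httpContext.User;
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            return false;

        var keys = (GroupKeys ?? string.Empty)
            .Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries)
            .Select(k => k.Trim())
            .Where(k => k.Length > 0)
            .ToArray();

        // Fail closed: an attribute with no keys denies everyone rather than
        // falling back to "any authenticated user".
        if (keys.Length == 0) return false;

        foreach (var key in keys)
        {
            // Web.config lookup; returns null when the key has been removed or renamed.
            string group = ConfigurationManager.AppSettings[key];

            // Fail closed: a missing or blank mapping never grants access.
            if (string.IsNullOrWhiteSpace(group)) continue;

            // With Windows authentication the principal is a WindowsPrincipal,
            // so IsInRole tests membership of the named group.
            if (user.IsInRole(group.Trim())) return true;
        }
        return false;
    }
}
```

Because the group names are read on every request, anyone who can write to Web.config controls which AD groups satisfy each key, which is why the file's ACL matters more here than whether its contents are readable.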

3 Answers

4

Whether it's easy or not to access the web.config depends on your infrastructure and security policies. It's not a browsable file, so if someone wants to steal the web.config, they need to get into your server. (Another option would be an existing or future security hole in the ASP.NET flow; it has happened before, but we hope this is the less likely case.)

It's a good practice to store as little sensitive information as possible, but it's really hard to have nothing.

You can encrypt sensitive information in your configuration file, though. Here you have a walkthrough explaining how to do it.

Claudio Redi
2

In general it should be safe as long as you do not put plain-text passwords there, which could be stolen even internally by anybody who has access to the deployment folders.

IIS and the ASP.NET engine on top of it are designed to prevent access to the web.config file from the web, so such a file would not be sniffed or stolen via the browser or an HTTP connection ever.

That said, based on experience, I would put that info in a configuration table in the database and would create wrapper classes in the ASP.NET code which encapsulate the reading of such config values, so as not to have too much logic to fetch that data all around.

Advantages of configuration parameters in the database are, at minimum, easy or zero deployment, easy changes with no manual file editing, automated backup and, to answer your main concern, your database should already be protected from unauthorized access.

Davide Piras
  • So is your answer to my example that in terms of security it is fine to put the information in Web.config like I have, however for the other reasons that you mentioned you would put it in the database? – dnatoli Sep 16 '11 at 04:01
  • It's fine as long as nobody can touch the web server from inside, because if he does he can become administrator in a moment. Since the database should be more secure, I would use the database. On the other hand, if somebody can touch web.config then he can also disable security in there... – Davide Piras Sep 16 '11 at 04:05
  • Exactly. As @Justin Satyr said, if they get access to the server and my web.config, I have bigger problems. They would not only disable security but could repoint the application to a different database and change a whole bunch of other things. – dnatoli Sep 16 '11 at 04:34
0

No. This is not safe in a given context.

Group names are a key to properly working authentication against AD with your web site. In your scenario, if someone in your organization is in the group with higher restrictions, he can elevate privileges by accessing the web.config file and simply adding/editing group names to elevate his own write/edit privileges, for example, or access confidential information, like salaries or contracts, or even CEO plans for a company. Do you want such troubles?

Read MSDN article How to encrypt Web.config

Alan Turing
  • But as far as I am aware, the only way to access the Web.config file is to gain access to the hosting server, and as @JustinSatyr commented, if they can do that I have bigger issues. – dnatoli Sep 16 '11 at 03:51