I was reading a blog today (http://somewebguy.wordpress.com/2009/07/20/is-encrypting-your-web-config-a-waste-of-time/) about how to encrypt your appsettings/connectionstrings etc. using the aspnet_regiis tool.
He has a follow up post with some feedback from others saying this is a waste of time.
My question is, what do you think? Are you totally hosed as soon as anyone gets physical access to your web.config files anyway? Or is this a worthwhile precaution?
I don't think it is pointless. If someone does gain access to your web server, yes you are in a lot of trouble. Does that mean that you need to allow them to gain that same access to your database/middle-tier/application server as well?
You are only as strong as your weakest part. Any measures you can take to improve security are a good thing, although this is not something I do.
I share the view that if people have got access to your web.configs, you've probably got worse issues to worry about.
I always make sure any db usernames/passwords stored within have datareader/datawriter ONLY on the site's database.
One thing you can do is have them encrypted as part of your deploy, using a build tool such as MSBuild, NAnt, Rake etc. This way it's not so much of an effort and therefore more likely to be accepted by your team.
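As an added example (not from the question or any of the answers above), this is the kind of post-deploy step the last answer describes: a PowerShell script that encrypts the connectionStrings and appSettings sections of a deployed web.config with aspnet_regiis, grants the application pool identity read access to the RSA key container so the site can still decrypt them at run time, and then checks that the sections are really marked as protected. The site path, the app-pool identity and the section list are assumptions for the example; the aspnet_regiis switches (-pef, -prov, -pa) and the default key container name NetFrameworkConfigurationKey are the tool's own.

```powershell
# Added example: encrypt web.config sections as a deploy step with aspnet_regiis.
# $SitePath, $AppPoolUser and $Sections are assumed values for illustration.
param(
    [string]$SitePath    = 'C:\inetpub\wwwroot\MySite',   # assumed physical path of the site
    [string]$AppPoolUser = 'IIS AppPool\MySite',          # assumed app-pool identity
    [string[]]$Sections  = @('connectionStrings', 'appSettings')
)

# aspnet_regiis ships with the .NET Framework; use the 64-bit v4 copy.
$regiis = Join-Path $env:windir 'Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe'
if (-not (Test-Path $regiis)) { throw "aspnet_regiis.exe not found at $regiis" }

# RsaProtectedConfigurationProvider is the default provider; its key lives in a
# machine-level RSA key container rather than being tied to one user profile.
$provider  = 'RsaProtectedConfigurationProvider'
$container = 'NetFrameworkConfigurationKey'   # default key container for that provider

foreach ($section in $Sections) {
    # -pef: encrypt the named section in the web.config under a physical path.
    & $regiis -pef $section $SitePath -prov $provider
    if ($LASTEXITCODE -ne 0) { throw "Encrypting '$section' failed (exit $LASTEXITCODE)" }
}

# ASP.NET decrypts the sections transparently at run time, but only if the
# worker process identity can read the key container. -pa grants that access.
& $regiis -pa $container $AppPoolUser
if ($LASTEXITCODE -ne 0) { throw "Granting key access to '$AppPoolUser' failed (exit $LASTEXITCODE)" }

# Sanity check: every section we asked for must now carry the
# configProtectionProvider attribute and contain no plaintext <add> entries.
$xml = [xml](Get-Content (Join-Path $SitePath 'web.config'))
foreach ($section in $Sections) {
    $node = $xml.configuration.SelectSingleNode($section)
    if ($null -eq $node) { continue }   # section not present in this web.config
    if ($node.GetAttribute('configProtectionProvider') -ne $provider) {
        throw "Section '$section' is not protected by $provider"
    }
    if ($node.SelectNodes('add').Count -gt 0) {
        throw "Section '$section' still contains plaintext <add> entries"
    }
}
Write-Host "Encrypted sections: $($Sections -join ', ')"
```

To reverse the step (for example on a developer box) run `aspnet_regiis -pdf <section> <path>`. Note what this does and does not buy you: the site's own worker process decrypts the sections on every request, so anyone who can run code as the app-pool identity on that server reads the plaintext anyway. The encryption raises the bar against someone who can only read the file, such as through a backup copy, a source-control checkout, a path-traversal read, or a deploy share, which is exactly the case the answers above are weighing.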