Is it bad practice to put sensitive information in a Web.config file?

In an attempt to make it easy for an administrator to modify the groups users are authorised against in my ASP.NET MVC web application, I have put group names in my Web.config as appSettings.

<appSettings>
  <add key="User" value="VDP ICMD Users"/>
  <add key="SuperUser" value="VDP ICMD Super Users"/>
  <add key="Administrator" value="VDP ICMD Administrator"/>
</appSettings>

The values relate to actual Active Directory group names. Then in my controllers, using my custom AuthorizeAttribute, I can simply write

[AuthorizeAD(GroupKeys = "User")]

My question is, is it bad practice to put sensitive information like the group names in a Web.config file where they can easily be changed? Is it easy for someone to access the Web.config file other than by logging into the server itself?

dnatoli asked Sep 16 '11 02:09
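For readers who want to see how the pattern in the question fits together, here is an added example of such a custom attribute. It is not the asker's own code: the class name `AuthorizeADAttribute`, the `GroupKeys` property and its comma-separated format are assumptions modelled on the usage `[AuthorizeAD(GroupKeys = "User")]` above. It resolves each key to the group name stored in appSettings and denies access whenever a key is missing or unresolvable, so a configuration mistake fails closed rather than open.

```csharp
using System;
using System.Configuration;
using System.Linq;
using System.Web;
using System.Web.Mvc;

// Hypothetical attribute (not the asker's actual implementation).
// Maps appSettings keys such as "User" or "SuperUser" to the Active Directory
// group names stored in Web.config and authorises the request only when the
// authenticated Windows identity is a member of at least one of those groups.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false)]
public sealed class AuthorizeADAttribute : AuthorizeAttribute
{
    // Comma-separated appSettings keys, e.g. "User,SuperUser".
    public string GroupKeys { get; set; }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (httpContext == null)
            throw new ArgumentNullException("httpContext");

        var user = httpContext.User;
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            return false;

        // Fail closed: an attribute with no keys grants nothing.
        if (string.IsNullOrWhiteSpace(GroupKeys))
            return false;

        var keys = GroupKeys.Split(',')
                            .Select(k => k.Trim())
                            .Where(k => k.Length > 0);

        foreach (var key in keys)
        {
            // A key that is absent from appSettings is a configuration error;
            // skipping it means the request is denied unless another key matches.
            var groupName = ConfigurationManager.AppSettings[key];
            if (string.IsNullOrWhiteSpace(groupName))
                continue;

            // With Windows authentication, IsInRole resolves the name against the
            // domain. Assumption: the configured value resolves as written; in many
            // environments the group must be given as DOMAIN\GroupName.
            if (user.IsInRole(groupName))
                return true;
        }

        return false;
    }
}
```

Because `ConfigurationManager.AppSettings` reads the decrypted view of the section, this attribute works unchanged whether or not the `<appSettings>` section in Web.config is later encrypted.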


1 Answer

Whether it's easy or not to access the web.config depends on your infrastructure and security policies. It's not a browsable file, so if someone wants to steal the web.config they need to get into your server. (Another option would be an existing or future security hole in the ASP.NET flow; it has happened before, but we hope this is the least likely case.)

It's a good practice to store as little sensitive information as possible, but it's really hard to have none.

You can encrypt sensitive information in your configuration file though. Here you have a walkthrough explaining how to do it.

Claudio Redi answered Sep 27 '22 16:09
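The walkthrough the answer refers to is not reproduced on this page, so here is an added example (my own code, not the answerer's or Microsoft's walkthrough) of encrypting the `<appSettings>` section with the protected-configuration API in `System.Configuration`. It assumes the site's virtual path is passed in by the caller and that the code runs under an identity with write access to Web.config, such as a deployment step or an administrative console program on the server.

```csharp
using System;
using System.Configuration;
using System.Web.Configuration;

// Added example: protect and unprotect the <appSettings> section of a site's
// Web.config. Application code keeps calling ConfigurationManager.AppSettings[...]
// unchanged; ASP.NET decrypts the section transparently at runtime.
public static class ConfigProtection
{
    // DPAPI provider: the section can only be decrypted on the machine that
    // encrypted it. For a web farm use "RsaProtectedConfigurationProvider" and
    // export/import the RSA key container to every node.
    private const string Provider = "DataProtectionConfigurationProvider";

    // virtualPath is "/" for the site root, or e.g. "/MyApp" for an application
    // below the root (assumed to be supplied by the caller).
    public static void ProtectAppSettings(string virtualPath)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(virtualPath);
        ConfigurationSection section = config.GetSection("appSettings");
        if (section == null)
            throw new InvalidOperationException("No <appSettings> section found in Web.config.");

        // Idempotent: encrypting twice would fail, so skip an already protected section.
        if (section.SectionInformation.IsProtected)
            return;

        section.SectionInformation.ProtectSection(Provider);
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
    }

    // Reverse operation, e.g. before editing group names by hand on the server.
    public static void UnprotectAppSettings(string virtualPath)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(virtualPath);
        ConfigurationSection section = config.GetSection("appSettings");
        if (section == null || !section.SectionInformation.IsProtected)
            return;

        section.SectionInformation.UnprotectSection();
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
    }

    // Reports whether the on-disk section is currently encrypted, which is a
    // useful post-deployment check.
    public static bool IsAppSettingsProtected(string virtualPath)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(virtualPath);
        ConfigurationSection section = config.GetSection("appSettings");
        return section != null && section.SectionInformation.IsProtected;
    }
}
```

The same result can be achieved from an elevated command prompt on the server with the framework's `aspnet_regiis.exe -pe "appSettings" -app "/MyApp" -prov "DataProtectionConfigurationProvider"` (and `-pd` to decrypt). Note that encryption only protects the file at rest: anyone who can run code as the application pool identity on that machine can still read the decrypted values, so it complements, rather than replaces, file-system permissions on Web.config.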