Velocity Reviews - Computer Hardware Reviews

identity impersonation definition in web.config

 
 
Saqib Ali
02-01-2007
I have some security concerns over storing an Active Directory username/
password in a text-based web.config file for the identity impersonation
definition.

I know that web.config is not accessible via the web browser; however,
someone with an account on the server can get to the file and steal the
credentials.

Is there a way to hash the username/password for the identity
impersonation definition, or define it elsewhere where it is not
accessible to the server administrators/operators?

Thanks
saqib
http://www.full-disk-encryption.net

 
bruce barker
02-01-2007
Yes. See the aspnet_regiis.exe utility. Also, if you use IIS 6.0 you can use
an application pool instead of specifying the impersonation in web.config.

-- bruce (sqlwork.com)

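The aspnet_regiis.exe route from the reply above, as an added example that is not part of the original thread: a PowerShell session that writes a constructed web.config carrying the weak clear-text setting, encrypts its system.web/identity section with each of the two protected-configuration providers that ship with the .NET Framework, and then locks down the file's ACL. The temp directory, the account CORP\svc-webapp, the pool name DefaultAppPool and the password are placeholders. The caveat to keep in mind: the section is decrypted transparently at runtime, so anyone who can run code as the application identity (and, for the DPAPI provider, any local administrator) can still recover the password; encrypting the section stops casual reads of the file, it does not remove the secret from the machine.

```powershell
# Added example, not code from the original thread. Encrypts the <identity>
# section of a web.config with aspnet_regiis.exe and shows the result.
# All paths, account names and the password below are constructed for the demo.
# Run from an elevated prompt: -pa changes the ACL on a machine-level RSA key container.

$ErrorActionPreference = 'Stop'

# 1. A constructed web.config with the weak setting: domain credentials in clear text.
$site = Join-Path $env:TEMP 'impersonation-demo'
New-Item -ItemType Directory -Path $site -Force | Out-Null
$cfg = Join-Path $site 'web.config'
@'
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- Weak: anyone who can read this file owns a domain account. -->
    <identity impersonate="true" userName="CORP\svc-webapp" password="Sample-Only-P@ss" />
  </system.web>
</configuration>
'@ | Set-Content -Path $cfg -Encoding UTF8

# 2. Locate aspnet_regiis.exe. v4.0.30319 shown; use v2.0.50727 for a .NET 2.0/3.5 site.
$regiis = Join-Path $env:windir 'Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe'
if (-not (Test-Path $regiis)) {
    $regiis = Join-Path $env:windir 'Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe'
}

# 3a. DPAPI provider (machine-scoped key). Simplest to set up, but the encrypted
#     section only decrypts on this machine, and any local administrator or
#     process running as the app can decrypt it.
& $regiis -pef 'system.web/identity' $site -prov 'DataProtectionConfigurationProvider'

# The userName/password attributes are gone; an <EncryptedData> element replaced them.
Select-String -Path $cfg -Pattern 'identity|EncryptedData|CipherValue'

# Decrypt in place again (the app itself decrypts transparently at runtime).
& $regiis -pdf 'system.web/identity' $site

# 3b. RSA provider. Its key container can be exported (-px) and imported (-pi) on
#     other farm members. The application pool identity must be granted read
#     access to the container, otherwise the site fails at startup with a
#     configuration error because it cannot decrypt the section.
& $regiis -pef 'system.web/identity' $site -prov 'RsaProtectedConfigurationProvider'
& $regiis -pa 'NetFrameworkConfigurationKey' 'IIS AppPool\DefaultAppPool'

# 4. Whichever provider you pick, limit who can read the file at all:
#    drop inherited ACEs, then grant only administrators and the pool identity.
icacls $cfg /inheritance:r /grant:r 'BUILTIN\Administrators:(R,W)' 'IIS AppPool\DefaultAppPool:(R)' | Out-Null
icacls $cfg
```

The `-pef`/`-pdf` forms take the physical directory of the application; `-pe`/`-pd` take the IIS virtual path instead and need the site registered in IIS. After the RSA step, check the ACL on the container if the site throws a configuration error on the first request: the identity the pool runs as, not the account being impersonated, is the one that needs read access.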
Peter Bromberg [C# MVP]
02-01-2007
You can encrypt certain web.config sections with RSA and other protocols.
I doubt the <identity> element is one of them, but you could certainly
store the information in an encryptable one provided you can figure out a way
to set the credentials of your app programmatically using this info.

If anybody with "an account" on the server could cause you so much grief,
maybe it's time to review your whole security paradigm.
Peter

--
Site: http://www.eggheadcafe.com
UnBlog: http://petesbloggerama.blogspot.com
Short urls & more: http://ittyurl.net




Timothy Paul Narron
02-01-2007
If you are using .NET 2.0 you can in fact encrypt the username and password,
but you have to keep in mind it would still get decrypted to be used. Any
text in memory can actually be seen by other code if code security is not
carefully planned. All text ends up in memory, so unencrypting it is
superficial. I'd make sure my file security prevents access to that web
config file.

If you are concerned about saving the password in the config file you may
actually have a much bigger problem. No one should have access to that file
in production other than an administrator.

What I sometimes prefer to do is have an administrator actually use what is
known as cached credentials and manually enter the account information that
the application will run under. The operating system will actually use
operating-system-level encryption to store the credentials.

You'll have to hunt down the exact admin steps to set that up because it
depends on your situation.

Hope it helps,
Timothy Paul Narron

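The application-pool route mentioned earlier in the thread, and the "let the operating system hold the credentials" approach described in the reply above, as an added example that is not part of the original thread: a PowerShell script that creates an IIS application pool running as a specific domain account, so the application's web.config carries no password at all. It assumes IIS 7 or later with the WebAdministration module (IIS 6.0 exposed the same setting through adsutil.vbs and the MMC instead) and PowerShell 3 or later for the Get-Credential parameters used; the pool name WebAppPool, the account CORP\svc-webapp and the site path are placeholders.

```powershell
# Added example, not code from the original thread. Runs an IIS application pool
# under a named service account so that no credentials live in web.config.
# Assumes IIS 7+ with the WebAdministration module; names below are placeholders.

$ErrorActionPreference = 'Stop'
Import-Module WebAdministration

$pool    = 'WebAppPool'
$account = 'CORP\svc-webapp'
$appPath = 'IIS:\Sites\Default Web Site\MyApp'   # placeholder application path

# Prompt the administrator for the password instead of embedding it in a script
# or a config file; the secret never needs to be written to disk by us.
$cred  = Get-Credential -UserName $account -Message "Password for $account"
$plain = $cred.GetNetworkCredential().Password

if (-not (Test-Path "IIS:\AppPools\$pool")) {
    New-WebAppPool -Name $pool | Out-Null
}

# identityType 3 = SpecificUser. IIS stores the password in applicationHost.config,
# encrypted with its machine-level configuration key and readable only by
# administrators and the IIS worker-process host, not in the application's web.config.
Set-ItemProperty "IIS:\AppPools\$pool" -Name processModel -Value @{
    identityType = 3
    userName     = $account
    password     = $plain
}
Remove-Variable plain

# Point the application at the pool (skip if the application does not exist yet).
if (Test-Path $appPath) {
    Set-ItemProperty $appPath -Name applicationPool -Value $pool
}

# Confirm the identity type and account that the pool will run as.
Get-ItemProperty "IIS:\AppPools\$pool" -Name processModel |
    Select-Object identityType, userName

# The matching web.config then needs no userName/password attributes at all.
# To run every request as the service account, remove the <identity> element
# (or set impersonate="false"); with <identity impersonate="true" /> and no
# credentials, requests run as the caller IIS authenticated instead.
```

The account still needs the rights IIS expects of a pool identity (IIS adds it to IIS_IUSRS on the worker process side; NTFS read access to the site content is yours to grant), and the same file-ACL advice applies to applicationHost.config as applied to web.config: only administrators should be able to read it.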
Joseph I. Ceasar
03-06-2007
I am a bit new to this whole process. Where can I find more info about
identity impersonation? I know how to set it up (heck, I have to set it up;
otherwise when I publish my site it won't work).

My question is, why do I have to do this to begin with?

If I remember correctly, I did not have to do it until I went ahead and
encrypted the web.config file. At that point the published site did not
work anymore unless I impersonated a user, even though I unencrypted the
web.config file.





