John,
What you could possibly do is only grant the ASPNET account access the
web.config, and explicitly deny all other accounts, so that no other user
accounts can access it other than the ASPNET account. Assuming you're using
the standard FTP Server as part of IIS, users will have to login using a
Windows account. The account they login with will not have access to
web.config, and therefore they will not be able to read the file and see the
user security details.
You might want to consider moving user details into a database. In this
case, the web.config file wont contain any user credentials. However, this
can turn into a catch-22, as the web.config file will then (probably)
contain the database connection string, which in turn, will give the
hacker-to-be access to the database, and user credentials table. You could
hard-code the database string into the login class (code-behind file), but
this will make maintenance more awkward. Another option would be to encrypt
the database string, but this situation would no different from encrypting
the user passwords directly...
The encryption schemes mentioned are to authenticate people who try and
access web content which is being secured using the built-in Forms
Authentication in ASP.NET. As far as I know, It won't have any affect on
users who access your site using FTP. The only way to regulate FTP users
would be through the FTP Server software itself.
Hope this helps,
Mun
"John Buchmann" <or****@informa tik.com> wrote in message
news:06******** *************** *****@phx.gbl.. .
Mun,
Thanks for your reply and advice.
My problem is that if someone can log into the server via
an FTP program (I use WS_FTP), then the web.config is
easily viewable with no restrictions.
The encryption schemes you mentioned are to deny people
access via a web browser? I will look into hashed
passwords, but if someone gets into my site via an FTP
program, does this encryption do anything?
Thanks!
John
