By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
440,190 Members | 1,469 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 440,190 IT Pros & Developers. It's quick & easy.

web.config location

P: n/a
Is it possible to move the web.config out of the application folder? I
would like it off somewhere out of the web directory
Nov 18 '05 #1
Share this Question
Share on Google+
10 Replies


P: n/a
no.
it MUST be in the root of the site/vd.
You can have more of them in subsequent folders to override settings though.
Why though? why move it out of the site? It's not accessible from the
outside

--
Curt Christianson
Owner/Lead Developer, DF-Software
Site: http://www.Darkfalz.com
Blog: http://blog.Darkfalz.com
"mike" <so*****@somewhere.com> wrote in message
news:uj**************@TK2MSFTNGP11.phx.gbl...
Is it possible to move the web.config out of the application folder? I
would like it off somewhere out of the web directory

Nov 18 '05 #2

P: n/a
Part of the clients requirement is that all config files must be located
outside of the web directory.

DoD and government orgs seems to not like configuration files anywhere near
the virtual directory for security reasons.

you would have thought that MS would have allowed you to specify a path to
where that is....

I am at a loss as to what to do now... I have a lot of things that use the
web.config.

"Curt_C [MVP]" <software_AT_darkfalz.com> wrote in message
news:e8***************@TK2MSFTNGP10.phx.gbl...
no.
it MUST be in the root of the site/vd.
You can have more of them in subsequent folders to override settings though. Why though? why move it out of the site? It's not accessible from the
outside

--
Curt Christianson
Owner/Lead Developer, DF-Software
Site: http://www.Darkfalz.com
Blog: http://blog.Darkfalz.com
"mike" <so*****@somewhere.com> wrote in message
news:uj**************@TK2MSFTNGP11.phx.gbl...
Is it possible to move the web.config out of the application folder? I
would like it off somewhere out of the web directory


Nov 18 '05 #3

P: n/a
just dont put anything in the web.config of value. Move it up to the
machine.config (of course it will run in all sites) or put the info into
another file type and manually do your processing. It will be a nightmare
though.

--
Curt Christianson
Owner/Lead Developer, DF-Software
Site: http://www.Darkfalz.com
Blog: http://blog.Darkfalz.com
"mike" <so*****@somewhere.com> wrote in message
news:O%****************@TK2MSFTNGP10.phx.gbl...
Part of the clients requirement is that all config files must be located
outside of the web directory.

DoD and government orgs seems to not like configuration files anywhere near the virtual directory for security reasons.

you would have thought that MS would have allowed you to specify a path to
where that is....

I am at a loss as to what to do now... I have a lot of things that use the web.config.

"Curt_C [MVP]" <software_AT_darkfalz.com> wrote in message
news:e8***************@TK2MSFTNGP10.phx.gbl...
no.
it MUST be in the root of the site/vd.
You can have more of them in subsequent folders to override settings

though.
Why though? why move it out of the site? It's not accessible from the
outside

--
Curt Christianson
Owner/Lead Developer, DF-Software
Site: http://www.Darkfalz.com
Blog: http://blog.Darkfalz.com
"mike" <so*****@somewhere.com> wrote in message
news:uj**************@TK2MSFTNGP11.phx.gbl...
Is it possible to move the web.config out of the application folder? I would like it off somewhere out of the web directory



Nov 18 '05 #4

P: n/a
fan-freaking-tastic - as you can tell I am excited by the notion of
stripping all that stuff out....

Thanks for your help....
"Curt_C [MVP]" <software_AT_darkfalz.com> wrote in message
news:%2****************@TK2MSFTNGP09.phx.gbl...
just dont put anything in the web.config of value. Move it up to the
machine.config (of course it will run in all sites) or put the info into
another file type and manually do your processing. It will be a nightmare
though.

--
Curt Christianson
Owner/Lead Developer, DF-Software
Site: http://www.Darkfalz.com
Blog: http://blog.Darkfalz.com
"mike" <so*****@somewhere.com> wrote in message
news:O%****************@TK2MSFTNGP10.phx.gbl...
Part of the clients requirement is that all config files must be located
outside of the web directory.

DoD and government orgs seems to not like configuration files anywhere

near
the virtual directory for security reasons.

you would have thought that MS would have allowed you to specify a path to
where that is....

I am at a loss as to what to do now... I have a lot of things that use

the
web.config.

"Curt_C [MVP]" <software_AT_darkfalz.com> wrote in message
news:e8***************@TK2MSFTNGP10.phx.gbl...
no.
it MUST be in the root of the site/vd.
You can have more of them in subsequent folders to override settings

though.
Why though? why move it out of the site? It's not accessible from the
outside

--
Curt Christianson
Owner/Lead Developer, DF-Software
Site: http://www.Darkfalz.com
Blog: http://blog.Darkfalz.com
"mike" <so*****@somewhere.com> wrote in message
news:uj**************@TK2MSFTNGP11.phx.gbl...
> Is it possible to move the web.config out of the application folder?

I > would like it off somewhere out of the web directory
>
>



Nov 18 '05 #5

P: n/a
Does the government agency understand that it is hard coded into IIS not to
server web.config files, ever, never, forever?

bill

(or atleast that is the tout by Microsoft)

"mike" <so*****@somewhere.com> wrote in message
news:O%****************@TK2MSFTNGP10.phx.gbl...
Part of the clients requirement is that all config files must be located
outside of the web directory.

DoD and government orgs seems to not like configuration files anywhere near the virtual directory for security reasons.

you would have thought that MS would have allowed you to specify a path to
where that is....

I am at a loss as to what to do now... I have a lot of things that use the web.config.

"Curt_C [MVP]" <software_AT_darkfalz.com> wrote in message
news:e8***************@TK2MSFTNGP10.phx.gbl...
no.
it MUST be in the root of the site/vd.
You can have more of them in subsequent folders to override settings

though.
Why though? why move it out of the site? It's not accessible from the
outside

--
Curt Christianson
Owner/Lead Developer, DF-Software
Site: http://www.Darkfalz.com
Blog: http://blog.Darkfalz.com
"mike" <so*****@somewhere.com> wrote in message
news:uj**************@TK2MSFTNGP11.phx.gbl...
Is it possible to move the web.config out of the application folder? I would like it off somewhere out of the web directory



Nov 18 '05 #6

P: n/a
well that appears to be something that we will have to explore - petition to
have it be allowed, but that would only get us for the specific .NET
functionality. Application stuff would still need to be sent off to another
config file...

I would think they would have to know since they will be hosting this site.
BUT I just think they are being difficult right now...

the other thing is that in certain places, Microsoft has said that the
web.config is not enitirely secure because connection strings, assembly
information and such can be put in there. As soon as a gov't agency sees
"not secure" they say no, no matter what the reasoning or information is
behind that claim.
"William F. Robertson, Jr." <wf*********@kpmg.com> wrote in message
news:OM***************@TK2MSFTNGP10.phx.gbl...
Does the government agency understand that it is hard coded into IIS not to server web.config files, ever, never, forever?

bill

(or atleast that is the tout by Microsoft)

"mike" <so*****@somewhere.com> wrote in message
news:O%****************@TK2MSFTNGP10.phx.gbl...
Part of the clients requirement is that all config files must be located
outside of the web directory.

DoD and government orgs seems to not like configuration files anywhere

near
the virtual directory for security reasons.

you would have thought that MS would have allowed you to specify a path to
where that is....

I am at a loss as to what to do now... I have a lot of things that use

the
web.config.

"Curt_C [MVP]" <software_AT_darkfalz.com> wrote in message
news:e8***************@TK2MSFTNGP10.phx.gbl...
no.
it MUST be in the root of the site/vd.
You can have more of them in subsequent folders to override settings

though.
Why though? why move it out of the site? It's not accessible from the
outside

--
Curt Christianson
Owner/Lead Developer, DF-Software
Site: http://www.Darkfalz.com
Blog: http://blog.Darkfalz.com
"mike" <so*****@somewhere.com> wrote in message
news:uj**************@TK2MSFTNGP11.phx.gbl...
> Is it possible to move the web.config out of the application folder?

I > would like it off somewhere out of the web directory
>
>



Nov 18 '05 #7

P: n/a
but in that rationale NOTHING is secure. Since the web.config is text it has
a security risk, but the thing is they would need file level access to the
server, which if they have the contents of the web.config are irrelevant
anyway since they can already do/see what they want reguardless of where it
is.

--
Curt Christianson
Owner/Lead Developer, DF-Software
Site: http://www.Darkfalz.com
Blog: http://blog.Darkfalz.com
"mike" <so*****@somewhere.com> wrote in message
news:uK**************@tk2msftngp13.phx.gbl...
well that appears to be something that we will have to explore - petition to have it be allowed, but that would only get us for the specific .NET
functionality. Application stuff would still need to be sent off to another config file...

I would think they would have to know since they will be hosting this site. BUT I just think they are being difficult right now...

the other thing is that in certain places, Microsoft has said that the
web.config is not enitirely secure because connection strings, assembly
information and such can be put in there. As soon as a gov't agency sees
"not secure" they say no, no matter what the reasoning or information is
behind that claim.
"William F. Robertson, Jr." <wf*********@kpmg.com> wrote in message
news:OM***************@TK2MSFTNGP10.phx.gbl...
Does the government agency understand that it is hard coded into IIS not to
server web.config files, ever, never, forever?

bill

(or atleast that is the tout by Microsoft)

"mike" <so*****@somewhere.com> wrote in message
news:O%****************@TK2MSFTNGP10.phx.gbl...
Part of the clients requirement is that all config files must be located outside of the web directory.

DoD and government orgs seems to not like configuration files anywhere

near
the virtual directory for security reasons.

you would have thought that MS would have allowed you to specify a path to
where that is....

I am at a loss as to what to do now... I have a lot of things that
use the
web.config.

"Curt_C [MVP]" <software_AT_darkfalz.com> wrote in message
news:e8***************@TK2MSFTNGP10.phx.gbl...
> no.
> it MUST be in the root of the site/vd.
> You can have more of them in subsequent folders to override settings
though.
> Why though? why move it out of the site? It's not accessible from
the > outside
>
> --
> Curt Christianson
> Owner/Lead Developer, DF-Software
> Site: http://www.Darkfalz.com
> Blog: http://blog.Darkfalz.com
>
>
> "mike" <so*****@somewhere.com> wrote in message
> news:uj**************@TK2MSFTNGP11.phx.gbl...
> > Is it possible to move the web.config out of the application

folder? I
> > would like it off somewhere out of the web directory
> >
> >
>
>



Nov 18 '05 #8

P: n/a
I agree - I see the web.config as a safe mechanism for storing data - I
would feel safer if registry keys are used for configuration strings and
maybe a few other things. But if there is a guarantee that the config
cannot be served and it has file level security against it being viewed by
just anyone, I dont think that you can offer any more security - I believe
the security policy for gov't apps just has not evolved to the .NET
application and we are struggling with that transition period....
"Curt_C [MVP]" <software_AT_darkfalz.com> wrote in message
news:ud**************@TK2MSFTNGP11.phx.gbl...
but in that rationale NOTHING is secure. Since the web.config is text it has a security risk, but the thing is they would need file level access to the
server, which if they have the contents of the web.config are irrelevant
anyway since they can already do/see what they want reguardless of where it is.

--
Curt Christianson
Owner/Lead Developer, DF-Software
Site: http://www.Darkfalz.com
Blog: http://blog.Darkfalz.com
"mike" <so*****@somewhere.com> wrote in message
news:uK**************@tk2msftngp13.phx.gbl...
well that appears to be something that we will have to explore - petition
to
have it be allowed, but that would only get us for the specific .NET
functionality. Application stuff would still need to be sent off to

another
config file...

I would think they would have to know since they will be hosting this

site.
BUT I just think they are being difficult right now...

the other thing is that in certain places, Microsoft has said that the
web.config is not enitirely secure because connection strings, assembly
information and such can be put in there. As soon as a gov't agency sees "not secure" they say no, no matter what the reasoning or information is
behind that claim.
"William F. Robertson, Jr." <wf*********@kpmg.com> wrote in message
news:OM***************@TK2MSFTNGP10.phx.gbl...
Does the government agency understand that it is hard coded into IIS not
to
server web.config files, ever, never, forever?

bill

(or atleast that is the tout by Microsoft)

"mike" <so*****@somewhere.com> wrote in message
news:O%****************@TK2MSFTNGP10.phx.gbl...
> Part of the clients requirement is that all config files must be

located > outside of the web directory.
>
> DoD and government orgs seems to not like configuration files
anywhere near
> the virtual directory for security reasons.
>
> you would have thought that MS would have allowed you to specify a

path
to
> where that is....
>
> I am at a loss as to what to do now... I have a lot of things that

use the
> web.config.
>
> "Curt_C [MVP]" <software_AT_darkfalz.com> wrote in message
> news:e8***************@TK2MSFTNGP10.phx.gbl...
> > no.
> > it MUST be in the root of the site/vd.
> > You can have more of them in subsequent folders to override settings > though.
> > Why though? why move it out of the site? It's not accessible from the > > outside
> >
> > --
> > Curt Christianson
> > Owner/Lead Developer, DF-Software
> > Site: http://www.Darkfalz.com
> > Blog: http://blog.Darkfalz.com
> >
> >
> > "mike" <so*****@somewhere.com> wrote in message
> > news:uj**************@TK2MSFTNGP11.phx.gbl...
> > > Is it possible to move the web.config out of the application folder? I
> > > would like it off somewhere out of the web directory
> > >
> > >
> >
> >
>
>



Nov 18 '05 #9

P: n/a
we encrypt the values in the web.config, as they pertain to connection
strings and such.
Just use an encryption class and decrypt when using them. Much better
feeling of security too :}

--
Curt Christianson
Owner/Lead Developer, DF-Software
Site: http://www.Darkfalz.com
Blog: http://blog.Darkfalz.com
"mike" <so*****@somewhere.com> wrote in message
news:%2****************@tk2msftngp13.phx.gbl...
I agree - I see the web.config as a safe mechanism for storing data - I
would feel safer if registry keys are used for configuration strings and
maybe a few other things. But if there is a guarantee that the config
cannot be served and it has file level security against it being viewed by
just anyone, I dont think that you can offer any more security - I believe
the security policy for gov't apps just has not evolved to the .NET
application and we are struggling with that transition period....
"Curt_C [MVP]" <software_AT_darkfalz.com> wrote in message
news:ud**************@TK2MSFTNGP11.phx.gbl...
but in that rationale NOTHING is secure. Since the web.config is text it

has
a security risk, but the thing is they would need file level access to the
server, which if they have the contents of the web.config are irrelevant
anyway since they can already do/see what they want reguardless of where

it
is.

--
Curt Christianson
Owner/Lead Developer, DF-Software
Site: http://www.Darkfalz.com
Blog: http://blog.Darkfalz.com
"mike" <so*****@somewhere.com> wrote in message
news:uK**************@tk2msftngp13.phx.gbl...
well that appears to be something that we will have to explore - petition
to
have it be allowed, but that would only get us for the specific .NET
functionality. Application stuff would still need to be sent off to

another
config file...

I would think they would have to know since they will be hosting this

site.
BUT I just think they are being difficult right now...

the other thing is that in certain places, Microsoft has said that the
web.config is not enitirely secure because connection strings, assembly information and such can be put in there. As soon as a gov't agency

sees "not secure" they say no, no matter what the reasoning or information is behind that claim.
"William F. Robertson, Jr." <wf*********@kpmg.com> wrote in message
news:OM***************@TK2MSFTNGP10.phx.gbl...
> Does the government agency understand that it is hard coded into IIS not to
> server web.config files, ever, never, forever?
>
> bill
>
> (or atleast that is the tout by Microsoft)
>
> "mike" <so*****@somewhere.com> wrote in message
> news:O%****************@TK2MSFTNGP10.phx.gbl...
> > Part of the clients requirement is that all config files must be

located
> > outside of the web directory.
> >
> > DoD and government orgs seems to not like configuration files anywhere > near
> > the virtual directory for security reasons.
> >
> > you would have thought that MS would have allowed you to specify a

path
to
> > where that is....
> >
> > I am at a loss as to what to do now... I have a lot of things
that use
> the
> > web.config.
> >
> > "Curt_C [MVP]" <software_AT_darkfalz.com> wrote in message
> > news:e8***************@TK2MSFTNGP10.phx.gbl...
> > > no.
> > > it MUST be in the root of the site/vd.
> > > You can have more of them in subsequent folders to override settings > > though.
> > > Why though? why move it out of the site? It's not accessible

from the
> > > outside
> > >
> > > --
> > > Curt Christianson
> > > Owner/Lead Developer, DF-Software
> > > Site: http://www.Darkfalz.com
> > > Blog: http://blog.Darkfalz.com
> > >
> > >
> > > "mike" <so*****@somewhere.com> wrote in message
> > > news:uj**************@TK2MSFTNGP11.phx.gbl...
> > > > Is it possible to move the web.config out of the application

folder?
> I
> > > > would like it off somewhere out of the web directory
> > > >
> > > >
> > >
> > >
> >
> >
>
>



Nov 18 '05 #10

P: n/a
That is another thing that we have to do as part of the requirements. All
configuration files must be encrypted, so I am guessing the web.config would
be no exception.

Thanks again for the responses!
"Curt_C [MVP]" <software_AT_darkfalz.com> wrote in message
news:Ov**************@TK2MSFTNGP09.phx.gbl...
we encrypt the values in the web.config, as they pertain to connection
strings and such.
Just use an encryption class and decrypt when using them. Much better
feeling of security too :}

--
Curt Christianson
Owner/Lead Developer, DF-Software
Site: http://www.Darkfalz.com
Blog: http://blog.Darkfalz.com
"mike" <so*****@somewhere.com> wrote in message
news:%2****************@tk2msftngp13.phx.gbl...
I agree - I see the web.config as a safe mechanism for storing data - I
would feel safer if registry keys are used for configuration strings and
maybe a few other things. But if there is a guarantee that the config
cannot be served and it has file level security against it being viewed by
just anyone, I dont think that you can offer any more security - I believe the security policy for gov't apps just has not evolved to the .NET
application and we are struggling with that transition period....
"Curt_C [MVP]" <software_AT_darkfalz.com> wrote in message
news:ud**************@TK2MSFTNGP11.phx.gbl...
but in that rationale NOTHING is secure. Since the web.config is text it
has
a security risk, but the thing is they would need file level access to the server, which if they have the contents of the web.config are
irrelevant anyway since they can already do/see what they want reguardless of where it
is.

--
Curt Christianson
Owner/Lead Developer, DF-Software
Site: http://www.Darkfalz.com
Blog: http://blog.Darkfalz.com
"mike" <so*****@somewhere.com> wrote in message
news:uK**************@tk2msftngp13.phx.gbl...
> well that appears to be something that we will have to explore - petition
to
> have it be allowed, but that would only get us for the specific .NET
> functionality. Application stuff would still need to be sent off to
another
> config file...
>
> I would think they would have to know since they will be hosting
this site.
> BUT I just think they are being difficult right now...
>
> the other thing is that in certain places, Microsoft has said that the > web.config is not enitirely secure because connection strings,

assembly > information and such can be put in there. As soon as a gov't agency

sees
> "not secure" they say no, no matter what the reasoning or information is
> behind that claim.
>
>
> "William F. Robertson, Jr." <wf*********@kpmg.com> wrote in message
> news:OM***************@TK2MSFTNGP10.phx.gbl...
> > Does the government agency understand that it is hard coded into
IIS not
> to
> > server web.config files, ever, never, forever?
> >
> > bill
> >
> > (or atleast that is the tout by Microsoft)
> >
> > "mike" <so*****@somewhere.com> wrote in message
> > news:O%****************@TK2MSFTNGP10.phx.gbl...
> > > Part of the clients requirement is that all config files must be
located
> > > outside of the web directory.
> > >
> > > DoD and government orgs seems to not like configuration files

anywhere
> > near
> > > the virtual directory for security reasons.
> > >
> > > you would have thought that MS would have allowed you to specify

a path
> to
> > > where that is....
> > >
> > > I am at a loss as to what to do now... I have a lot of things

that use
> > the
> > > web.config.
> > >
> > > "Curt_C [MVP]" <software_AT_darkfalz.com> wrote in message
> > > news:e8***************@TK2MSFTNGP10.phx.gbl...
> > > > no.
> > > > it MUST be in the root of the site/vd.
> > > > You can have more of them in subsequent folders to override

settings
> > > though.
> > > > Why though? why move it out of the site? It's not accessible from the
> > > > outside
> > > >
> > > > --
> > > > Curt Christianson
> > > > Owner/Lead Developer, DF-Software
> > > > Site: http://www.Darkfalz.com
> > > > Blog: http://blog.Darkfalz.com
> > > >
> > > >
> > > > "mike" <so*****@somewhere.com> wrote in message
> > > > news:uj**************@TK2MSFTNGP11.phx.gbl...
> > > > > Is it possible to move the web.config out of the application
folder?
> > I
> > > > > would like it off somewhere out of the web directory
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>



Nov 18 '05 #11

This discussion thread is closed

Replies have been disabled for this discussion.