Is it possible to move the web.config out of the application folder? I
would like it off somewhere out of the web directory
10  2179 
no.
it MUST be in the root of the site/vd.
You can have more of them in subsequent folders to override settings though.
Why though? why move it out of the site? It's not accessible from the
outside
--
Curt Christianson
Owner/Lead Developer, DF-Software
Site: http://www.Darkfalz.com
Blog: http://blog.Darkfalz.com
"mike" <so*****@somewhere.com> wrote in message
news:uj**************@TK2MSFTNGP11.phx.gbl... Is it possible to move the web.config out of the application folder? I
would like it off somewhere out of the web directory
Part of the clients requirement is that all config files must be located
outside of the web directory.
DoD and government orgs seems to not like configuration files anywhere near
the virtual directory for security reasons.
you would have thought that MS would have allowed you to specify a path to
where that is....
I am at a loss as to what to do now... I have a lot of things that use the
web.config.
"Curt_C [MVP]" <software_AT_darkfalz.com> wrote in message
news:e8***************@TK2MSFTNGP10.phx.gbl... no.
it MUST be in the root of the site/vd.
You can have more of them in subsequent folders to override settings
though. Why though? why move it out of the site? It's not accessible from the
outside
--
Curt Christianson
Owner/Lead Developer, DF-Software
Site: http://www.Darkfalz.com
Blog: http://blog.Darkfalz.com
"mike" <so*****@somewhere.com> wrote in message
news:uj**************@TK2MSFTNGP11.phx.gbl... Is it possible to move the web.config out of the application folder? I
would like it off somewhere out of the web directory
just dont put anything in the web.config of value. Move it up to the
machine.config (of course it will run in all sites) or put the info into
another file type and manually do your processing. It will be a nightmare
though.
--
Curt Christianson
Owner/Lead Developer, DF-Software
Site: http://www.Darkfalz.com
Blog: http://blog.Darkfalz.com
"mike" <so*****@somewhere.com> wrote in message
news:O%****************@TK2MSFTNGP10.phx.gbl... Part of the clients requirement is that all config files must be located
outside of the web directory.
DoD and government orgs seems to not like configuration files anywhere
near the virtual directory for security reasons.
you would have thought that MS would have allowed you to specify a path to
where that is....
I am at a loss as to what to do now... I have a lot of things that use
the web.config.
"Curt_C [MVP]" <software_AT_darkfalz.com> wrote in message
news:e8***************@TK2MSFTNGP10.phx.gbl... no.
it MUST be in the root of the site/vd.
You can have more of them in subsequent folders to override settings
though. Why though? why move it out of the site? It's not accessible from the
outside
--
Curt Christianson
Owner/Lead Developer, DF-Software
Site: http://www.Darkfalz.com
Blog: http://blog.Darkfalz.com
"mike" <so*****@somewhere.com> wrote in message
news:uj**************@TK2MSFTNGP11.phx.gbl... Is it possible to move the web.config out of the application folder?
I would like it off somewhere out of the web directory
fan-freaking-tastic - as you can tell I am excited by the notion of
stripping all that stuff out....
Thanks for your help....
"Curt_C [MVP]" <software_AT_darkfalz.com> wrote in message
news:%2****************@TK2MSFTNGP09.phx.gbl... just dont put anything in the web.config of value. Move it up to the
machine.config (of course it will run in all sites) or put the info into
another file type and manually do your processing. It will be a nightmare
though.
--
Curt Christianson
Owner/Lead Developer, DF-Software
Site: http://www.Darkfalz.com
Blog: http://blog.Darkfalz.com
"mike" <so*****@somewhere.com> wrote in message
news:O%****************@TK2MSFTNGP10.phx.gbl... Part of the clients requirement is that all config files must be located
outside of the web directory.
DoD and government orgs seems to not like configuration files anywhere
near the virtual directory for security reasons.
you would have thought that MS would have allowed you to specify a path
to where that is....
I am at a loss as to what to do now... I have a lot of things that use
the web.config.
"Curt_C [MVP]" <software_AT_darkfalz.com> wrote in message
news:e8***************@TK2MSFTNGP10.phx.gbl... no.
it MUST be in the root of the site/vd.
You can have more of them in subsequent folders to override settings
though. Why though? why move it out of the site? It's not accessible from the
outside
--
Curt Christianson
Owner/Lead Developer, DF-Software
Site: http://www.Darkfalz.com
Blog: http://blog.Darkfalz.com
"mike" <so*****@somewhere.com> wrote in message
news:uj**************@TK2MSFTNGP11.phx.gbl...
> Is it possible to move the web.config out of the application folder?
I > would like it off somewhere out of the web directory
>
>
Does the government agency understand that it is hard coded into IIS not to
server web.config files, ever, never, forever?
bill
(or atleast that is the tout by Microsoft)
"mike" <so*****@somewhere.com> wrote in message
news:O%****************@TK2MSFTNGP10.phx.gbl... Part of the clients requirement is that all config files must be located
outside of the web directory.
DoD and government orgs seems to not like configuration files anywhere
near the virtual directory for security reasons.
you would have thought that MS would have allowed you to specify a path to
where that is....
I am at a loss as to what to do now... I have a lot of things that use
the web.config.
"Curt_C [MVP]" <software_AT_darkfalz.com> wrote in message
news:e8***************@TK2MSFTNGP10.phx.gbl... no.
it MUST be in the root of the site/vd.
You can have more of them in subsequent folders to override settings
though. Why though? why move it out of the site? It's not accessible from the
outside
--
Curt Christianson
Owner/Lead Developer, DF-Software
Site: http://www.Darkfalz.com
Blog: http://blog.Darkfalz.com
"mike" <so*****@somewhere.com> wrote in message
news:uj**************@TK2MSFTNGP11.phx.gbl... Is it possible to move the web.config out of the application folder?
I would like it off somewhere out of the web directory
well that appears to be something that we will have to explore - petition to
have it be allowed, but that would only get us for the specific .NET
functionality. Application stuff would still need to be sent off to another
config file...
I would think they would have to know since they will be hosting this site.
BUT I just think they are being difficult right now...
the other thing is that in certain places, Microsoft has said that the
web.config is not enitirely secure because connection strings, assembly
information and such can be put in there. As soon as a gov't agency sees
"not secure" they say no, no matter what the reasoning or information is
behind that claim.
"William F. Robertson, Jr." <wf*********@kpmg.com> wrote in message
news:OM***************@TK2MSFTNGP10.phx.gbl... Does the government agency understand that it is hard coded into IIS not
to server web.config files, ever, never, forever?
bill
(or atleast that is the tout by Microsoft)
"mike" <so*****@somewhere.com> wrote in message
news:O%****************@TK2MSFTNGP10.phx.gbl... Part of the clients requirement is that all config files must be located
outside of the web directory.
DoD and government orgs seems to not like configuration files anywhere
near the virtual directory for security reasons.
you would have thought that MS would have allowed you to specify a path
to where that is....
I am at a loss as to what to do now... I have a lot of things that use
the web.config.
"Curt_C [MVP]" <software_AT_darkfalz.com> wrote in message
news:e8***************@TK2MSFTNGP10.phx.gbl... no.
it MUST be in the root of the site/vd.
You can have more of them in subsequent folders to override settings
though. Why though? why move it out of the site? It's not accessible from the
outside
--
Curt Christianson
Owner/Lead Developer, DF-Software
Site: http://www.Darkfalz.com
Blog: http://blog.Darkfalz.com
"mike" <so*****@somewhere.com> wrote in message
news:uj**************@TK2MSFTNGP11.phx.gbl...
> Is it possible to move the web.config out of the application folder?
I > would like it off somewhere out of the web directory
>
>
but in that rationale NOTHING is secure. Since the web.config is text it has
a security risk, but the thing is they would need file level access to the
server, which if they have the contents of the web.config are irrelevant
anyway since they can already do/see what they want reguardless of where it
is.
--
Curt Christianson
Owner/Lead Developer, DF-Software
Site: http://www.Darkfalz.com
Blog: http://blog.Darkfalz.com
"mike" <so*****@somewhere.com> wrote in message
news:uK**************@tk2msftngp13.phx.gbl... well that appears to be something that we will have to explore - petition
to have it be allowed, but that would only get us for the specific .NET
functionality. Application stuff would still need to be sent off to
another config file...
I would think they would have to know since they will be hosting this
site. BUT I just think they are being difficult right now...
the other thing is that in certain places, Microsoft has said that the
web.config is not enitirely secure because connection strings, assembly
information and such can be put in there. As soon as a gov't agency sees
"not secure" they say no, no matter what the reasoning or information is
behind that claim.
"William F. Robertson, Jr." <wf*********@kpmg.com> wrote in message
news:OM***************@TK2MSFTNGP10.phx.gbl... Does the government agency understand that it is hard coded into IIS not to server web.config files, ever, never, forever?
bill
(or atleast that is the tout by Microsoft)
"mike" <so*****@somewhere.com> wrote in message
news:O%****************@TK2MSFTNGP10.phx.gbl... Part of the clients requirement is that all config files must be
located outside of the web directory.
DoD and government orgs seems to not like configuration files anywhere
near the virtual directory for security reasons.
you would have thought that MS would have allowed you to specify a
path to where that is....
I am at a loss as to what to do now... I have a lot of things that
use the web.config.
"Curt_C [MVP]" <software_AT_darkfalz.com> wrote in message
news:e8***************@TK2MSFTNGP10.phx.gbl...
> no.
> it MUST be in the root of the site/vd.
> You can have more of them in subsequent folders to override settings
though.
> Why though? why move it out of the site? It's not accessible from
the > outside
>
> --
> Curt Christianson
> Owner/Lead Developer, DF-Software
> Site: http://www.Darkfalz.com
> Blog: http://blog.Darkfalz.com
>
>
> "mike" <so*****@somewhere.com> wrote in message
> news:uj**************@TK2MSFTNGP11.phx.gbl...
> > Is it possible to move the web.config out of the application
folder? I > > would like it off somewhere out of the web directory
> >
> >
>
>
I agree - I see the web.config as a safe mechanism for storing data - I
would feel safer if registry keys are used for configuration strings and
maybe a few other things. But if there is a guarantee that the config
cannot be served and it has file level security against it being viewed by
just anyone, I dont think that you can offer any more security - I believe
the security policy for gov't apps just has not evolved to the .NET
application and we are struggling with that transition period....
"Curt_C [MVP]" <software_AT_darkfalz.com> wrote in message
news:ud**************@TK2MSFTNGP11.phx.gbl... but in that rationale NOTHING is secure. Since the web.config is text it
has a security risk, but the thing is they would need file level access to the
server, which if they have the contents of the web.config are irrelevant
anyway since they can already do/see what they want reguardless of where
it is.
--
Curt Christianson
Owner/Lead Developer, DF-Software
Site: http://www.Darkfalz.com
Blog: http://blog.Darkfalz.com
"mike" <so*****@somewhere.com> wrote in message
news:uK**************@tk2msftngp13.phx.gbl... well that appears to be something that we will have to explore -
petition to have it be allowed, but that would only get us for the specific .NET
functionality. Application stuff would still need to be sent off to
another config file...
I would think they would have to know since they will be hosting this
site. BUT I just think they are being difficult right now...
the other thing is that in certain places, Microsoft has said that the
web.config is not enitirely secure because connection strings, assembly
information and such can be put in there. As soon as a gov't agency
sees "not secure" they say no, no matter what the reasoning or information is
behind that claim.
"William F. Robertson, Jr." <wf*********@kpmg.com> wrote in message
news:OM***************@TK2MSFTNGP10.phx.gbl... Does the government agency understand that it is hard coded into IIS
not to server web.config files, ever, never, forever?
bill
(or atleast that is the tout by Microsoft)
"mike" <so*****@somewhere.com> wrote in message
news:O%****************@TK2MSFTNGP10.phx.gbl...
> Part of the clients requirement is that all config files must be
located > outside of the web directory.
>
> DoD and government orgs seems to not like configuration files
anywhere near
> the virtual directory for security reasons.
>
> you would have thought that MS would have allowed you to specify a
path to > where that is....
>
> I am at a loss as to what to do now... I have a lot of things that
use the
> web.config.
>
> "Curt_C [MVP]" <software_AT_darkfalz.com> wrote in message
> news:e8***************@TK2MSFTNGP10.phx.gbl...
> > no.
> > it MUST be in the root of the site/vd.
> > You can have more of them in subsequent folders to override
settings > though.
> > Why though? why move it out of the site? It's not accessible from the > > outside
> >
> > --
> > Curt Christianson
> > Owner/Lead Developer, DF-Software
> > Site: http://www.Darkfalz.com
> > Blog: http://blog.Darkfalz.com
> >
> >
> > "mike" <so*****@somewhere.com> wrote in message
> > news:uj**************@TK2MSFTNGP11.phx.gbl...
> > > Is it possible to move the web.config out of the application folder? I
> > > would like it off somewhere out of the web directory
> > >
> > >
> >
> >
>
>
we encrypt the values in the web.config, as they pertain to connection
strings and such.
Just use an encryption class and decrypt when using them. Much better
feeling of security too :}
--
Curt Christianson
Owner/Lead Developer, DF-Software
Site: http://www.Darkfalz.com
Blog: http://blog.Darkfalz.com
"mike" <so*****@somewhere.com> wrote in message
news:%2****************@tk2msftngp13.phx.gbl... I agree - I see the web.config as a safe mechanism for storing data - I
would feel safer if registry keys are used for configuration strings and
maybe a few other things. But if there is a guarantee that the config
cannot be served and it has file level security against it being viewed by
just anyone, I dont think that you can offer any more security - I believe
the security policy for gov't apps just has not evolved to the .NET
application and we are struggling with that transition period....
"Curt_C [MVP]" <software_AT_darkfalz.com> wrote in message
news:ud**************@TK2MSFTNGP11.phx.gbl... but in that rationale NOTHING is secure. Since the web.config is text it
has a security risk, but the thing is they would need file level access to
the server, which if they have the contents of the web.config are irrelevant
anyway since they can already do/see what they want reguardless of where
it is.
--
Curt Christianson
Owner/Lead Developer, DF-Software
Site: http://www.Darkfalz.com
Blog: http://blog.Darkfalz.com
"mike" <so*****@somewhere.com> wrote in message
news:uK**************@tk2msftngp13.phx.gbl... well that appears to be something that we will have to explore - petition to have it be allowed, but that would only get us for the specific .NET
functionality. Application stuff would still need to be sent off to
another config file...
I would think they would have to know since they will be hosting this
site. BUT I just think they are being difficult right now...
the other thing is that in certain places, Microsoft has said that the
web.config is not enitirely secure because connection strings,
assembly information and such can be put in there. As soon as a gov't agency
sees "not secure" they say no, no matter what the reasoning or information
is behind that claim.
"William F. Robertson, Jr." <wf*********@kpmg.com> wrote in message
news:OM***************@TK2MSFTNGP10.phx.gbl...
> Does the government agency understand that it is hard coded into IIS not to
> server web.config files, ever, never, forever?
>
> bill
>
> (or atleast that is the tout by Microsoft)
>
> "mike" <so*****@somewhere.com> wrote in message
> news:O%****************@TK2MSFTNGP10.phx.gbl...
> > Part of the clients requirement is that all config files must be
located > > outside of the web directory.
> >
> > DoD and government orgs seems to not like configuration files anywhere > near
> > the virtual directory for security reasons.
> >
> > you would have thought that MS would have allowed you to specify a
path to
> > where that is....
> >
> > I am at a loss as to what to do now... I have a lot of things
that use > the
> > web.config.
> >
> > "Curt_C [MVP]" <software_AT_darkfalz.com> wrote in message
> > news:e8***************@TK2MSFTNGP10.phx.gbl...
> > > no.
> > > it MUST be in the root of the site/vd.
> > > You can have more of them in subsequent folders to override settings > > though.
> > > Why though? why move it out of the site? It's not accessible
from the > > > outside
> > >
> > > --
> > > Curt Christianson
> > > Owner/Lead Developer, DF-Software
> > > Site: http://www.Darkfalz.com
> > > Blog: http://blog.Darkfalz.com
> > >
> > >
> > > "mike" <so*****@somewhere.com> wrote in message
> > > news:uj**************@TK2MSFTNGP11.phx.gbl...
> > > > Is it possible to move the web.config out of the application
folder? > I
> > > > would like it off somewhere out of the web directory
> > > >
> > > >
> > >
> > >
> >
> >
>
>
That is another thing that we have to do as part of the requirements. All
configuration files must be encrypted, so I am guessing the web.config would
be no exception.
Thanks again for the responses!
"Curt_C [MVP]" <software_AT_darkfalz.com> wrote in message
news:Ov**************@TK2MSFTNGP09.phx.gbl... we encrypt the values in the web.config, as they pertain to connection
strings and such.
Just use an encryption class and decrypt when using them. Much better
feeling of security too :}
--
Curt Christianson
Owner/Lead Developer, DF-Software
Site: http://www.Darkfalz.com
Blog: http://blog.Darkfalz.com
"mike" <so*****@somewhere.com> wrote in message
news:%2****************@tk2msftngp13.phx.gbl... I agree - I see the web.config as a safe mechanism for storing data - I
would feel safer if registry keys are used for configuration strings and
maybe a few other things. But if there is a guarantee that the config
cannot be served and it has file level security against it being viewed
by just anyone, I dont think that you can offer any more security - I
believe the security policy for gov't apps just has not evolved to the .NET
application and we are struggling with that transition period....
"Curt_C [MVP]" <software_AT_darkfalz.com> wrote in message
news:ud**************@TK2MSFTNGP11.phx.gbl... but in that rationale NOTHING is secure. Since the web.config is text
it has a security risk, but the thing is they would need file level access to the server, which if they have the contents of the web.config are
irrelevant anyway since they can already do/see what they want reguardless of
where it is.
--
Curt Christianson
Owner/Lead Developer, DF-Software
Site: http://www.Darkfalz.com
Blog: http://blog.Darkfalz.com
"mike" <so*****@somewhere.com> wrote in message
news:uK**************@tk2msftngp13.phx.gbl...
> well that appears to be something that we will have to explore - petition to
> have it be allowed, but that would only get us for the specific .NET
> functionality. Application stuff would still need to be sent off to
another
> config file...
>
> I would think they would have to know since they will be hosting
this site.
> BUT I just think they are being difficult right now...
>
> the other thing is that in certain places, Microsoft has said that
the > web.config is not enitirely secure because connection strings,
assembly > information and such can be put in there. As soon as a gov't agency
sees > "not secure" they say no, no matter what the reasoning or
information is > behind that claim.
>
>
> "William F. Robertson, Jr." <wf*********@kpmg.com> wrote in message
> news:OM***************@TK2MSFTNGP10.phx.gbl...
> > Does the government agency understand that it is hard coded into
IIS not > to
> > server web.config files, ever, never, forever?
> >
> > bill
> >
> > (or atleast that is the tout by Microsoft)
> >
> > "mike" <so*****@somewhere.com> wrote in message
> > news:O%****************@TK2MSFTNGP10.phx.gbl...
> > > Part of the clients requirement is that all config files must be
located
> > > outside of the web directory.
> > >
> > > DoD and government orgs seems to not like configuration files
anywhere > > near
> > > the virtual directory for security reasons.
> > >
> > > you would have thought that MS would have allowed you to specify
a path
> to
> > > where that is....
> > >
> > > I am at a loss as to what to do now... I have a lot of things
that use
> > the
> > > web.config.
> > >
> > > "Curt_C [MVP]" <software_AT_darkfalz.com> wrote in message
> > > news:e8***************@TK2MSFTNGP10.phx.gbl...
> > > > no.
> > > > it MUST be in the root of the site/vd.
> > > > You can have more of them in subsequent folders to override
settings > > > though.
> > > > Why though? why move it out of the site? It's not accessible from the
> > > > outside
> > > >
> > > > --
> > > > Curt Christianson
> > > > Owner/Lead Developer, DF-Software
> > > > Site: http://www.Darkfalz.com
> > > > Blog: http://blog.Darkfalz.com
> > > >
> > > >
> > > > "mike" <so*****@somewhere.com> wrote in message
> > > > news:uj**************@TK2MSFTNGP11.phx.gbl...
> > > > > Is it possible to move the web.config out of the application
folder?
> > I
> > > > > would like it off somewhere out of the web directory
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>
This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics
by: Suresh Gladstone |
last post by:
Hi,
This is a bit with versioning and installation of
the .NET dlls. I want to perform the following,
1. A third party application will be invoking my .NET dll
through COM interop . For this I...
|
by: Simon Harvey |
last post by:
Hi chaps,
Can someone tell me the following:
If I declare a site wide config file and then want to overide it in a secure
directory, do I need to have a complete config file, or can I just...
|
by: BPearson |
last post by:
Hello
I would like to have several sites share a single web.config file. To accomplish this, I would point the root of these sites to the same folder. Is there any reason why I might not want to...
|
by: Bennett Haselton |
last post by:
If I add this to my web.config file:
<authentication mode="Forms">
<forms name=".ASPXUSERDEMO" loginUrl="login.aspx" protection="All"
timeout="60" />
</authentication>
I can configure the...
|
by: Benny Ng |
last post by:
Hi,all,
How to let the sub-directory to avoid the authentication control from Root's
webconfig?
I heard that we can add a new web.config to the sub-directory. And then we
can slove the problem....
|
by: Eric Sabine |
last post by:
This situation requres many exes to be sitting on a network share. I would
like all of these to use the same app.config file, which will be stored in
the same location on the network. A quick...
|
by: Khodr |
last post by:
Hello,
I am using VS.NET 2003 and vb. I build my application MyApp and it generates
MyApp.exe.config. So now MyApp.exe reads parameters from MyApp.exe.config.
Great and no problem!
I need to...
|
by: Andrew |
last post by:
Hi,
I have a default.aspx which allows the user to choose between module Admin
and module B. When the user clicks either one, he will be redirected to a
FormsAuthentication login page. The...
|
by: mmcd79 |
last post by:
I built a VB.net application that makes use of a machine level DB
connection string setting, and a user level starting location setting.
The machine level setting and the default user based...
|
by: Andrus |
last post by:
..NET 2 Winforms application.
How to create new setting and set it default value in userSettings section
of app.config file or overwrite existing setting value ?
I found code below in this list...
|
by: Faith0G |
last post by:
I am starting a new it consulting business and it's been a while since I setup a new website. Is wordpress still the best web based software for hosting a 5 page website? The webpages will be...
|
by: isladogs |
last post by:
The next Access Europe User Group meeting will be on Wednesday 3 Apr 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM).
In this session, we are pleased to welcome former...
|
by: ryjfgjl |
last post by:
In our work, we often need to import Excel data into databases (such as MySQL, SQL Server, Oracle) for data analysis and processing. Usually, we use database tools like Navicat or the Excel import...
|
by: taylorcarr |
last post by:
A Canon printer is a smart device known for being advanced, efficient, and reliable. It is designed for home, office, and hybrid workspace use and can also be used for a variety of purposes. However,...
|
by: Charles Arthur |
last post by:
How do i turn on java script on a villaon, callus and itel keypad mobile phone
|
by: ryjfgjl |
last post by:
If we have dozens or hundreds of excel to import into the database, if we use the excel import function provided by database editors such as navicat, it will be extremely tedious and time-consuming...
|
by: BarryA |
last post by:
What are the essential steps and strategies outlined in the Data Structures and Algorithms (DSA) roadmap for aspiring data scientists? How can individuals effectively utilize this roadmap to progress...
|
by: nemocccc |
last post by:
hello, everyone, I want to develop a software for my android phone for daily needs, any suggestions?
|
by: Hystou |
last post by:
There are some requirements for setting up RAID:
1. The motherboard and BIOS support RAID configuration.
2. The motherboard has 2 or more available SATA protocol SSD/HDD slots (including MSATA, M.2...
| |
