identity impersonation definition in web.config

I have some security concerns over storing an Active Directory username/
passwd in a text based web.config file for the identity impersonation
definition.

I know that web.config is not accessible via the web browser, however
someone with an account on the server can get to the file and steal the
credentials.

Is there a way to hash the username/password for identity
impersonation definition, or define it elsewhere where it is not
accessible to the server administrator/operators?

Thanks
saqib
http://www.full-disk-encryption.net

Feb 1 '07 #1
Yes. See the aspnet_regiis.exe utility. Also, if you use IIS 6.0 you can use
an application pool instead of specifying the impersonation in web.config.

-- bruce (sqlwork.com)

Feb 1 '07 #2
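
An added example (not part of the original thread) of the aspnet_regiis.exe approach named in the reply above: it encrypts the <identity> section in place, grants the worker process access to the key container, and then checks that no plaintext credentials remain in the file. The application path, file path, framework directory and worker account are assumptions.

```powershell
# Added example. $appVPath, $configPath, the framework directory and the
# worker account are assumptions; adjust them to the server in question.
$regiis     = Join-Path $env:WINDIR 'Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe'
$appVPath   = '/MyApp'                                # hypothetical virtual path
$configPath = 'C:\inetpub\wwwroot\MyApp\web.config'   # hypothetical physical path
$provider   = 'RsaProtectedConfigurationProvider'     # default RSA provider name
$workerAcct = 'NT AUTHORITY\NETWORK SERVICE'          # default IIS 6.0 worker identity

# 1. Encrypt <system.web>/<identity> in place.
& $regiis -pe 'system.web/identity' -app $appVPath -prov $provider
if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis -pe failed ($LASTEXITCODE)" }

# 2. Allow the worker process to read the machine-level RSA key container,
#    otherwise the application cannot decrypt the section at run time.
& $regiis -pa 'NetFrameworkConfigurationKey' $workerAcct
if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis -pa failed ($LASTEXITCODE)" }

# 3. Verify that the plaintext attributes are gone and the section is
#    marked as protected by the expected provider.
[xml]$cfg = Get-Content -Path $configPath
$identity = $cfg.configuration.'system.web'.identity
if ($null -eq $identity) { throw 'No <identity> element found in web.config' }
if ($identity.userName -or $identity.password) {
    throw 'Plaintext userName/password attributes are still present'
}
if ($identity.configProtectionProvider -ne $provider) {
    throw '<identity> is not marked as protected by the expected provider'
}

# 4. List the accounts that are allowed to read the file, for review.
(Get-Acl -Path $configPath).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' } |
    Select-Object IdentityReference, FileSystemRights
```

The key container used here is machine-level, so a local administrator can reverse step 1 with `aspnet_regiis -pd`; the encryption protects against accounts that can read the file but not the key container.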
You can encrypt certain web.config sections with RSA and other protocols.
I doubt the <identity> element is one of them, but you could certainly
store the information in an encryptable one provided you can figure out a way
to set the credentials of your app programmatically using this info.

If anybody with "an account" on the server could cause you so much grief,
maybe it's time to review your whole security paradigm.
Peter

--
Site: http://www.eggheadcafe.com
UnBlog: http://petesbloggerama.blogspot.com
Short urls & more: http://ittyurl.net



Feb 1 '07 #3
If you are using .NET 2.0 you can in fact encrypt the username and password,
but you have to keep in mind it would still get decrypted to be used. Any
text in memory can actually be seen by other code if code security is not
carefully planned. All text ends up in memory so unencrypting it is
superficial. I'd make sure my file security prevents access to that web
config file.

If you are concerned about saving the password in the config file you may
actually have a much bigger problem. No one should have access to that file
in production other than an administrator.

What I sometimes prefer to do is have an administrator actually use what is
known as cached credentials and manually enter the account information that
the application will run under. The operating system will actually use
operating system level encryption to store the credentials.

You'll have to hunt down the exact admin steps to set that up because it
depends on your situation.

Hope it helps,
Timothy Paul Narron


Feb 1 '07 #4
I am a bit new to this whole process. Where can I find more info about the
identity impersonation? I know how to set it up (heck, I have to set it up,
otherwise when I publish my site it won't work).

My question is, why do I have to do this to begin with?

If I remember correctly, I did not have to do it until I went ahead and
encrypted the web.config file. At that point the published site did not
work anymore, unless I impersonated a user, even though I unencrypted the
web.config file.



Mar 6 '07 #5
