Connection string password in clear text in ASP.NET Config Setting

#1

We have encrypted the connection string in web.config, however if you look at
ASP.NET Configuration Settings in IIS Manager, the connection string
including the password is there in clear text.

Does anyone know how to avoid this?
Thanks!

#2

The configuration plumbing in the CLR decrypts settings as code calls the
APIs to read the values. This allows the code to not know/care that a value
was encrypted. The UI you're referring to calls the same APIs. Why is this
an issue? Presumably an admin is the only one that would have access to the
IIS config tool, and the admin is the person you're supposed to trust to
configure your app.

-Brock
http://staff.develop.com/ballen

Quote:

We have encrypted the connection string in web.config, however if you
look at ASP.NET Configuration Settings in IIS Manager, the connection
string including the password is there in clear text.

Does anyone know how to avoid this?
Thanks!

#3

Agreed that it is not a huge security risk. However we do have customers who
would find passwords displayed in clear text totally unacceptable wherever
they're displayed

"Brock Allen" wrote:

Quote:

The configuration plumbing in the CLR decrypts settings as code calls the
APIs to read the values. This allows the code to not know/care that a value
was encrypted. The UI you're referring to calls the same APIs. Why is this
an issue? Presumably an admin is the only one that would have access to the
IIS config tool, and the admin is the person you're supposed to trust to
configure your app.

-Brock
http://staff.develop.com/ballen

We have encrypted the connection string in web.config, however if you
look at ASP.NET Configuration Settings in IIS Manager, the connection
string including the password is there in clear text.

Does anyone know how to avoid this?
Thanks!

#4

This would be a great situation to provide product feedback to MSFT:

http://msdn.microsoft.com/productfeedback/

-Brock
http://staff.develop.com/ballen

Quote:

Agreed that it is not a huge security risk. However we do have
customers who would find passwords displayed in clear text totally
unacceptable wherever they're displayed

"Brock Allen" wrote:

The configuration plumbing in the CLR decrypts settings as code calls
the APIs to read the values. This allows the code to not know/care
that a value was encrypted. The UI you're referring to calls the same
APIs. Why is this an issue? Presumably an admin is the only one that
would have access to the IIS config tool, and the admin is the person
you're supposed to trust to configure your app.

-Brock
http://staff.develop.com/ballen
We have encrypted the connection string in web.config, however if
you look at ASP.NET Configuration Settings in IIS Manager, the
connection string including the password is there in clear text.

Does anyone know how to avoid this?
Thanks!

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

Connection string password in clear text in ASP.NET Config Setting

ASP.net Caching microsoft.public.dotnet.framework.aspnet.caching

Connection string password in clear text in ASP.NET Config Setting - 06-07-2006 , 03:19 PM

Re: Connection string password in clear text in ASP.NET Config Setting - 06-08-2006 , 10:19 AM

Re: Connection string password in clear text in ASP.NET Config Set - 06-08-2006 , 01:24 PM

Re: Connection string password in clear text in ASP.NET Config Set - 06-09-2006 , 02:04 AM