
I would like to lock down the web.config file as much as possible, so that as few accounts as necessary can read the file. I saw the list here http://msdn.microsoft.com/en-us/library/ms178699.aspx but allowing the Users group read permission on the web.config file seems excessive. Thanks.

ristonj
2 Answers


The Users group would of course apply to the local machine. What are you worried about them reading in the web.config? If it's your connection strings, you can encrypt those.

GregD
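The encryption GregD refers to is the built-in protected-configuration feature of ASP.NET. The following PowerShell script is an added example, not part of the answer above, showing how to encrypt the `connectionStrings` section with `aspnet_regiis.exe` and verify the result. The site name, virtual path, application pool name and file path are placeholders, and the script assumes 64-bit .NET Framework 4 and an elevated prompt.

```powershell
# Added example: encrypt <connectionStrings> in web.config so that an account
# that can still read the file does not see plaintext credentials.
# Placeholders (not from the original page): site "Default Web Site",
# application "/MyApp", app pool "MyAppPool", path C:\inetpub\wwwroot\MyApp.

$regiis     = Join-Path $env:WINDIR 'Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe'
$site       = 'Default Web Site'
$app        = '/MyApp'
$appPool    = 'IIS AppPool\MyAppPool'
$configPath = 'C:\inetpub\wwwroot\MyApp\web.config'

if (-not (Test-Path $regiis))     { throw "aspnet_regiis.exe not found at $regiis" }
if (-not (Test-Path $configPath)) { throw "web.config not found at $configPath" }

# 1. Let the worker process use the machine-level RSA key container that
#    RsaProtectedConfigurationProvider uses by default; without this grant the
#    application pool identity cannot decrypt the section at runtime.
& $regiis -pa 'NetFrameworkConfigurationKey' $appPool
if ($LASTEXITCODE -ne 0) { throw "granting key access failed (exit $LASTEXITCODE)" }

# 2. Encrypt the section in place (-pe = protect/encrypt the named section).
& $regiis -pe 'connectionStrings' -site $site -app $app -prov 'RsaProtectedConfigurationProvider'
if ($LASTEXITCODE -ne 0) { throw "encryption failed (exit $LASTEXITCODE)" }

# 3. Verify: the section must now carry configProtectionProvider and hold
#    <EncryptedData> instead of <add name=... connectionString=...> entries.
[xml]$cfg = Get-Content -Path $configPath
$section = $cfg.configuration.connectionStrings
if ($section.configProtectionProvider -ne 'RsaProtectedConfigurationProvider') {
    throw 'connectionStrings section is not encrypted'
}
if ($section.SelectSingleNode('add')) {
    throw 'plaintext <add> entries still present in connectionStrings'
}
"connectionStrings is protected by $($section.configProtectionProvider)"

# To edit the strings again, decrypt with -pd and re-run step 2 afterwards:
#   & $regiis -pd 'connectionStrings' -site $site -app $app
```

The application code does not change: `ConfigurationManager.ConnectionStrings` decrypts transparently. If the application runs under a custom identity rather than the `IIS AppPool\<name>` virtual account, grant that identity in step 1 instead. Note that encryption protects the secret from readers of the file, but anyone who can run code as the application pool identity on that machine can still decrypt it, so file permissions and encryption complement rather than replace each other.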

You do have to worry about users reading web.config files, especially if you are allowing users access to your file system.

I've tried removing user permissions to the web.config and allowing only the anonymous IIS account and the IIS app pool process account access to the file, and the application still works.

Encrypting the files on top of that will probably help even more, as well. If anyone has an official solution on this, please let us know.
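The permission change described in this answer can be scripted and checked rather than applied by hand in Explorer. The PowerShell below is an added example, not the answer's own procedure: it breaks ACL inheritance on `web.config` (which is where the `BUILTIN\Users` read entry normally comes from), grants read access only to the application pool identity and the anonymous authentication account, and then verifies that `BUILTIN\Users` is gone. The path, pool name and the use of the built-in `IUSR` account for anonymous requests are assumptions.

```powershell
# Added example: lock web.config down to the accounts that must read it.
# Placeholders (not from the original page): path C:\inetpub\wwwroot\MyApp,
# app pool "MyAppPool", anonymous identity IUSR (the IIS 7+ default).

$configPath = 'C:\inetpub\wwwroot\MyApp\web.config'
$appPool    = 'IIS AppPool\MyAppPool'   # virtual account the worker process runs as
$anon       = 'IUSR'                    # identity used for anonymous authentication

if (-not (Test-Path $configPath)) { throw "web.config not found at $configPath" }

# 1. Stop inheriting the folder ACL and drop every inherited entry, so the
#    file starts from an empty explicit ACL (/inheritance:r).
icacls $configPath /inheritance:r | Out-Null
if ($LASTEXITCODE -ne 0) { throw "removing inheritance failed (exit $LASTEXITCODE)" }

# 2. Grant the minimal set: full control for SYSTEM and Administrators so the
#    box stays manageable, read-only for the two IIS identities.
icacls $configPath /grant `
    'NT AUTHORITY\SYSTEM:(F)' `
    'BUILTIN\Administrators:(F)' `
    "${appPool}:(R)" `
    "${anon}:(R)" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "granting permissions failed (exit $LASTEXITCODE)" }

# 3. Verify that no broad group remains and show the resulting entries.
$acl = Get-Acl -Path $configPath
$broad = $acl.Access | Where-Object {
    $_.IdentityReference -in @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')
}
if ($broad) { throw "broad group still has access: $($broad.IdentityReference -join ', ')" }
$acl.Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize
```

If anonymous authentication is configured to use the application pool identity instead of `IUSR`, the `$anon` grant is unnecessary. If the site is published by a deployment account (for example Web Deploy or a CI agent), that account needs write access to the file as well, otherwise the next deployment will fail; add it explicitly rather than restoring inheritance. Because `/inheritance:r` is applied only to this one file, other files in the application keep their inherited permissions.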