Wednesday, May 11, 2011

Protecting Web.config Files

Just a heads up that you want to be careful when changing web.config files around. Like you, I sometimes put .old or .bak on the end of a file so the system won't use it and I have a backup in case I want to revert to that version. One nice thing ASP.NET does for you is refuse to serve .config files directly: a browser request for anything ending in ".config" gets a 404 from request filtering on IIS 7, or a "This type of page is not served" error from the HttpForbiddenHandler mapping on IIS 6. However, IIS/ASP.NET does not protect .old and .bak the same way. A file named web.config.bak no longer ends in ".config", so it is just a static file with an unusual extension, and it will be served up unless you deny that extension in the site's web.config (request filtering) or in IIS itself. Whether a given copy is served depends on the server's MIME map (IIS refuses static files whose extension has no registered MIME type, but a wildcard mapping, or a copy named web.config.txt or web.config.xml, sails right through), so don't count on that accident to save you. There are your SQL connection strings in plain sight (most of us don't encrypt the connectionStrings section in every case like we should). Better to just make a local copy and make sure you don't have any remnants, test files, or backups in Production.
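As an added example (not part of the original post), here is a web.config fragment that shows both halves of the problem: the plaintext connectionStrings section that a stray backup copy would expose, and a request filtering rule that makes IIS refuse backup-style extensions outright. It assumes IIS 7 or later with the Request Filtering module installed, and that the requestFiltering section is not locked in applicationHost.config (it is unlocked by default). The server name, database and credentials are constructed sample values.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!--
  Added example, not the original post's configuration.
  Assumes IIS 7+ with the Request Filtering module; requestFiltering must be
  unlocked in applicationHost.config (the default).
-->
<configuration>

  <!-- Weak part: plaintext credentials. Copy this file to web.config.bak,
       web.config.old or web.config.txt and it is no longer a ".config" file,
       so the built-in protection for .config no longer applies.
       Sample values are constructed. Encrypt this section on the server with
       aspnet_regiis so a leaked copy is useless without the machine key. -->
  <connectionStrings>
    <add name="MainDb"
         connectionString="Server=dbserver;Database=AppDb;User Id=appuser;Password=S3cret!"
         providerName="System.Data.SqlClient" />
  </connectionStrings>

  <system.webServer>
    <security>
      <requestFiltering>
        <!-- applicationHost.config already denies .config, .cs, .vb, .resx,
             .mdf and similar extensions (do not re-add .config here: a
             duplicate entry is a configuration error). Backup-style
             extensions are not on that list, so deny them explicitly.
             A denied request returns HTTP 404.7 "File extension denied". -->
        <fileExtensions allowUnlisted="true">
          <add fileExtension=".bak"  allowed="false" />
          <add fileExtension=".old"  allowed="false" />
          <add fileExtension=".orig" allowed="false" />
          <add fileExtension=".tmp"  allowed="false" />
        </fileExtensions>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```

After deploying, request /web.config.bak in a browser and confirm you get a 404 rather than the file. Don't add .txt or .xml to the deny list (robots.txt and sitemaps live there); for those, the only fix is to delete the stray copies. On IIS 6, the equivalent is to map the extension to aspnet_isapi.dll in the site's application mappings and add an httpHandlers entry pointing it at System.Web.HttpForbiddenHandler. To encrypt the connection strings in place, run `aspnet_regiis -pef connectionStrings <physical path to the app>` from the .NET Framework directory on the server; the encrypted section is still readable by the application but not by anyone who pulls down a copy of the file.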

The first step in attacking a site is reconnaissance: getting the layout and landscape. Guessing web.config.bak, web.config.old or web.config.txt next to a known file costs nothing, and the directory brute-forcing tools attackers run carry wordlists of exactly these names. They will find your .txt files with code segments, your .old and .bak files, and so on. Don't make it easy for them: keep that stuff off your production servers, Internet-facing and intranet alike.