
asp.net web config security

I am thinking about the security of a web config file in an asp.net application, from the point of view that a web config file often contains the connection string to an application's database, and so security is important.

In an asp.net application, a connection string may be retrieved from a web config file using:

ConfigurationManager.ConnectionStrings["connectionstring"]

Assuming someone knew the key for the connection string, are they able to somehow send that request to the server and get a response, or is there some sort of security that will prevent this from happening?

If they are able to do so, how could they do this and what could be done to prevent this, e.g. encrypting the connection string?

EDIT: this is not a duplicate of the question Encrypting Connection String in web.config, as my question is asking if it is possible to trick the server into giving this information out, and if so how we can prevent it. The named question is asking how to encrypt the data, which is related but not the same.

ASP.NET will never serve out the web.config file (or any other .config file) via HTTP, so the answer is no, you should not worry about that.

If you are still worried about the contents of the web.config file being somehow exposed, have a look into encrypting the file.

Regarding the connection strings in particular, you could also use Integrated security, that way, you don't even have to expose the DB user/pass in the connection string.

https://msdn.microsoft.com/en-us/library/bsz5788z%28v=vs.140%29.aspx

IIS is by default configured not to serve files of certain types; one type included in this default list is any file with the .config extension. It is however possible that an administrator will make the mistake of renaming web.config to a type that is served, say, for example, web.old whilst they test different configuration settings, and this would mean that it could in fact be served. Similarly, it's simply possible that someone mistakenly or maliciously removes .config types from the filter of IIS types that are not served.

As such, recommended practice is to encrypt config files or sections. Microsoft provides one such method for doing this as standard, and it is fully described and explained in the other question that you linked to:

https://msdn.microsoft.com/en-us/library/zhhddkxy%28v=vs.140%29.aspx

The list of served types for a particular IIS instance can be found in the "File Name Extensions" tab of Request Filtering in the IIS manager of IIS7+.
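The two answers above describe two separate controls: encrypting the connectionStrings section (the MSDN page linked above covers the aspnet_regiis -pe tool and its configProtectionProvider output) and keeping .config (and any renamed copies) in the request-filtering deny list. The audit script below is an added example, not code from the original question or answers, and it is not a Microsoft tool: it parses a site's web.config offline and flags (1) a connection string that still carries a plaintext password in an unencrypted section and (2) request-filtering rules that remove the .config deny or leave typical backup extensions (.old, .bak, .orig) servable. The two web.config samples are constructed for the example; the ciphertext placeholder, extension list and finding messages are assumptions, not anything from the page.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: plaintext credentials, and the .config deny rule removed in the site config.
WEAK_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <add name="connectionstring"
         connectionString="Server=db01;Database=app;User Id=appuser;Password=Hunter2!;" />
  </connectionStrings>
  <system.webServer>
    <security>
      <requestFiltering>
        <fileExtensions>
          <remove fileExtension=".config" />
        </fileExtensions>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
"""

# Constructed sample: section protected by the DPAPI provider (shape written by aspnet_regiis -pe;
# the CipherValue is a placeholder, not real ciphertext) and backup extensions explicitly denied.
HARDENED_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <connectionStrings configProtectionProvider="DataProtectionConfigurationProvider">
    <EncryptedData>
      <CipherData>
        <CipherValue>constructed-ciphertext-placeholder</CipherValue>
      </CipherData>
    </EncryptedData>
  </connectionStrings>
  <system.webServer>
    <security>
      <requestFiltering>
        <fileExtensions allowUnlisted="true">
          <add fileExtension=".config" allowed="false" />
          <add fileExtension=".old" allowed="false" />
          <add fileExtension=".bak" allowed="false" />
          <add fileExtension=".orig" allowed="false" />
        </fileExtensions>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
"""

# Extensions a renamed copy of web.config commonly ends up with (assumed list for this example).
BACKUP_EXTENSIONS = (".old", ".bak", ".orig")

# "Password=" or "Pwd=" as a key in a connection string (case-insensitive).
PASSWORD_KEY = re.compile(r"(?:^|;)\s*(?:password|pwd)\s*=", re.IGNORECASE)


def _child(node, tag):
    """First direct child with this tag. ElementPath treats '.' as a selector,
    so a path like 'system.webServer/...' cannot be used with find()."""
    for child in node:
        if child.tag == tag:
            return child
    return None


def _file_extension_rules(root):
    """Map extension -> 'denied' / 'allowed' / 'removed' from this file's requestFiltering block."""
    node = root
    for tag in ("system.webServer", "security", "requestFiltering", "fileExtensions"):
        node = _child(node, tag)
        if node is None:
            return {}
    rules = {}
    for child in node:
        ext = (child.get("fileExtension") or "").lower()
        if not ext:
            continue
        if child.tag == "remove":
            rules[ext] = "removed"  # undoes the inherited deny rule for this extension
        elif child.tag == "add":
            rules[ext] = "denied" if child.get("allowed", "true").lower() == "false" else "allowed"
    return rules


def audit_web_config(xml_text):
    """Return a list of finding strings; an empty list means nothing was flagged."""
    findings = []
    root = ET.fromstring(xml_text)

    # 1. Is the connectionStrings section encrypted, or does it carry a plaintext password?
    cs = _child(root, "connectionStrings")
    if cs is not None and not cs.get("configProtectionProvider"):
        for add in cs.findall("add"):
            if PASSWORD_KEY.search(add.get("connectionString", "")):
                findings.append(
                    f"connectionStrings/{add.get('name')}: plaintext password in connection string "
                    "(encrypt the section with aspnet_regiis -pe, or use Integrated Security)"
                )

    # 2. Does this file weaken the request-filtering deny rules?
    rules = _file_extension_rules(root)
    if rules.get(".config") in ("removed", "allowed"):
        findings.append("requestFiltering: .config is no longer denied; web.config becomes downloadable over HTTP")
    for ext in BACKUP_EXTENSIONS:
        if rules.get(ext) != "denied":
            findings.append(f"requestFiltering: {ext} not denied; a copy such as web{ext} in the site root would be served")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_WEB_CONFIG), ("hardened", HARDENED_WEB_CONFIG)):
        print(label, audit_web_config(cfg) or ["no findings"])
```

The check only sees the site-level web.config; the inherited deny list lives in applicationHost.config, so an absent .config rule here is not flagged, but a `<remove>` or `allowed="true"` for it is. Backup extensions are reported whenever they are not explicitly denied, since IIS serves unlisted extensions by default. Note that section encryption protects the file at rest and over an accidental download; any code running as the application pool identity can still call into the provider and read the decrypted section.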

Considering that you are using an asp.net application, the user should not have access to web.config.

As long as you do not make the "connectionstring" replaceable or ConfigurationManager.ConnectionStrings["connectionstring"] data exposed, it should be fine.
