Wednesday, March 28, 2012

web.config location

Is it possible to move the web.config out of the application folder? I
would like it off somewhere out of the web directory

no.
it MUST be in the root of the site/vd.
You can have more of them in subsequent folders to override settings though.
Why though? why move it out of the site? It's not accessible from the
outside

--
Curt Christianson
Owner/Lead Developer, DF-Software
Site: http://www.Darkfalz.com
Blog: http://blog.Darkfalz.com

"mike" <someone@.somewhere.com> wrote in message
news:ujqlaYDOEHA.3380@.TK2MSFTNGP11.phx.gbl...
> Is it possible to move the web.config out of the application folder? I
> would like it off somewhere out of the web directory
Part of the client's requirement is that all config files must be located
outside of the web directory.

DoD and government orgs seem to not like configuration files anywhere near
the virtual directory for security reasons.

you would have thought that MS would have allowed you to specify a path to
where that is...

I am at a loss as to what to do now... I have a lot of things that use the
web.config.

"Curt_C [MVP]" <software_AT_darkfalz.com> wrote in message
news:e8fM%23cDOEHA.620@.TK2MSFTNGP10.phx.gbl...
> no.
> it MUST be in the root of the site/vd.
> You can have more of them in subsequent folders to override settings though.
> Why though? why move it out of the site? It's not accessible from the
> outside
> --
> Curt Christianson
> Owner/Lead Developer, DF-Software
> Site: http://www.Darkfalz.com
> Blog: http://blog.Darkfalz.com
just don't put anything in the web.config of value. Move it up to the
machine.config (of course it will run in all sites) or put the info into
another file type and manually do your processing. It will be a nightmare
though.

--
Curt Christianson
Owner/Lead Developer, DF-Software
Site: http://www.Darkfalz.com
Blog: http://blog.Darkfalz.com

"mike" <someone@.somewhere.com> wrote in message
news:O%2385tgDOEHA.3832@.TK2MSFTNGP10.phx.gbl...
> Part of the client's requirement is that all config files must be located
> outside of the web directory.
> DoD and government orgs seem to not like configuration files anywhere near
> the virtual directory for security reasons.
> you would have thought that MS would have allowed you to specify a path to
> where that is...
> I am at a loss as to what to do now... I have a lot of things that use the
> web.config.
fan-freaking-tastic - as you can tell I am excited by the notion of
stripping all that stuff out...

Thanks for your help...

"Curt_C [MVP]" <software_AT_darkfalz.com> wrote in message
news:%235MytsDOEHA.3476@.TK2MSFTNGP09.phx.gbl...
> just don't put anything in the web.config of value. Move it up to the
> machine.config (of course it will run in all sites) or put the info into
> another file type and manually do your processing. It will be a nightmare
> though.
> --
> Curt Christianson
> Owner/Lead Developer, DF-Software
> Site: http://www.Darkfalz.com
> Blog: http://blog.Darkfalz.com
Does the government agency understand that it is hard coded into IIS not to
serve web.config files, ever, never, forever?

bill

(or at least that is the tout by Microsoft)

"mike" <someone@.somewhere.com> wrote in message
news:O%2385tgDOEHA.3832@.TK2MSFTNGP10.phx.gbl...
> Part of the client's requirement is that all config files must be located
> outside of the web directory.
> DoD and government orgs seem to not like configuration files anywhere near
> the virtual directory for security reasons.
> you would have thought that MS would have allowed you to specify a path to
> where that is...
> I am at a loss as to what to do now... I have a lot of things that use the
> web.config.
well that appears to be something that we will have to explore - petition to
have it be allowed, but that would only get us for the specific .NET
functionality. Application stuff would still need to be sent off to another
config file...

I would think they would have to know since they will be hosting this site.
BUT I just think they are being difficult right now...

the other thing is that in certain places, Microsoft has said that the
web.config is not entirely secure because connection strings, assembly
information and such can be put in there. As soon as a gov't agency sees
"not secure" they say no, no matter what the reasoning or information is
behind that claim.

"William F. Robertson, Jr." <wfrobertson@.kpmg.com> wrote in message
news:OMpr%23AEOEHA.484@.TK2MSFTNGP10.phx.gbl...
> Does the government agency understand that it is hard coded into IIS not to
> serve web.config files, ever, never, forever?
> bill
> (or at least that is the tout by Microsoft)
but in that rationale NOTHING is secure. Since the web.config is text it has
a security risk, but the thing is they would need file level access to the
server, which if they have the contents of the web.config are irrelevant
anyway since they can already do/see what they want regardless of where it
is.

--
Curt Christianson
Owner/Lead Developer, DF-Software
Site: http://www.Darkfalz.com
Blog: http://blog.Darkfalz.com

"mike" <someone@.somewhere.com> wrote in message
news:uKQdzMEOEHA.2716@.tk2msftngp13.phx.gbl...
> well that appears to be something that we will have to explore - petition to
> have it be allowed, but that would only get us for the specific .NET
> functionality. Application stuff would still need to be sent off to another
> config file...
> I would think they would have to know since they will be hosting this site.
> BUT I just think they are being difficult right now...
> the other thing is that in certain places, Microsoft has said that the
> web.config is not entirely secure because connection strings, assembly
> information and such can be put in there. As soon as a gov't agency sees
> "not secure" they say no, no matter what the reasoning or information is
> behind that claim.
I agree - I see the web.config as a safe mechanism for storing data - I
would feel safer if registry keys are used for configuration strings and
maybe a few other things. But if there is a guarantee that the config
cannot be served and it has file level security against it being viewed by
just anyone, I don't think that you can offer any more security - I believe
the security policy for gov't apps just has not evolved to the .NET
application and we are struggling with that transition period...

"Curt_C [MVP]" <software_AT_darkfalz.com> wrote in message
news:udvJTlEOEHA.1276@.TK2MSFTNGP11.phx.gbl...
> but in that rationale NOTHING is secure. Since the web.config is text it has
> a security risk, but the thing is they would need file level access to the
> server, which if they have the contents of the web.config are irrelevant
> anyway since they can already do/see what they want regardless of where it
> is.
> --
> Curt Christianson
> Owner/Lead Developer, DF-Software
> Site: http://www.Darkfalz.com
> Blog: http://blog.Darkfalz.com
we encrypt the values in the web.config, as they pertain to connection
strings and such.
Just use an encryption class and decrypt when using them. Much better
feeling of security too :}

--
Curt Christianson
Owner/Lead Developer, DF-Software
Site: http://www.Darkfalz.com
Blog: http://blog.Darkfalz.com

"mike" <someone@.somewhere.com> wrote in message
news:%23Z35kxEOEHA.2244@.tk2msftngp13.phx.gbl...
> I agree - I see the web.config as a safe mechanism for storing data - I
> would feel safer if registry keys are used for configuration strings and
> maybe a few other things. But if there is a guarantee that the config
> cannot be served and it has file level security against it being viewed by
> just anyone, I don't think that you can offer any more security - I believe
> the security policy for gov't apps just has not evolved to the .NET
> application and we are struggling with that transition period...
That is another thing that we have to do as part of the requirements. All
configuration files must be encrypted, so I am guessing the web.config would
be no exception.

Thanks again for the responses!

"Curt_C [MVP]" <software_AT_darkfalz.com> wrote in message
news:OvqE08EOEHA.3348@.TK2MSFTNGP09.phx.gbl...
> we encrypt the values in the web.config, as they pertain to connection
> strings and such.
> Just use an encryption class and decrypt when using them. Much better
> feeling of security too :}
> --
> Curt Christianson
> Owner/Lead Developer, DF-Software
> Site: http://www.Darkfalz.com
> Blog: http://blog.Darkfalz.com
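
One way the "encrypt the values and decrypt when using them" approach from the thread could look, as an added example that is not code posted by anyone in the discussion. It assumes .NET Framework 2.0 or later on Windows and uses DPAPI (`ProtectedData`) so that no key has to sit beside the ciphertext; the class name, the `dpapi:` prefix, the entropy string and the sample connection string are all made up for illustration.

```csharp
// Added example, not code from the thread. Targets .NET Framework 2.0+ on Windows;
// add a reference to System.Security.dll. All names and values are hypothetical.
using System;
using System.Security.Cryptography;
using System.Text;

public static class ConfigSecret
{
    // Marks a value as DPAPI-protected, so plaintext left in the file is caught.
    private const string Prefix = "dpapi:";

    // Extra entropy mixed into the blob. It is neither a key nor a secret; it only
    // keeps blobs made for this application from being decrypted by accident elsewhere.
    private static readonly byte[] Entropy =
        Encoding.UTF8.GetBytes("example-app/web.config/v1");

    // Run once on the target server and paste the result into web.config.
    // LocalMachine scope: the blob decrypts only on the machine that produced it,
    // but for any account on that machine. CurrentUser scope would bind it to the
    // application's identity instead and needs that account's profile loaded.
    public static string Protect(string plaintext)
    {
        if (plaintext == null) throw new ArgumentNullException("plaintext");
        byte[] blob = ProtectedData.Protect(
            Encoding.UTF8.GetBytes(plaintext), Entropy, DataProtectionScope.LocalMachine);
        return Prefix + Convert.ToBase64String(blob);
    }

    // Call at the point of use, on the value read from web.config.
    public static string Unprotect(string stored)
    {
        if (stored == null) throw new ArgumentNullException("stored");
        if (!stored.StartsWith(Prefix, StringComparison.Ordinal))
            throw new InvalidOperationException(
                "Config value is not protected; refusing to use a plaintext secret.");
        try
        {
            byte[] blob = Convert.FromBase64String(stored.Substring(Prefix.Length));
            byte[] plain = ProtectedData.Unprotect(
                blob, Entropy, DataProtectionScope.LocalMachine);
            return Encoding.UTF8.GetString(plain);
        }
        catch (FormatException ex)
        {
            throw new InvalidOperationException("Protected value is not valid base64.", ex);
        }
        catch (CryptographicException ex)
        {
            // Wrong machine, wrong entropy, or a modified blob.
            throw new InvalidOperationException("Protected value cannot be decrypted here.", ex);
        }
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample value, not a real credential.
        string conn = "Server=db.example.internal;Database=App;User Id=app;Password=constructed-sample";

        string stored = ConfigSecret.Protect(conn);
        Console.WriteLine("<add key=\"ConnectionString\" value=\"" + stored + "\" />");
        Console.WriteLine("Round trip matches: " + (ConfigSecret.Unprotect(stored) == conn));

        try
        {
            ConfigSecret.Unprotect(conn);   // a value someone left in plaintext
        }
        catch (InvalidOperationException ex)
        {
            Console.WriteLine("Plaintext rejected: " + ex.Message);
        }
    }
}
```

Because the blob is tied to the server, it has to be regenerated on each machine the site is deployed to, and it protects against a copied or leaked file rather than against code already running on that server.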
