In an attempt to make it easy for an administrator to modify the groups users are authorised against in my ASP .NET MVC web application, I have put group names in my Web.config as appSettings.
<add key="User" value="VDP ICMD Users"/>
<add key="SuperUser" value="VDP ICMD Super Users"/>
<add key="Administrator" value="VDP ICMD Administrator"/>
The values related to actual Active Directory group names. Then in my controllers, using my custom AuthorizeAttribute I can simply write
[AuthorizeAD(GroupKeys = "User")]
My question is, is it bad practice to put sensitive information like the group names in a Web.config file where they can be easily be changed? Is it easy for someone to access the Web.config file other than by logging into the server itself?
If it’s easy or not to access to the web.config it depends of your infraestructure and security policies. It’s not a browseable file so if someone wants to steal the web.config needs to get into your server. (Another option would be a existing or future security hole on the ASP.NET flow, it happened before but we hope this to be the less likely case).
It’s a good practice to store as less sensitive information as possible but it’s really hard to have nothing.
You can encrypt sensible information on your configuration file though. Here you have a walktrough explaining how to do it.