publishing options - asp.net

Q:
I want to ask whether publishing the .cs and the .aspx files on my server during the web application publishing process is considered bad practice and may cause a security violation or not.
I ask because sometimes I have to do this, because the report files aren't published or the CSS files don't work properly.
When should each of these options be used:
Only files needed to run this application.
All project files.
All files in the source project folder.

This may be a misapplication of the principle, but I always think of the principle of least privilege. By that, I mean:
Do my users need to see any code files (applicable under both "All project files" and "All files in the source project folder")?
Do my users need to see any files in my project folder, but not included in my project (applicable under "All files in the source project folder")?
If the answer to those questions is no, then I publish using only files needed to run this application.
I once made the mistake of publishing a website using "All files in the source project folder", because I needed to deploy a bunch of .css and .js files from a plug-in I used, and didn't know how to quickly include those files in my web project.
However, as soon as I saw all my source code show up in my production folder, I quickly switched my publish option back to "Only files needed to run this application", and deployed deleting all files in the target folder. Then, I looked around to find a way to include all files in a folder that was not in my project, and I've been happier since.
Honestly, even if my users needed to see code of some sort, I'd consider writing a quine before I'd publish copies of my .cs file on any website. People have differing opinions about Internet security, but I often think of this quote from Gene Spafford:
The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts.
If you look around here, you'll find various questions where users are trying to safely encrypt/decrypt connection strings, store data securely in their programs (or databases), and are otherwise trying their best to keep anyone -- even their most trusted users -- from getting access they otherwise shouldn't have.
As unlikely as it might be that a malicious user would try to access the files on your server, I can tell you that it's a lot harder for a malicious user to access the files on my server, because those files don't exist on my server.

Ensure your IIS settings mean that .cs files are not served publicly. This should be the same with any sensitive or non-public filetypes, such as .config.
.aspx files contain your markup, so are typically fine to publish and serve publicly.
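One way to check a publish target for the source files the answers above warn about, as an added example that is not part of the original answers. The extension and directory lists, the function names and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

# Assumed deny-lists for this example; adjust to the project.
SOURCE_EXTENSIONS = {".cs", ".vb", ".csproj", ".vbproj", ".sln", ".user", ".pubxml"}
DEV_DIRS = {".vs", ".git", "obj"}

def audit_webroot(root, allow_dirs=()):
    """Return sorted relative paths that a published site should not contain.

    allow_dirs names top-level folders where source is expected, e.g. App_Code
    in a Web Site project, which ASP.NET compiles at run time.
    """
    root = Path(root)
    allowed = {d.lower() for d in allow_dirs}
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root)
        # Report development-only directories once and do not descend into them.
        for d in list(dirnames):
            if d.lower() in DEV_DIRS:
                findings.append((rel_dir / d).as_posix() + "/")
                dirnames.remove(d)
        top = rel_dir.parts[0].lower() if rel_dir.parts else ""
        if top in allowed:
            continue  # source files are expected under this folder
        for name in filenames:
            if Path(name).suffix.lower() in SOURCE_EXTENSIONS:
                findings.append((rel_dir / name).as_posix())
    return sorted(findings)

def build_sample_site(root):
    """Constructed sample: output of 'All files in the source project folder'."""
    files = ["Default.aspx", "Default.aspx.cs", "Web.config", "bin/Site.dll",
             "Site.csproj", "Site.csproj.user", "Content/site.css",
             "App_Code/Helpers.cs", "obj/Debug/Site.dll",
             ".vs/config/applicationhost.config"]
    for rel in files:
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("sample")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as webroot:
        build_sample_site(webroot)
        for finding in audit_webroot(webroot):
            print("unexpected in web root:", finding)
```

Run against the real publish folder after each deployment; an empty result is the expected outcome for "Only files needed to run this application".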

Related

Automatically correct .vs/config/applicationhost.config

Visual Studio 2015 has moved the IIS Express configuration file from My Documents into its own hidden .vs directory and tells IISExpress.exe to use that configuration file.
While this may sound like a good idea when you have multiple web applications with conflicting configurations, in fact it's not when you have web applications with custom configurations at all, because this config file is in a temporary directory which can be deleted when checking out code into a new location from source control, or when cleaning up things in general.
The old location in the Documents folder is a central location and files there usually won't be deleted. If I need to make some changes to this file, like allowing the application to use Windows authentication, I edit this file once and I'm done. Now with the new location, I may need to make these changes multiple times. And since there are two config files (the old location still exists for me), it's even more confusing.
Then you shouldn't commit anything from .vs into version control, so it's not even possible to share these customisations with other team members.
What is the recommended way to update the applicationhost.config file so that it provides the environment required by the web application? Is there a tool that can run in a pre/post build step? Is there a customisation XML file that can be merged into the default file from .vs?
Is it possible at all to just check out a web application from source control and let it work in a local IIS Express? Or will it always require manual corrections after getting the code and web.config?
PS: I've forgotten one thing: There's the <UseGlobalApplicationHostFile> element in the project file which can be set to true, but as soon as I do that, I get an access denied error message every time I want to start the web application. So that doesn't seem to work well.

Deploying source to web server with deleting not needed files

When developing for asp.net using visual studio for web, it is really convenient that when you deploy your website to the web server, it will cleverly check which files have been changed and only upload those files. In addition, if you deleted some files from your source, it detects that too and deletes those files from the web server since they are no longer needed.
I started developing with the LAMP stack and am wondering how you can deploy to a web server in a similar way.
I tried using Filezilla and on copy/pasting the source files to the web server, you have these options if there are similar files:
-Overwrite
-Overwrite if source is newer
-Overwrite if different size
-Overwrite if different size or source newer
"Overwrite if source is newer" works, kind of, but it only checks the date modified, not the content of the file. Also, the above method does not delete files from the web server that were deleted from the source.
Is there a better way to do this with Filezilla? (or maybe use some other program?)
Thanks.
You can use rsync to accomplish this.
When you want to push out changes you would do something like this from your production server.
rsync -av user@<developmentIp>:/web/root/* /production/web/root/
The pattern is rsync --flags [user@host:]/source/dir [user@host:]/destination/dir
You only need the user@host stuff for remote hosts. The user must have ssh access to the host.
A couple of little suggestions.
The command can be run from the source or destination. I find it better to run the command from the destination, for permissions issues (i.e. you're reading from the remote and writing to the local)
Do some tests first, I always mix up the directory stuff; do I need the end slash, should I use the star, ...
Read the man page, there are a lot of available options that may be helpful (--delete, --exclude, -a)
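The comparison the question asks for, by content rather than modification time and including files that no longer exist in the source, sketched as a dry-run planner. This is an added example, not part of the answer; rsync offers comparable behaviour through its --checksum, --delete and --dry-run options. The function names and the sample trees are constructed for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def content_digests(root):
    """Map relative POSIX path -> SHA-256 of the content of every file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def sync_plan(source, dest):
    """Dry run: return (upload, delete) lists without touching either tree."""
    src, dst = content_digests(source), content_digests(dest)
    # Upload anything missing on the destination or whose content differs.
    upload = sorted(rel for rel, digest in src.items() if dst.get(rel) != digest)
    # Files that exist only on the destination are stale and stay reachable
    # on the web server until they are removed.
    delete = sorted(rel for rel in dst if rel not in src)
    return upload, delete

def build_sample_trees(base):
    """Constructed sample: a source tree and an out-of-date web root."""
    src, dst = Path(base) / "src", Path(base) / "www"
    layout = {
        src: {"index.php": "<?php echo 'v2';", "css/site.css": "body{}"},
        dst: {"index.php": "<?php echo 'v1';", "css/site.css": "body{}",
              "old_upload.php": "<?php /* removed from source */"},
    }
    for root, files in layout.items():
        for rel, text in files.items():
            path = root / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(text)
    # Same size, and the server copy is newer: size and date checks both skip it.
    os.utime(src / "index.php", (1_000_000_000, 1_000_000_000))
    os.utime(dst / "index.php", (2_000_000_000, 2_000_000_000))
    return src, dst

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        upload, delete = sync_plan(*build_sample_trees(base))
        print("upload:", upload)
        print("delete:", delete)
```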

Secure web.config info

We are working on an ASP.NET MVC site. I am a dev who is also responsible for prod deployments with other members of the team distributed across the globe.
Today I started working on the web.release.config transformation file for production deployment, and it made me think that I really don't want other devs to have access to these files since they contain sensitive production information. But in VS 2010 these files are placed right next to the dev web.config, so if I check them in, the rest of the crew will see them.
Is there a recommended way to use VS2010 to apply transformations to web.config files in such a way that these transformation files don't have to be located with the rest of dev files? Or, do I need to use some kind of automated build tools such as NANT or MS Team Server to do that?
Thanks for your advice.
I typically use the src= tag on the web.config connection file to have a separate file for connection strings for the production server that the developers don't have access to, to keep it secure. Then in my build process, I grab the webProd.config file from a more secure place and update the server with it.

What is the difference between copying whole website to server and MSDeploy kind of tools

Maybe I'm totally outdated, but for the last four years I've been using the simple FTP upload feature when uploading a new website, even without building it within Visual Studio. Just a bunch of ASPX and CS files as in Visual Studio.
I do understand that compiling the project will provide me with some security defence, so the ones who have access to the server won't be able to read those files in text editors, and I will avoid first-time compilation, but is that so important?
I mean, you can always do a lot more harm if you have access to the server than just reading CS files instead of DLLs.
First-time compilation usually takes no more than 1 minute; just searching for a compiled version of the site will take as much time.
Now I'm watching a video on PluralSight which explains the new MSDeploy tool available from ASP.NET and I can't see any good reason to use it.
So what's wrong with the old-fashioned way of just sending files via FTP without compiling or using fancy tools?
I did a speed test and with MSDeploy I can deploy a website twice as fast as with old-fashioned FTPing. So instead of 4 minutes it will take 2.
Now from another perspective, when I already have a live project on the web in which I have to change Default.aspx because I have a typo in some HTML tag, deployment via MSDeploy will take 10 times longer than uploading one file.
Maybe I'm missing something?
MSDeploy does things which FTPing to a site can't do. Need to change a machine.config? You're unlikely to have FTP write access to the folder which contains it. Want to change a server setting in a server-version-independent manner? FTP won't do that. Etc. FTP works fine for copying files to folders in which you have write access, but that's all it can do.
When you deploy a project you can do a lot of things with it.
You can set up a job in your deploy that packages all your javascript into one file and all your css into one file.
You can set up a job in your deployment that changes a bunch of config settings to match your production server settings (rather than development settings).
The idea of deployment is that you take your current development website and transform it into a production website without having to do any of that manually.
The most important thing is that when you can only deploy your website you will never forget to package your js or forget to remove some debugging code, because you can't just sneakily update a single file.

How to access files on the windows server 2003 programmatically

I'm trying to build a log viewer for log files stored on our server. I know about the log viewers available on CodePlex, but I'm looking to build something of my own.
Here's what I need to do first and foremost. The log files are stored on the server with address \windows server address\LogFiles. Over here there are various folders with names W3SVC69773105, W3SVC1208646085. Now I can't make head and shoulders of this folder name but each folder represents an application. Inside each folder there are log files for each day.
I need to be able to get the latest file from the server, and then do parsing on it. I want to know how I can access this file located on the server programmatically from my local machine.
Insofar as the folder names, it is actually pretty easy to generate them presuming you can access the IIS API. You see, W3SVC4572 maps to IIS site ID #4572. So, you should have a log folder for each IIS site ID in a rather predictable pattern.
I'll resist my urge to ask why you are in fact reinventing the wheel. Except log parsing is a lot less sexy a technology than wheels . . .
