A colleague raised an interesting security ‘gotcha’ related to web.config files last week. Apparently this particular gem was raised at a recent Microsoft conference in London Village and there was a collective ‘gasp’ from the audience as a roomful of developers realised that at some point they’d probably left at least one of their web applications open to the world’s easiest hack.
In a nutshell, never rename your web.config files to web.config.old, or web.config.bak etc. Unless you’ve explicitly prohibited access to files with this extension, IIS will quite happily serve these files up as readily as it would .html or .jpg files, potentially leaving all the database connection strings, server addresses and other goodies you put in your config files unprotected. Apparently hackers are already well onto this one, and have developed bots to scour sites looking for these renamed files. You have been warned!
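One way to close the hole described above, as an added example rather than anything from the original post: IIS 7 and later ship a request-filtering list that already refuses to serve .config files, but a file named web.config.bak ends in .bak, which is not on that default list. The fragment below, assumed to sit in the site’s own web.config, denies the common backup extensions so that a stray renamed copy returns a 404 instead of its contents.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <!-- allowUnlisted="true" keeps every extension not named here (.html, .jpg, ...) servable,
             so this only adds denials on top of the IIS defaults (which already block .config). -->
        <fileExtensions allowUnlisted="true">
          <!-- IIS matches on the final extension, so web.config.bak is caught by the .bak entry. -->
          <add fileExtension=".bak" allowed="false" />
          <add fileExtension=".old" allowed="false" />
          <add fileExtension=".orig" allowed="false" />
          <add fileExtension=".tmp" allowed="false" />
        </fileExtensions>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```

The better habit is still to keep backups outside the web root entirely; this rule is a safety net for the copies that end up there anyway.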