Setting validationKey at server vs. site vs. app level

3
votes

Our production environment has three load-balanced servers. On each server, there are nine sites in IIS. In each site, there are between 1 and 15 different apps.

To maintain proper encryption/decryption across all three servers, the same validationKey and decryptionKey should be used for the corresponding apps. This can be set at three levels: - Server level in machine.config - Site level in web.config - App level in web.config

There are obviously pros and cons to setting it at each level but I was wondering if anyone can give some concrete reasons to do it at server vs. site vs. app.

In the machineKey Web Farm Deployment Considerations section, there is a blurb

If you want to isolate your application from other applications on the same server, place the in the Web.config file for each application on each server in the farm.

Is the validationKey a big enough threat vector to justify using a different key on ~100 different apps across three servers? I know, I know. How much risk am I willing to take? What industry am I in? What would I want someone to do with my data? etc.

Of course, I suspect that in the end, we will put it at all three levels just to make sure that we cover our bases across the board when new sites or apps are added. But I'm not really looking forward to the regression testing effort.

Thanks, Matt

1
asp.netweb-configmachinekeymachine.config

1 Answers

0
votes

Partially boils down to preference, mostly related to what individuals consider to be "noise" within config files, but storing configuration at either level (appropriately, of course) is functionally the same.

For example, if you have some setting that is shared across all apps on the same server, that could be a good candidate for machine.config, rather than repeating it in every web.config that you may have there.

In my opinion, the place for validation/encryption keys is in web.config files - you do not want to share those across multiple (especially unrelated, from the authentication level) web-apps on the same server (obvious security issue).

Placing same settings at all available levels, "just to make sure", is silly (for the lack of better word). Don't. You'll confuse some maintenance guy in future (when you leave), and extras and "unnecessaries" are often invitations for abuse.