5 October 2007
While trying to visit a baseball web site, I saw this:
Now, I don't blame the server for being unhappy, since I was trying to look at the score of a Mets game, but let's look at it more closely.
Why does a config file have a login name and password? It turns out that that's a documented feature — or rather, misfeature — of .NET. Some part of the server needs to invoke another subsystem with different privileges; this is a documented and often-recommended way of doing it. It's dubious, from a security perspective, but in many cases it's necessary. More precisely, it's often necessary to store credentials in some file — but why in a configuration file? Why not let the configuration file — a file about which you may want to display diagnostic messages — simply point to another file that contains nothing but the password? (I should add that 'sportsrus' is a very bad password…)
Beyond that, why is the account that's being invoked Administrator? That's the all-powerful, privileged account on Windows systems. The principle of least privilege says that applications should run with as few privileges as possible. Is it really necessary to gain all privileges here? Why?
Finally, why is the detailed error message being displayed to users? There's nothing I can do with the information. Certainly, write it to the log file. Probably, tell the user there's a system error. But the details are useful to end users if and only if they're official system testers. That should have been disabled on a production system.
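The three problems above (credentials in web.config, impersonating Administrator, detailed errors shown to visitors) can be checked mechanically. This is an added example, not from the original post: a small audit over two constructed web.config fragments, one resembling the leaked file and one fixed the way the post suggests, with the `<identity>` section moved into a separate file via ASP.NET's `configSource` attribute and `customErrors` set to `RemoteOnly`.

```python
"""Audit an ASP.NET web.config for the three problems discussed above."""
import xml.etree.ElementTree as ET

# Constructed sample resembling the leaked config: plaintext Administrator
# credentials in <identity>, and detailed errors shown to every visitor.
WEAK_CONFIG = """<configuration>
  <system.web>
    <identity impersonate="true" userName="Administrator" password="example-weak-pw" />
    <customErrors mode="Off" />
  </system.web>
</configuration>"""

# Constructed hardened version: the <identity> section lives in a separate,
# tightly ACL'd file (configSource), and stack traces stay on the server.
HARDENED_CONFIG = """<configuration>
  <system.web>
    <identity configSource="identity.config" />
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx" />
  </system.web>
</configuration>"""

# Account names that should never be impersonated by a web application.
PRIVILEGED_ACCOUNTS = {"administrator", "system", "localsystem"}


def audit_web_config(xml_text):
    """Return a list of findings; an empty list means all checks passed."""
    findings = []
    root = ET.fromstring(xml_text)
    identity = root.find("./system.web/identity")
    if identity is not None:
        user = identity.get("userName")
        if identity.get("password"):
            findings.append("identity: plaintext password stored in web.config")
        # Strip an optional DOMAIN\ prefix before comparing the account name.
        if user and user.rsplit("\\", 1)[-1].lower() in PRIVILEGED_ACCOUNTS:
            findings.append(f"identity: impersonates privileged account {user!r}")
    errors = root.find("./system.web/customErrors")
    # ASP.NET defaults to RemoteOnly when the element or attribute is absent.
    mode = errors.get("mode", "RemoteOnly") if errors is not None else "RemoteOnly"
    if mode.lower() == "off":
        findings.append("customErrors: mode=Off shows stack traces and config to end users")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_web_config(cfg) or ["no findings"])
```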