Windows server: Encrypting CFG->dbpass in config.php file

by Ceri Richards -
Number of replies: 1
Hi All,

I've searched through the forums to try and get an answer to this but so far no joy. I'm probably missing something really obvious.

Anyway - is there any way to encrypt the above password setting in the config.php file? At the moment it's displayed in plain text, which maybe is a bit of a security risk? Or am I being paranoid?

Cheers!
In reply to Ceri Richards

Re: Windows server: Encrypting CFG->dbpass in config.php file

by Ken Wilson -

Hi Ceri

As most security experts would argue that paranoia is the best form of security :), this looks like a good idea, but then you would need to have a way of encrypting the password and decrypting it in the code. $CFG->dbpass is used in admin/health.php, admin/utfdbmigrate.php, install.php and lib/setup.php. MD5 hashing comes to mind.

Given that the password is stored in config.php, anyone who had access to this file could also reverse-hash the password. I suppose that this is the same as someone having access to the SAM database on the Windows server.

Logically, then, as long as the config.php file is secured (which it always should be if you keep up-to-date with your server security updates and have the correct NTFS permissions) the source of any compromise can be stopped at the source. Take a look at the security docs for more details of how to secure the server - but one "let's lock the doors" strategy is to not allow the server to go out to the Internet (so stopping the possibility of a listener being installed - which is the standard way of compromising a system), except to known sites such as Windows updates.

Hope this helps!

Ken
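
The NTFS permission check that the reply above relies on, as an added example that is not part of the original thread: a PowerShell audit that reports any broad built-in group allowed to read config.php. The default path and the choice of which groups count as too broad are assumptions; adjust both for your server.

```powershell
# Audit the NTFS ACL on Moodle's config.php for overly broad read access.
# Assumption: the default path is a placeholder; pass your own install path.
param(
    [string]$ConfigPath = 'C:\inetpub\wwwroot\moodle\config.php'  # hypothetical path
)

# Well-known SIDs of groups that should not be able to read a file holding $CFG->dbpass.
# Assumption: this list is illustrative, not a complete policy.
$broadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-7'      = 'Anonymous Logon'
}

function Get-BroadReadAce {
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -LiteralPath $Path
    $readBit = [int][System.Security.AccessControl.FileSystemRights]::ReadData

    foreach ($ace in $acl.Access) {
        # Only Allow entries that include the file-read bit are of interest.
        # Generic rights bits are not decoded here.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.FileSystemRights -band $readBit) -eq 0) { continue }

        # Compare by SID so localized group names still match.
        try {
            $sid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # unresolvable account: nothing to compare

        if ($broadSids.ContainsKey($sid)) {
            [pscustomobject]@{
                Principal = $broadSids[$sid]
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

$findings = @(Get-BroadReadAce -Path $ConfigPath)
if ($findings.Count -eq 0) {
    "OK: no broad group has read access to $ConfigPath"
} else {
    $findings | Format-Table -AutoSize
}
```

An entry reported with `Inherited = True` comes from a parent folder, so the fix belongs on the folder ACL or requires disabling inheritance on the file.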