
What's Wrong With This Code? (#7)

Tuesday, October 10, 2006

This time, Joe Developer is building a web application for the company intranet. Most of the site is available to anonymous users, but one directory, the adminPages directory, should only be accessible to users in the machine's local administrators group. Joe added the following to the bottom of his web.config and is feeling pretty secure.

  <location path="adminPages">
    <system.web>
      <authorization>
        <allow roles="BUILTIN\Administrators" />
        <deny users="?" />
      </authorization>
    </system.web>
  </location>

Should Joe be worried?
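
Rules like these can be checked mechanically instead of by eye. The following is an added example, not code from the original post: a small Python model of ASP.NET URL authorization (the first matching rule decides, and the inherited root configuration ends the merged list with `<allow users="*" />`) run against Joe's rules. The account names, the three test identities and the `deny users="*"` variant are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Joe's rules inside the wrapper elements ASP.NET expects (constructed sample).
JOE_CONFIG = r"""<location path="adminPages">
  <system.web>
    <authorization>
      <allow roles="BUILTIN\Administrators" />
      <deny users="?" />
    </authorization>
  </system.web>
</location>"""
STRICT_CONFIG = JOE_CONFIG.replace('users="?"', 'users="*"')  # constructed variant
# The inherited root configuration ends the merged rule list with this default.
INHERITED_DEFAULT = [("allow", {"users": "*"})]

def load_rules(config_xml):
    """Rules in document order, followed by the inherited default."""
    auth = next(ET.fromstring(config_xml).iter("authorization"))
    return [(el.tag, dict(el.attrib)) for el in auth] + INHERITED_DEFAULT

def _split(value):
    return [v.strip().lower() for v in value.split(",") if v.strip()]

def matches(attrs, user, roles):
    """user is None for an anonymous request; '?' = anonymous, '*' = everyone."""
    for name in _split(attrs.get("users", "")):
        if name == "*" or (name == "?" and user is None):
            return True
        if user is not None and name == user.lower():
            return True
    return bool(set(_split(attrs.get("roles", ""))) & {r.lower() for r in roles})

def is_allowed(rules, user, roles=()):
    """First matching rule decides, as in ASP.NET URL authorization."""
    for action, attrs in rules:
        if matches(attrs, user, roles):
            return action == "allow"
    return False

def audit(config_xml):
    """Decision for three constructed identities (names are hypothetical)."""
    rules = load_rules(config_xml)
    cases = {"admin": (r"PC\alice", [r"BUILTIN\Administrators"]),
             "anonymous": (None, []),
             "non-admin": (r"PC\bob", [r"BUILTIN\Users"])}
    return {k: is_allowed(rules, u, r) for k, (u, r) in cases.items()}

if __name__ == "__main__":
    print("as written:", audit(JOE_CONFIG), "\nwith deny *:", audit(STRICT_CONFIG))
```

The model ignores the `verbs` attribute and assumes Windows authentication supplies the role names.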