.NETGURU
ASPNET User Security Issue
This message was discovered on ASPFriends.com 'aspngsec' list.


Ely Lucas
-- Moved from [aspappsecurity] to [aspngsec] by Tim Musschoot --

-- Moved from [aspngvs] to [aspappsecurity] by Tim Musschoot --

Hello,

It seems that when you are running an asp.net app, the security context runs
under the ASPNET user account, not the IUSR_Machinename that is defined in
the IIS MMC.

In a shared hosting environment, this might be dangerous if you give the
ASPNET account RWXD privileges to each user's root folder so they can run
.net apps. This would mean that any user that uses asp.net on a shared
hosting machine would have full access to everyone else's folder who uses
asp.net.

So, my first question is, is it possible to specify which users you want the
process to run under in perhaps the web.config file?

My second question is, how would you handle the security for the folder the
ASPNET account needs access to, such as the c:\winnt\Microsoft .Net folder. If
every user has full access to this folder such as the ASPNET account does,
wouldn't it be possible for each to see all the assemblies that are
created for the other sites?

Third question, does any of this make sense? Is it accurate?

Thanks,
Ely

*******************************************************
Ely Lucas
Systems Admin
CMC Online Services, Inc.
303-451-0236 ph 303-451-0291 fax
www.cmconline.com
*******************************************************

Brad Kingsley
The web host should have impersonation enabled for all sites.

~Brad Kingsley
Microsoft MVP - ASP
Windows 2000 MCSE

http://www.orcsweb.com/
Powerful Web Hosting Solutions
#1 in Service and Support

----- Original Message -----
From: "Ely Lucas"
To: "aspngsec"
Sent: Monday, June 24, 2002 12:57 PM
Subject: [aspngsec] ASPNET User Security Issue

> -- Moved from [aspappsecurity] to [aspngsec] by Tim Musschoot --
[Original message clipped]

Ely Lucas
What would this achieve in regards to the proposed problem?

-----Original Message-----
From: Brad Kingsley
Sent: Monday, June 24, 2002 11:58 AM
To: aspngsec
Subject: [aspngsec] Re: ASPNET User Security Issue

[Original message clipped]
Brad Kingsley
Impersonation causes ASP.Net for each site to run under the context of the
IUSR account defined in IIS. That addresses your issue of all sites running
as the ASPNET user, right? Or is there another issue that you are concerned
about?

~Brad Kingsley
Microsoft MVP - ASP
Windows 2000 MCSE

http://www.orcsweb.com/
Powerful Web Hosting Solutions
#1 in Service and Support

----- Original Message -----
From: "Ely Lucas"
To: "aspngsec"
Sent: Monday, June 24, 2002 1:59 PM
Subject: [aspngsec] Re: ASPNET User Security Issue

[Original message clipped]

Anil John
I am familiar with how to do this at the application level with web.config:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;q306158

But can this be done at the machine.config level (and made non-overridable) for separate IUSR_ accounts associated with each unique site on the server?

i.e. www.1.com is running under IUSR_1
www.2.com is running under IUSR_2

I would want the aspnet account to impersonate both respectively.

I remember having this conversation on this list some time back, but don't remember the exact resolution we came to..

The additional question would be: since the identity of the process that impersonates a specific user on a thread (in this case aspnet) must have the "Act as part of the operating system" privilege, do you have to change the default privileges associated with the aspnet account to enable this?

Anil

---------- Original Message ----------------------------------
From: "Brad Kingsley"
Reply-To: "aspngsec"
Date: Mon, 24 Jun 2002 14:41:38 -0400

[Original message clipped]

--
-- Anil John - http://LearnMobile.net
-- #1 .net Mobile & Wireless Resource
-- Connect with .net - Anytime. Anywhere.
--

Brad Kingsley
[Original message clipped]

I guess you haven't tested this on our servers yet Anil ;-)

Yes, you can configure this setting in the machine.config file. And yes,
that property, and most others I believe, can be locked down so that the
setting can only be adjusted at certain levels (machine level, application
level, etc.).

[Original message clipped]

Well, the actual process doesn't run under the IUSR accounts. Just the code
is executed under those accounts. It is also possible to set the identity of
the aspnet_wp.exe process, but that isn't what I was talking about (and
shouldn't be needed to address the original question).

~Brad Kingsley
Microsoft MVP - ASP
Windows 2000 MCSE

http://www.orcsweb.com/
Powerful Web Hosting Solutions
#1 in Service and Support

----- Original Message -----
From: "Anil John"
To: "aspngsec"
Sent: Monday, June 24, 2002 3:54 PM
Subject: [aspngsec] Re: ASPNET User Security Issue

> I am familiar with how to do this at the application level with
web.config:
[Original message clipped]

site on the server?
[Original message clipped]

the "Act as part of the operating system" privilege, do you have to change
the default privileges associated with the aspnet account to enable this.
[Original message clipped]

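Brad's answer to Anil in configuration form: impersonation switched on in machine.config and locked so a site's own web.config cannot override it. This is an added, constructed fragment, not configuration from the thread or from any of the posters' servers; the processModel line shows the ASP.NET 1.x defaults for the worker-process account that Brad says is a separate matter.

```xml
<!-- machine.config fragment: constructed example, not the thread's own config.
     Everything in it applies to every ASP.NET application on the server. -->
<configuration>
  <system.web>
    <!-- Separate from impersonation: this governs the identity of the
         aspnet_wp.exe worker process itself. userName="machine" is the
         default and means the local ASPNET account; leave enable="true"
         (false hosts ASP.NET inside Inetinfo.exe instead of a worker process). -->
    <processModel enable="true" userName="machine" password="AutoGenerate" />
  </system.web>

  <!-- allowOverride="false" locks the enclosed settings so a site's own
       web.config cannot change them; with no path attribute the block
       applies to all applications on the machine. -->
  <location allowOverride="false">
    <system.web>
      <!-- impersonate="true" with no userName/password makes request code run
           as the account IIS authenticated the request with: for anonymous
           access, the per-site IUSR_ account chosen in the IIS MMC. No extra
           rights on the ASPNET account are needed for this. -->
      <identity impersonate="true" />
    </system.web>
  </location>
</configuration>
```

Each site's IUSR_ account is chosen in the IIS MMC rather than here, so one locked block serves every site. The ASPNET account still needs read access to the web roots because the worker process watches those files for changes.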
Anil John
>I guess you haven't tested this on our servers yet Anil ;-)

Nooooo! Did not want to risk the wrath of K (I could get hit with a flying cookie) :-)

[Original message clipped]

I used the wrong phrasing there.. I meant to ask: in order to have the aspnet account impersonate the IUSR_ account, so that the code is executed with the privileges of the IUSR_ account, is it necessary to give the aspnet account further rights than the default?

When you do this, do you still need to give NTFS access to the file system in the webroot to the aspnet account? I am assuming not.

Anil

--
-- Anil John - http://LearnMobile.net
-- #1 .net Mobile & Wireless Resource
-- Connect with .net - Anytime. Anywhere.
--

Brad Kingsley
----- Original Message -----
[Original message clipped]

No, the default settings are fine.

[Original message clipped]

Actually, the ASPNET user account still needs access because the aspnet_wp.exe
process needs to monitor for file changes and such.

~Brad Kingsley
Microsoft MVP - ASP
Windows 2000 MCSE

http://www.orcsweb.com/
Powerful Web Hosting Solutions
#1 in Service and Support

Ely Lucas
In the machine.config file, I set:

<identity impersonate="true" />

do I need to disable the process model via:

<processModel
enable="false"

or is this totally unrelated?

-----Original Message-----
From: Brad Kingsley
Sent: Monday, June 24, 2002 12:42 PM
To: aspngsec
Subject: [aspngsec] Re: ASPNET User Security Issue

[Original message clipped]
Ely Lucas

I guess my problem really is I cannot get asp.net to function unless I give
read access to the ASPNET account to all the aspx pages and such, and if I
do that, anyone using asp.net can simply <!-- Include
file="c:\inetpub\usersite\index.aspx" --> into anyone else's directory and
successfully get the source code. This happens if I set <identity
impersonate="true" /> or <identity impersonate="false" /> in machine.config.

When I set <identity impersonate="true" /> and do a
Response.write(WindowsIdentity.GetCurrent().Name) I can see that it is
actually using the account I setup in IIS for authentication, but it seems
as if it is still using the ASPNET account for everything relating to dot
net.

-----Original Message-----
From: Brad Kingsley
Sent: Monday, June 24, 2002 2:38 PM
To: aspngsec
Subject: [aspngsec] Re: ASPNET User Security Issue

[Original message clipped]
Brad Kingsley
Do you have each site running as a different IUSR account?

~Brad Kingsley
Microsoft MVP - ASP
Windows 2000 MCSE

http://www.orcsweb.com/
Powerful Web Hosting Solutions
#1 in Service and Support

----- Original Message -----
From: "Ely Lucas"
To: "aspngsec"
Sent: Monday, June 24, 2002 6:08 PM
Subject: [aspngsec] Re: ASPNET User Security Issue

[Original message clipped]

Ely Lucas
Yes, each site runs under its own account specified in IIS MMC. This
account has RWXD permissions on the webroot folder. The Domain Admin
Account and System account also have RWXD permissions. The ASPNET account
only has read permission.

Apart from the ASPNET user, this is how I currently set up all my sites for
shared hosting, and it works under regular asp just fine with no security
problems as such.

-----Original Message-----
From: Brad Kingsley
Sent: Monday, June 24, 2002 5:14 PM
To: aspngsec
Subject: [aspngsec] Re: ASPNET User Security Issue

[Original message clipped]
 Copyright © ExamGuru, Inc. 2001-2006