RE: Hosting multiple sites/ASP.NET security
From: Wyant, Wade (wwyant@itsbreakwater.com) Date: 09/19/02
Date: Thu, 19 Sep 2002 14:34:10 -0400 From: "Wyant, Wade" <wwyant@itsbreakwater.com> To: "Rado Stoyanov" <radostoyanov@softhome.net>, <focus-ms@securityfocus.com>
I spent several months on a Microsoft project that used ASP.NET to
develop a new ecommerce web site. This was one of the many problems we
ran into with ASP.NET. It gets worse when you try to use it on a domain
level (the ASP.NET account), not just a single machine. Anyway, the bad
news is, I worked with many of the Microsoft Developers that worked on
ASP.NET, and we could not find a reasonable way of handling many of the
problems we found with this account. The only good solution I received
was that it would be worked out in the next rev. I know this doesn't
help, but it gives you an idea that you are only scratching the surface
of the problems with the ASP.NET anonymous web user account. Good luck!
Wade
-----Original Message-----
From: Rado Stoyanov [mailto:radostoyanov@softhome.net]
Sent: Thursday, September 19, 2002 8:56 AM
To: focus-ms@securityfocus.com
Subject: Hosting multiple sites/ASP.NET security
Hello,
I host several web sites that I own on a single web server (Windows
2000). It's possible to choose a separate Anonymous web user account for
each of the sites in IIS 5, and ASP applications run in the context of
their own anonymous users. This is wise, because each of the anon users is
permitted to access only the corresponding web site's directories, and not
other web sites' directories.
Unfortunately, when I am migrating to ASP.NET, I have faced the problem
that there's a single account called ASPNET and all web applications run
under this account, no matter which is the current IIS web's
anonymous user.
My question is: is there any method to achieve the same with ASP.NET, or
are there any alternative considerations that can be taken, in order to
have a secure multi-hosting environment?
Thanks,
Rado