Re: ASPNET User Problem in Shared Hosting Environment
From: Ben Miller [MS] (benmi@online.microsoft.com)
Date: 06/27/02
- Next message: Braduceanu Nicolae: "asymetric encryption"
- Previous message: Simon Pallister: "Re: Web service to ruin under a certain NT account"
- In reply to: Ely Lucas: "ASPNET User Problem in Shared Hosting Environment"
- Next in thread: M. Shawn Dillon: "Re: ASPNET User Problem in Shared Hosting Environment"
- Reply: M. Shawn Dillon: "Re: ASPNET User Problem in Shared Hosting Environment"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Ben Miller [MS]" <benmi@online.microsoft.com> Date: Wed, 26 Jun 2002 22:32:53 -0600
http://www.msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetse
c/html/V1securitychanges.asp?frame=true
Watch for URL wrap. This should give you an idea of what this is all about.
Ben Miller
This post is provided "AS IS" and confers no rights or warranties.
"Ely Lucas" <ely@cmconline.com> wrote in message
news:uhhpa6p7u09c2@corp.supernews.com...
> Hello,
>
> I am trying to setup a win2k server that will be used for shared hosting
> services, and am trying to figure out how asp.net is going to be able to
run
> secure on the server.
>
> In the asp days, you would give each website its own IIS_User account to
run
> under, and give that user RWXD permission to it's web root folder. You
would
> remove the Everyone group and also give the admin group full permission on
> the folder. This would keep users who are developing apps that are going
to
> be hosted on that machine from poking around in each others directories
with
> the file scripting object, include files, etc...
>
> With asp.net, it seems like everything is ran under the ASPNET user
account.
> The problem here being, the ASPNET account needs Read permission to every
> site on the server so it can monitor file changes and such for the
> framework.
>
> When a user runs an aspx page, it runs under the ASPNET account that has
> read permissions to everyone elses aspx pages. So anyone can do a <!--
> #Include File="c:\inetpub\site1\allmylovelypasswords.aspx" --> into
someone
> elses directory and get their source code. And that is just the
beginning...
>
> I have messed around the Impersonation, and set the machine.config up as
> follows:
>
> <identity impersonate="true" />
>
> And when this happens, it seems like it is working, because when I do a
>
> Response.write(WindowsIdentity.GetCurrent().Name)
>
> it returns my IIS_User for that particular site that I have setup in the
IIS
> MMC. However, this site is still able to browse through and view any
> resource on the hard drive that the ASPNET user has access to (which,
> remember, has to be all the aspx pages on the entire server, the
> Microsoft.NET folder, and more).
>
> So, I guess what I am wondering is, what is the best practice for setting
up
> asp.net in a shared hosting environment? What are all the big hosts doing
> out there? What does Microsoft have to say about this (there are no docs
at
> all in their web hoster program)?
>
> Thanks,
> Ely
>
>
>
>
- Next message: Braduceanu Nicolae: "asymetric encryption"
- Previous message: Simon Pallister: "Re: Web service to ruin under a certain NT account"
- In reply to: Ely Lucas: "ASPNET User Problem in Shared Hosting Environment"
- Next in thread: M. Shawn Dillon: "Re: ASPNET User Problem in Shared Hosting Environment"
- Reply: M. Shawn Dillon: "Re: ASPNET User Problem in Shared Hosting Environment"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
