Re: ASPNET User Problem in Shared Hosting Environment

From: Arild Bakken (arildb_@hotmail.com)
Date: 07/29/02


From: "Arild Bakken" <arildb_@hotmail.com>
Date: Mon, 29 Jul 2002 14:06:10 +0200


NTFS security as follows:

ParentFolder (the folder one level above application folder)
  aspnet: List Folder / Read Data with enable inherit (use adv. view)
  customeruser: List Folder / Read Data with enable inherit (use adv. view)

Appfolder (the folder where the application resides)
  customeruser: List Folder Contents & Read (use normal view)

Web.Config in Appfolder
  aspnet: Read (use normal view)

This way, if the customer tries to revert the impersonation it won't have
access to read data files etc. in the folders (like text files, Access databases,
other customers' files). They may still read the Web.Config file which may
contain application settings with things like connection strings, but if
these are encrypted or stored in other files then there's little harm.

And speaking of horrible setups, I've seen hosting companies on the "old"
ASP platform that don't even create a separate IUSR account for their
hosted customers.

Arild

"Mr Snorkel" <snorkelmeister@yahoo.com> wrote in message
news:bf7d325e.0207290317.76c49b68@posting.google.com...
> Sounds good - I think it would be possible to lock things down enough
> to bring risks within acceptable limits under the kind of controlled
> conditions you're talking about. I'd be interested to hear exactly
> what you've done with the ASPNET user's privileges & permissions.
>
> I'm more concerned about the generic hosting companies. I've seen some
> pretty serious business sites beginning to bubble up on shared hosting
> services, and I don't imagine most of their owners understand how
> vulnerable their content is. Some of the big hosting companies
> *certainly* don't (poke around a bit, and you'll find their laxity
> hair-raising). What bothers me is that if no-one tackles this very
> soon, a big scandal will hit, and damage the image of ASP.NET as a
> secure web application platform in the eyes of business. As a .NET
> developer, that's the last thing I want to see.
>
> "Arild Bakken" <arildb_@hotmail.com> wrote in message
> news:<#Gcx0UjNCHA.2368@tkmsftngp10>...
> > Hi,
> >
> > I really didn't doubt it, it just slipped my mind that it was just the
> > thread that was impersonated. I just did a test on this - everything
> > works fine when setting proper security and enabling impersonation, but
> > if my code just issues a RevertToSelf(), it's running as the ASPNET
> > account again.
> >
> > I've been able to strip down the rights allocated to the ASPNET account
> > on the system so that it cannot access other customers' files, but it
> > still needs read access on the Web.Config file, and that still poses a
> > security issue. I'm sure if I dig even deeper there are more issues
> > with the fact that it's just impersonation and not a separate process.
> >
> > But then again, the customers we are hosting are not allowed to add
> > stuff themselves to the server, and all updates and fixes are run
> > through our test-team before we deploy it to the servers, so if we just
> > make sure that they do all kinds of security tests, and also check for
> > imports of external dll methods, we might still be able to use this.
> >
> > Thanks for the input.
> >
> >
> > Arild
> >
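The layout in Arild's post is easy to get wrong in practice: the default NTFS ACL on most folders grants BUILTIN\Users read access, and the ASPNET account picks that up through group membership even after every explicit ASPNET entry has been stripped. The PowerShell audit below is an added example, not code from the original post or any of its participants. It walks one customer's application folder and reports every file or folder on which the worker account, or a broad group it is normally a member of, is allowed read access other than the Web.Config the worker legitimately needs. The folder path, the account name and the group list are assumptions; the check inspects only ACEs that name those identities directly, so it is a quick sanity check rather than a full effective-access calculation.

```powershell
# Added example (not from the original thread): audit one application folder
# for the "worker account reads only Web.Config" layout described above.
param(
    [string]$AppFolder     = 'D:\Hosting\Customer1\App',      # assumed location of Appfolder
    [string]$WorkerAccount = "$env:COMPUTERNAME\ASPNET",      # assumed worker-process account
    # Broad groups the worker account is usually a member of; an Allow ACE for
    # these grants the worker read access just as surely as a direct ACE does.
    [string[]]$BroadGroups = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users')
)

# ReadData (files) and ListDirectory (folders) share bit 0x1 in FileSystemRights.
$readBit  = [int][System.Security.AccessControl.FileSystemRights]::ReadData
$findings = @()

# Include the application folder itself, then everything below it (hidden files too).
$items = @(Get-Item -LiteralPath $AppFolder) + @(Get-ChildItem -LiteralPath $AppFolder -Recurse -Force)

foreach ($item in $items) {
    $acl = Get-Acl -LiteralPath $item.FullName
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }

        $who = $ace.IdentityReference.Value
        if ($who -ne $WorkerAccount -and $BroadGroups -notcontains $who) { continue }

        # Generic rights (GENERIC_READ / GENERIC_ALL) show up as a negative Int32;
        # they always imply read, so treat them the same as an explicit ReadData bit.
        $rights = [int]$ace.FileSystemRights
        $grantsRead = ($rights -lt 0) -or (($rights -band $readBit) -ne 0)
        if (-not $grantsRead) { continue }

        # The one legitimate exception in the described layout: the worker
        # account reading Web.Config in the application folder.
        $isWebConfig = (-not $item.PSIsContainer) -and ($item.Name -ieq 'web.config')
        if ($isWebConfig -and $who -eq $WorkerAccount) { continue }

        $findings += [pscustomobject]@{
            Path      = $item.FullName
            Identity  = $who
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited     # inherited ACEs usually mean a parent folder needs fixing
        }
    }
}

if ($findings.Count -eq 0) {
    "OK: no read access for $WorkerAccount (or $($BroadGroups -join ', ')) below $AppFolder except Web.Config"
} else {
    "Read access that a RevertToSelf() would expose:"
    $findings | Sort-Object Path | Format-Table -AutoSize
}
```

Run it as an administrator on the hosting server after applying the ACLs; an inherited finding for BUILTIN\Users on the application folder is the typical result the first time, and the fix is to break inheritance at the customer's parent folder rather than to add more Deny entries. Because the script only matches ACEs by name, nested group membership (for example a custom group that contains ASPNET) would not be reported, which is why it is a check and not a proof.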


