getting crazy - security

From: "Mike Schwarz" <ctek@ctek.ch>
Date: Wed, 9 Oct 2002 13:56:17 +0200

Okay, most questions here are about authentication and security, I see. I
didn't find my problem and I hope somebody can help me.

Win2000 server, set up as DC
asp framework, sp2 installed

All was running fine, until a user sent me a little aspx script
which was able to browse all drives and files on my computer.

I had the aspnet user entered in machine.config with a password and gave him batch
file rights as discussed in many forums.
But I had no luck preventing him from browsing some of the directories like
winnt\microsoft.net and its subdirectories or, for example, winnt\temp. It seems
that those directories must even have write permission for databases (jet).

So I did the worst thing: I took every right on drive C for IUSR and
ASPNET - nothing was running anymore, event log full of errors.

So, I uninstalled aspnet, beginning from scratch - and I was wondering
which files and folders and which users must have which rights ???? At the
moment, I have lots of errors like MSIInstaller could not start instance
XXXX. So, I added the SYSTEM user to machine.config.
Now it's even worse than before. The script can take control over my whole
machine!!

I'm getting really crazy here with these security issues. Does anybody have a
list of security settings for the users IUSR, IWAM and ASPNET ?
Which permissions do I have to grant / disable, so everything with ASP, ASPNET
and databases is running fine but a user can't access my drives anymore with
File.System.Objects, so highest possible security ????

Sorry for the long text. I'm not a beginner. I tried everything for more than
8 hours with lockfile tools from ms, with third party tools - now I'm giving
up !!

Thank you for any help on this.

mike
