fatal security problem

From: Mike Schwarz (ctek@ctek.ch)
Date: 10/10/02

From: "Mike Schwarz" <ctek@ctek.ch>
Date: Thu, 10 Oct 2002 20:00:12 +0200

I have the framework and SP2 installed
Win2000, IIS5, SP3
domain controller

I changed the user in the config file process model to user aspnet
with the appropriate password.
The aspnet user is a member of the user group 'domain user' like the IUSR_machine.

I now have a script which is able to browse all my web!
As the aspnet user needs read/write permission to certain system folders, I can
even browse through these folders and open ASP files, which are not executed
but shown as code! So conx.asp files of databases are fully readable.

How can I prevent anonymous users like aspnet and IUSR from browsing files
outside their wwwroot?

thank you
