Re: ASP.NET security issue
From: Ed leNoir (EDLENO@safeco.com)
Date: 10/31/02
- Next message: Ed leNoir: "impersonate in global.asax.cs instead of page load"
- Previous message: Ed leNoir: "Re: How to use WindowsPrincipal properly??"
- In reply to: Leo de Ruyter: "Re: ASP.NET security issue"
- Next in thread: Leo de Ruyter: "Re: ASP.NET security issue"
- Reply: Leo de Ruyter: "Re: ASP.NET security issue"
From: EDLENO@safeco.com (Ed leNoir) Date: 30 Oct 2002 21:23:45 -0800
There's an MS article on the security needed by aspnet on a web server.
The prior poster mentioned some of the dirs. Get the KB article (I
don't have it in front of me right now) but a search on aspnet and
winnt\temp should find it. It's not a long list of directories, but
they do have to have rights. In your case it may be as you thought
that the account the process is running under can't build the
assemblies either into winnt\assemblies or winnt\microsoft.net, etc.
If you are using impersonation then the impersonating account may also
need access - certainly to the winnt\microsoft.net dirs I know for
certain.
Another common problem with impersonation is if your app needs to
create one time keys in the registry. In this case the app only works
after an admin uses it because then their security is allowed to write
the key. A good example of this problem is a dotnet application that
writes to the event log. It's documented that you have to either (1)
have an admin use the system the first time, or (2) create a key using
a .reg file and include it in your installation.
The aspnet account security settings are known to get broken by
installing some other Microsoft products. I've had to uninstall and
reinstall the dotnet framework so the file ACLs for the aspnet account
would be re-setup.
- Ed
"Leo de Ruyter" <LeoDeRuyter@Hotmail.com> wrote in message news:<aplirs$ln1$1@reader11.wxs.nl>...
> In fact everything works fine if an administrator is FIRST to run the
> ASP.NET application. The problem only exists RIGHT AFTER deployment. The
> administrator has to run the app first in order to let the 'regular user'
> run the app after the administrator has.
>
> Leo.
>
>
> "developer1996" <developer1996@operamail.com> wrote in message
> news:132101c27b6e$c5653b00$3bef2ecf@TKMSFTNGXA10...
> > I ran into this error before. I had to double check all
> > the directories user ASPNET was accessing. Check your
> > file permissions on these directories...
> >
> > Temp
> > WINNT\Microsoft.NET - [ALSO THE CHILD DIRECTORIES].
> > Make sure the user ASPNET has access to these directories.
> >
> > Depending on what your application does you may have to
> > give write access.
> >
> >
> > >-----Original Message-----
> > >Hi all,
> > >
> > >After copying an ASP.NET application from a development server to a
> > >webserver, the following situations apply to my situation:
> > >
> > >1 - An administrator is able to start the application the first time via the
> > >internet. After that, regular users are able to start the application via
> > >the internet. Everything works fine.
> > >
> > >2 - If a regular user tries to start the ASP.NET for the first time, without
> > >the administrator starting the application before him, a familiar security
> > >message appears: 'Failed start monitoring directory changes'.
> > >
> > >So in order to make things work I have to start the application(s) as an
> > >administrator first to enable all regular users to start the application
> > >afterwards.
> > >
> > >N.B.: IIS is running with basic authentication and with ASP.NET-,
> > >administrator- and certain regular user-rights on the application directory.
> > >
> > >I assume this has something to do with the fact that a regular user is not
> > >able to JIT-compile the ASP.NET application. Is this the case and how can it
> > >be solved?
> > >
> > >
> > >Thanks in advance,
> > >Leo de Ruyter.
> > >
> > >
> > >.
> > >
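
The checks discussed in this thread, as an added example that is not part of any poster's message: a PowerShell audit of the ACEs the ASP.NET worker account holds on the directories named above, plus a check for the event log source key. The account name, the `MyWebApp` source name and the use of the Application log are assumptions.

```powershell
# Added example (not from the thread). Assumptions: the account and event
# source names below are placeholders; adjust them for the server being checked.
param(
    [string]$Account     = "$env:COMPUTERNAME\ASPNET",
    [string]$EventSource = 'MyWebApp'      # hypothetical event source name
)

# Directories named in the thread, resolved against the Windows directory.
$paths = @(
    (Join-Path $env:SystemRoot 'Temp'),
    (Join-Path $env:SystemRoot 'Microsoft.NET')
)

# Resolve the account to a SID so the comparison does not depend on name format.
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
    [System.Security.Principal.SecurityIdentifier])

foreach ($path in $paths) {
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "$path does not exist"
        continue
    }
    # Explicit and inherited ACEs, with identities returned as SIDs.
    $rules = (Get-Acl -LiteralPath $path).GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference.Value -eq $sid.Value }

    if (-not $rules) {
        # Only ACEs naming the account itself are matched; rights that come
        # through a group such as Users are not resolved here.
        Write-Warning "$Account has no ACE of its own on $path"
        continue
    }
    $rules | Select-Object @{n='Path';e={$path}}, AccessControlType,
        FileSystemRights, IsInherited
}

# The event log source is a registry key under the log's service key; it must
# exist before an unprivileged account writes its first event.
$key = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Application\$EventSource"
if (Test-Path -LiteralPath $key) {
    "Event source key present: $key"
} else {
    Write-Warning "Event source key missing: $key (create it at install time)"
}
```

The script only reads ACLs and the registry; it checks the top-level directories and does not recurse into the child directories mentioned in the thread.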