RE: FIX: ASP.NET Does Not Work with the Default ASPNET Account on a Domain Controller
From: Holly Mazerolle (hollymamsft_at_online.microsoft.com)
Date: 01/19/04
Date: Mon, 19 Jan 2004 15:40:27 GMT
Basically, this is not recommended because it will make your system
vulnerable. By running the process as the System account this basically
means that if anyone were able to get control of this process they would
have all of the privileges that SYSTEM would have on the server and as you
know it has many.

My suggestion would be to create a weak account that has the correct
permissions, and then configure the <processModel> section of the
Machine.config file to use that account.
Here are some simple steps you can follow to grant NTFS permissions.
Keep in mind that if you are running the 1.0 framework you will need to
replace v1.1.4322 with v1.0.3705.

1. Create the domain user and grant it "Log on as a Service", "Log on as a
   Batch Job", "Deny Logon Locally", "Access this Computer from the Network"
2. Add domain user to the local Users Group
3. Grant domain user Read access to C:\Winnt\microsoft.net
4. Grant domain user Full Control to C:\WINNT\TEMP
5. Grant domain user Full Control to
   C:\winnt\Microsoft.Net\framework\v1.1.4322\Temporary Asp.Net files
6. Grant domain user Read access to
   C:\WINNT\Microsoft.Net\Framework\v1.1.4322
7. Ensure domain user has Read access to
   C:\Winnt\Microsoft.Net\Framework\v1.1.4322\config
8. Ensure domain user has Read access to C:\Winnt\Assembly
   Note: You should use the following command to add permissions to this
   folder because it is a special folder and does not have a security tab:

       cacls c:\winnt\assembly /e /t /p domain\useraccount:R

9. Modify the
   c:\winnt\microsoft.net\framework\v1.1.4322\config\machine.config: under
   <processModel> change these lines to read

       userName="domain\user"
       password="password"

10. Restart IIS for the machine.config changes to take effect

You can use the following command to enforce the policy changes without a
reboot:

    SECEDIT /REFRESHPOLICY MACHINE_POLICY /ENFORCE
This posting is provided "AS IS" with no warranties, and confers no rights.
Holly
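
The NTFS grants in steps 3 to 8 above, collected into one batch file. This is an added example and not part of the original post: the file name grant-aspnet.cmd, the variable names and the :grant helper are hypothetical, and the paths are the C:\WINNT defaults the post uses. Steps 1, 2, 9 and 10 are still done by hand.

```bat
@echo off
rem Added example (not from the original post). Applies steps 3-8 with cacls.
rem Usage: grant-aspnet.cmd DOMAIN\user [v1.1.4322 ^| v1.0.3705]
setlocal
set ACCT=%~1
set FXVER=%~2
if "%ACCT%"=="" (
    echo Usage: %~nx0 DOMAIN\user [v1.1.4322 ^| v1.0.3705]
    exit /b 1
)
rem Default to the 1.1 framework; pass v1.0.3705 for the 1.0 framework.
if "%FXVER%"=="" set FXVER=v1.1.4322

set NETROOT=C:\WINNT\Microsoft.NET
set FXDIR=%NETROOT%\Framework\%FXVER%
if not exist "%FXDIR%\config\machine.config" (
    echo Framework folder "%FXDIR%" not found. Check the version argument.
    exit /b 1
)

rem /E edits the existing ACL instead of replacing it. /P sets this one
rem account's entry, so running the script twice leaves a single entry.
call :grant "%NETROOT%" R || goto fail
call :grant "C:\WINNT\TEMP" F || goto fail
call :grant "%FXDIR%\Temporary ASP.NET Files" F || goto fail
call :grant "%FXDIR%" R || goto fail
call :grant "%FXDIR%\config" R || goto fail
rem Step 8: the assembly folder has no Security tab; /T as in the post.
call :grant "C:\WINNT\assembly" R /T || goto fail

rem Print the resulting ACLs so the account's entries can be reviewed.
cacls "%FXDIR%"
cacls "%FXDIR%\Temporary ASP.NET Files"
exit /b 0

:fail
echo A grant failed. Review the messages above before restarting IIS.
exit /b 1

:grant
rem %1 = quoted path, %2 = R (read) or F (full control), %3 = optional /T
if not exist %1 (
    echo Missing: %1
    exit /b 1
)
cacls %1 /E %3 /P "%ACCT%:%2"
exit /b %errorlevel%
```

Only the assembly folder is processed with /T, matching the command in the post; the other grants are set on the named folder itself.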