Re: FIX: ASP.NET Does Not Work with the Default ASPNET Account on a Domain Controller
From: Bill Kellaway (billkellaway_at_hotmail.com)
Date: 01/20/04
Date: 19 Jan 2004 22:34:25 -0800
hollymamsft@online.microsoft.com (Holly Mazerolle) wrote in message news:<7br6SKq3DHA.2996@cpmsftngxa07.phx.gbl>...
> Basically, this is not recommended because it will make your system
> vulnerable. By running the process as the System account this basically
> means that if anyone were able to get control of this process they would
> have all of the privileges that SYSTEM would have on the server and as you
> know it has many.
>
> My suggestion would be to create a weak account that has the correct
> permissions, and then
> configure the <processModel> section of the Machine.config file to use
> that account.
>
> Here are some simple steps you can follow to grant NTFS permissions.
> Keep in mind that if you are running the 1.0 framework you will need to
> replace v1.1.4322 with v1.0.3705
>
> 1. Create the domain user and grant it "Log on as a Service", "Log on as a
> Batch Job", "Deny Logon Locally", "Access this Computer from the Network"
> 2. Add domain user to the local Users Group
> 3. Grant domain user read access to C:\Winnt\microsoft.net
> 4. Grant domain user Full Control to C:\WINNT\TEMP
> 5. Grant domain user Full Control to
> C:\winnt\Microsoft.Net\framework\v1.1.4322\Temporary Asp.Net files
> 6. Grant domain user Read access
> to C:\WINNT\Microsoft.Net\Framework\v1.1.4322
> 7. Ensure domain user has Read access
> to C:\Winnt\Microsoft.Net\Framework\v1.1.4322\config
> 8. Ensure domain user has Read access to C:\Winnt\Assembly
> Note: You should use the following command to add permissions to this
> folder because it is a special folder and does not have a security tab
> cacls c:\winnt\assembly /e /t /p domain\useraccount:R
>
> 9. Modify the
> c:\winnt\microsoft.net\framework\v1.1.4322\config\machine.config under
> <processModel> change these lines to read
> userName="domain\user"
> password="password"
> 10. Restart IIS for the machine.config changes to take effect
>
> You can use the following command to enforce the policy changes without a
> reboot:
> SECEDIT /REFRESHPOLICY MACHINE_POLICY /ENFORCE
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
> Holly
Thank you Holly! It worked perfectly. One question - it's my
understanding that the machine.config file is XML. Therefore is the
"domain\user" case sensitive?
Thanks again... Yippee!!!
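
A check for the `<processModel>` change discussed in this thread, as an added example that is not part of either post: it flags a worker process left running as SYSTEM and a password stored literally in machine.config, and it reports miscased attribute names, since XML attribute names are case-sensitive. The sample configurations, the `EXAMPLE\svc_aspnet` account and the function name are constructed for illustration; the `registry:` form is the reference written by Microsoft's aspnet_setreg tool, which the thread does not mention.

```python
import xml.etree.ElementTree as ET

# Constructed samples, not real machine.config contents.
AS_SYSTEM = r'''<configuration><system.web>
  <processModel enable="true" userName="SYSTEM" password="AutoGenerate"/>
</system.web></configuration>'''
AS_DOMAIN_USER = r'''<configuration><system.web>
  <processModel enable="true" userName="EXAMPLE\svc_aspnet" password="Constructed-Pw-1"/>
</system.web></configuration>'''
MISCASED = r'''<configuration><system.web>
  <processModel enable="true" Username="EXAMPLE\svc_aspnet" Password="Constructed-Pw-1"/>
</system.web></configuration>'''


def audit_process_model(xml_text):
    """Return a list of findings for the <processModel> element."""
    root = ET.fromstring(xml_text)
    pm = next(root.iter("processModel"), None)
    if pm is None:
        return ["no <processModel> element found"]
    findings = []
    # XML attribute names are case-sensitive, so "Username" is a different
    # attribute from "userName" and the identity below would read as unset.
    for expected in ("userName", "password"):
        for name in pm.attrib:
            if name != expected and name.lower() == expected.lower():
                findings.append(f"attribute {name!r} should be spelled {expected!r}")
    user = pm.get("userName")
    if user is None:
        findings.append("userName is not set")
    elif user.upper() == "SYSTEM":
        findings.append("worker process runs as SYSTEM")
    # "AutoGenerate" and "registry:" references (written by aspnet_setreg)
    # keep the secret out of the file; anything else is a literal password.
    pw = pm.get("password")
    if pw and pw != "AutoGenerate" and not pw.lower().startswith("registry:"):
        findings.append("clear-text password in machine.config")
    return findings


if __name__ == "__main__":
    for label, sample in (("SYSTEM", AS_SYSTEM), ("domain user", AS_DOMAIN_USER),
                          ("miscased", MISCASED)):
        print(label, "->", audit_process_model(sample))
```

The account name itself is compared without regard to case here because Windows account names are not case-sensitive; only the attribute names are.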