Re: How to run aspnet with system account

From: Juan T. Llibre (nomailreplies_at_nowhere.com)
Date: 04/07/05


Date: Thu, 7 Apr 2005 09:35:42 -0400

Aargh!

This thread is getting to be worse than the VB vs. C# thread.

While, certainly, you *can* use system, *recommending* that
it be used might open a can of worms for some poor developer
who won't understand why, all of a sudden, nothing works
because somebody screwed up royally trying out a procedure,
or because the system was hacked, or because the system was
maliciously used by a disgruntled employee.

Since we're getting down to citing Microsoft documents as a bible,
here's another "official doc" :

http://support.microsoft.com/kb/315158/

To work around this problem, use one of the following methods:

1. Create a weak account that has the correct permissions, and then
configure the <processModel> section of the Machine.config file to use
that account.

2. Set the userName attribute to SYSTEM in the <processModel>
section of the Machine.config file.

3. Configure the <processModel> section of the
Machine.config file to use an administrator account.

Note : *Allowing ASP.NET applications to run as SYSTEM or an
administrator account has serious security implications.*

*Therefore, Microsoft recommends that you use the first workaround.*

( Asterisks added by me... )

Granted, that section specifically refers to domain controllers,
because of the inherent danger in opening your domain to a
potential attack, which would net the attacker control over your
whole domain.

In the case of a box which only serves as a web server instead of a
domain controller, you'd only be giving up control over your *web server*
to a hacker, a dumb programmer, or a disgruntled employee.

Lucky you!

;-)

Juan T. Llibre
ASP.NET MVP
http://asp.net.do/foros/
Foros de ASP.NET en Español
Ven, y hablemos de ASP.NET...
======================

"Kevin Spencer" <kevin@DIESPAMMERSDIEtakempis.com> wrote in message
news:%23pmeHG3OFHA.3380@TK2MSFTNGP15.phx.gbl...
> The "official docs" eh? Is this an "official doc?"
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;317012
>
> The problem with following instructions without understanding the whys and
> wherefores of those instructions is that, when one encounters an
> "exception" situation, one has only the instructions one has read to rely
> on. It is far better to understand the whys and wherefores that spawned
> those instructions, and the context in which they were given, or you might
> wind up in a church where they don't allow you to wear short sleeves!
>
> --
> ;-),
>
> Kevin Spencer
> Microsoft MVP
> .Net Developer
> What You Seek Is What You Get.
>
> "Gerry Hickman" <gerry666uk@yahoo.co.uk> wrote in message
> news:eRWCojvOFHA.1564@TK2MSFTNGP14.phx.gbl...
>> Hi Kevin,
>>
>>> Well, darn Gerry. Now I feel REALLY lucky! Our server has been world
>>> facing for years. And despite all that, no problems! Not that we don't
>>> get attacked. Just lucky I suppose...
>>
>> That's good news, but in many corporations it would be a sackable
>> offence. It's equivalent to deliberately implementing weak security.
>>
>> Actually, I'm not even sure I understand you. Are you saying you're running
>> the ASP.NET worker process as SYSTEM, or something else? If it's the
>> ASP.NET worker process, it does not make any sense to me to run it as
>> SYSTEM. How did you achieve this? Did you use the machine.config file??
>>
>> Here's an extract from the official docs:
>>
>> Do Not Run ASP.NET as SYSTEM
>>
>> Do not use the SYSTEM account to run ASP.NET and do not grant the ASP.NET
>> process account the "Act as part of the operating system" user right.
>> Doing so defeats the principle of least privilege and increases the
>> damage that can be done by an attacker who is able to execute code using
>> the Web application's process security context.
>>
>>
>> --
>> Gerry Hickman (London UK)
>
>

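The thread turns on one attribute: `userName` in the `<processModel>` section of Machine.config, which sets the identity of the ASP.NET 1.x worker process. As an added example (not code from the thread or from Microsoft), here is an audit that parses constructed Machine.config fragments and flags the settings the posts argue over: SYSTEM, a local administrator, or a clear-text password beside a custom account. The account name `aspnet_svc`, the registry key path, and the `local_admins` list are assumptions supplied for illustration. One caveat: under IIS 6 worker-process isolation the application pool identity is used and `<processModel>` identity settings are ignored, so this check is meaningful for IIS 5.x / ASP.NET 1.x hosting.

```python
"""Audit the ASP.NET 1.x <processModel> identity in Machine.config.

Added example: embeds constructed config fragments and classifies the
worker-process identity the way the KB article's workarounds describe
(least-privilege account vs. SYSTEM vs. administrator).
"""
import xml.etree.ElementTree as ET

# Identities that hand the worker process full control of the host.
HIGH_PRIVILEGE = {"system", "localsystem", "nt authority\\system"}

# Constructed fragment: workaround 2 from the KB, the one the thread argues against.
WEAK_CONFIG = """<configuration>
  <system.web>
    <processModel enable="true" userName="SYSTEM" password="AutoGenerate" />
  </system.web>
</configuration>"""

# Constructed fragment: workaround 3, an administrator with a clear-text password.
ADMIN_CONFIG = """<configuration>
  <system.web>
    <processModel enable="true" userName="WEBSRV\\Administrator" password="s3cret" />
  </system.web>
</configuration>"""

# Constructed fragment: workaround 1, a dedicated low-privilege account whose
# credentials were stored with aspnet_setreg.exe (key path is hypothetical).
HARDENED_CONFIG = """<configuration>
  <system.web>
    <processModel enable="true"
      userName="registry:HKLM\\SOFTWARE\\MyApp\\Identity\\ASPNET_SETREG,userName"
      password="registry:HKLM\\SOFTWARE\\MyApp\\Identity\\ASPNET_SETREG,password" />
  </system.web>
</configuration>"""


def process_model(config_xml):
    """Return the <processModel> element's attributes, or None if absent."""
    root = ET.fromstring(config_xml)
    pm = root.find("./system.web/processModel")
    return None if pm is None else dict(pm.attrib)


def audit_config(config_xml, local_admins=("administrator",)):
    """Return a list of findings about the worker-process identity.

    local_admins: account names known to be in the local Administrators
    group (assumed to be gathered out of band, e.g. `net localgroup
    Administrators`); the config alone cannot tell you group membership.
    """
    attrs = process_model(config_xml)
    if attrs is None:
        return ["no <processModel> element: ASP.NET 1.x defaults apply (ASPNET account)"]

    user = attrs.get("userName", "machine").strip()       # default: ASPNET account
    password = attrs.get("password", "AutoGenerate").strip()
    user_l = user.lower()
    short = user_l.rsplit("\\", 1)[-1]                     # strip DOMAIN\ prefix
    findings = []

    if user_l in HIGH_PRIVILEGE or short in HIGH_PRIVILEGE:
        findings.append("FAIL: worker process runs as SYSTEM")
    elif short in {a.lower() for a in local_admins}:
        findings.append("FAIL: worker process runs as a local administrator")
    elif user_l == "machine":
        findings.append("OK: default ASPNET least-privilege account")
    elif user_l.startswith("registry:"):
        findings.append("REVIEW: custom account via aspnet_setreg; confirm it is not an administrator")
    else:
        findings.append("REVIEW: custom account %s; confirm least privilege" % user)

    # A custom account needs a real password; it should not sit in the file in clear text.
    if password.lower() != "autogenerate" and not password.lower().startswith("registry:"):
        findings.append("WARN: clear-text password in Machine.config")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("admin", ADMIN_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_config(cfg))
```

The check reads only the identity; whether a custom account is actually least-privilege still has to be confirmed against group membership and the file-system ACLs the other threads in this group mention (Temporary ASP.NET Files, the application directory).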

