Clarification: IUSR access to the ASP.NET temp folder

From: pj_servadmin (pjservadmin_at_discussions.microsoft.com)
Date: 06/13/05


Date: Mon, 13 Jun 2005 10:34:05 -0700

Non-DC, Win 2k3, IIS 6.0. Configured accounts: Anonymous User:
domain\IUSR_<appName>; Application Pool User: domain\<appPoolName>

I have used NTFS security auditing to confirm that the domain\IUSR_<appName>
account is attempting access to the \Temporary ASP.NET Files\<appName>
folder, as shown by the event listed at the end of this post. The resulting
error message is shown at the end of this post as well.

In a default configuration, Network Service would have been the identity
that ran the application pool and IUSR_<machineName> would have been used for
anonymous access. That folder has NTFS Full access for Network Service, Local
Service, SYSTEM, IIS_WPG, etc. Notably, IUSR_* is absent, but it retains NTFS
Read rights by virtue of being a member of the Domain Users group, which is a
member of the local Users group.

So the questions are:
Is it correct that a default configuration would have Network Service
accessing the \Temporary ASP.NET Files\ directory (not IUSR_<machineName>,
right?)

What are the security implications of giving the IUSR_<appName> account NTFS
full access to the \Temporary ASP.NET Files\ directory?

What is the \Temporary ASP.NET Files\ directory actually used for?

*************************
Event Type: Failure Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 6/13/2005
Time: 9:58:07 AM
User: DEPT\IUSR_<appName>
Computer: CARPUS
Description:
Object Open:
         Object Server: Security
         Object Type: File
         Object Name: C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\<appName>
         Handle ID: -
         Operation ID: {0,12699212}
         Process ID: 2016
         Image File Name: C:\WINDOWS\system32\inetsrv\w3wp.exe
         Primary User Name: <appPoolName>
         Primary Domain: DEPT
         Primary Logon ID: (0x0,0x985392)
         Client User Name: IUSR_<appName>
         Client Domain: DEPT
         Client Logon ID: (0x0,0xBF76A2)
         Accesses: SYNCHRONIZE
                ReadData (or ListDirectory)
         Privileges: -
         Restricted Sid Count: 0
         Access Mask: 0x100001

***************************
Server Error in '/<appName>' Application.
--------------------------------------------------------------------------------

Access to the path "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\<appName>\83d3a3b4\56768e79" is denied.
Description: An unhandled exception occurred during the execution of the
current web request. Please review the stack trace for more information about
the error and where it originated in the code.

Exception Details: System.UnauthorizedAccessException: Access to the path "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\<appName>\83d3a3b4\56768e79" is denied.

ASP.NET is not authorized to access the requested resource. Consider
granting access rights to the resource to the ASP.NET request identity.
ASP.NET has a base process identity (typically {MACHINE}\ASPNET on IIS 5 or
Network Service on IIS 6) that is used if the application is not
impersonating. If the application is impersonating via <identity
impersonate="true"/>, the identity will be the anonymous user (typically
IUSR_MACHINENAME) or the authenticated request user.

To grant ASP.NET write access to a file, right-click the file in Explorer,
choose "Properties" and select the Security tab. Click "Add" to add the
appropriate user or group. Highlight the ASP.NET account, and check the boxes
for the desired access.

Source Error:

An unhandled exception was generated during the execution of the current web
request. Information regarding the origin and location of the exception can
be identified using the exception stack trace below.

Stack Trace:

[UnauthorizedAccessException: Access to the path "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\<appName>\83d3a3b4\56768e79" is denied.]
   System.IO.__Error.WinIOError(Int32 errorCode, String str) +393
   System.IO.Directory.InternalCreateDirectory(String fullPath, String path) +632
   System.IO.Directory.CreateDirectory(String path) +195
   System.Web.Compilation.PreservedAssemblyEntry.DoFirstTimeInit(HttpContext context) +85
   System.Web.Compilation.PreservedAssemblyEntry.EnsureFirstTimeInit(HttpContext context) +97
   System.Web.Compilation.PreservedAssemblyEntry.GetPreservedAssemblyEntry(HttpContext context, String virtualPath, Boolean fApplicationFile) +29
   System.Web.UI.TemplateParser.GetParserCacheItemFromPreservedCompilation() +91
   System.Web.UI.TemplateParser.GetParserCacheItemInternal(Boolean fCreateIfNotFound) +148
   System.Web.UI.TemplateParser.GetParserCacheItemWithNewConfigPath() +125
   System.Web.UI.TemplateParser.GetParserCacheItem() +88
   System.Web.UI.ApplicationFileParser.GetCompiledApplicationType(String inputFile, HttpContext context, ApplicationFileParser& parser) +171
   System.Web.HttpApplicationFactory.CompileApplication(HttpContext context) +43
   System.Web.HttpApplicationFactory.Init(HttpContext context) +484
   System.Web.HttpApplicationFactory.GetApplicationInstance(HttpContext context) +170
   System.Web.HttpRuntime.ProcessRequestInternal(HttpWorkerRequest wr) +414
--------------------------------------------------------------------------------
Version Information: Microsoft .NET Framework Version:1.1.4322.573; ASP.NET
Version:1.1.4322.573
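The pasted Event ID 560 record already answers part of the question: "Primary User Name" is the token of the w3wp.exe process (the application pool account), while "Client User Name" is the token the thread was impersonating when the ACL check failed, here the IUSR account, which is what the ASP.NET error text calls the impersonated request identity. What follows is an added example, not code from the original post or thread: a small Python parser that pulls those fields out of 560 event text, decodes the Access Mask bits into the names Windows prints under "Accesses:", and reports which identity was actually denied and whether a read or a write was requested. The first sample event is a constructed copy of the one posted (placeholders kept); the second, with a non-impersonating Network Service process and an AddSubdirectory request like the one Directory.CreateDirectory makes, is constructed to show the other branch and is not from the post.

```python
"""Parse Windows Server 2003 Event ID 560 (Object Open) audits and report
which identity was checked against the ACL and what access it asked for.

Added example for this thread, not code from the original post. Both sample
events below are constructed: the first copies the posted event with its
placeholders, the second is invented to show a non-impersonating write.
"""
import re

# Access-mask bits from winnt.h. For a directory, ReadData reads as
# ListDirectory, WriteData as AddFile and AppendData as AddSubdirectory
# (the right Directory.CreateDirectory needs on the parent folder).
ACCESS_BITS = [
    (0x00000001, "ReadData (or ListDirectory)"),
    (0x00000002, "WriteData (or AddFile)"),
    (0x00000004, "AppendData (or AddSubdirectory)"),
    (0x00000008, "ReadEA"),
    (0x00000010, "WriteEA"),
    (0x00000020, "Execute/Traverse"),
    (0x00000040, "DeleteChild"),
    (0x00000080, "ReadAttributes"),
    (0x00000100, "WriteAttributes"),
    (0x00010000, "DELETE"),
    (0x00020000, "READ_CONTROL"),
    (0x00040000, "WRITE_DAC"),
    (0x00080000, "WRITE_OWNER"),
    (0x00100000, "SYNCHRONIZE"),
]
# Any of these bits means the caller wanted to modify the object or its ACL.
WRITE_MASK = 0x02 | 0x04 | 0x10 | 0x40 | 0x100 | 0x10000 | 0x40000 | 0x80000

# Constructed copy of the posted event (only the fields the analysis uses).
SAMPLE_POSTED_EVENT = r"""Event Type: Failure Audit
Event ID: 560
         Object Type: File
         Object Name: C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\<appName>
         Image File Name: C:\WINDOWS\system32\inetsrv\w3wp.exe
         Primary User Name: <appPoolName>
         Primary Domain: DEPT
         Client User Name: IUSR_<appName>
         Client Domain: DEPT
         Accesses: SYNCHRONIZE
                ReadData (or ListDirectory)
         Access Mask: 0x100001
"""

# Constructed: default-style pool identity, no impersonation, CreateDirectory.
SAMPLE_CONSTRUCTED_WRITE = r"""Event Type: Failure Audit
Event ID: 560
         Object Type: File
         Object Name: C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\<appName>
         Image File Name: C:\WINDOWS\system32\inetsrv\w3wp.exe
         Primary User Name: NETWORK SERVICE
         Primary Domain: NT AUTHORITY
         Client User Name: -
         Client Domain: -
         Accesses: SYNCHRONIZE
                AppendData (or AddSubdirectory)
         Access Mask: 0x100004
"""

# One "Name: value" field per line; continuation lines under "Accesses:"
# carry no colon and are skipped, the Access Mask is authoritative anyway.
_FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$", re.MULTILINE)


def parse_event_560(text):
    """Return the 'Name: value' fields of a 560 event as a dict."""
    return {m.group(1).strip(): m.group(2) for m in _FIELD.finditer(text)}


def decode_access_mask(mask):
    """Expand an access mask into the names Windows prints under 'Accesses:'."""
    return [name for bit, name in ACCESS_BITS if mask & bit]


def denied_identity(fields):
    """Primary User is the process token; if a Client User is present the
    thread was impersonating and the Client User is the one the ACL saw."""
    process = f"{fields.get('Primary Domain', '')}\\{fields.get('Primary User Name', '')}"
    client = fields.get("Client User Name", "-")
    if client in ("", "-"):
        return {"impersonating": False, "effective": process, "process": process}
    effective = f"{fields.get('Client Domain', '')}\\{client}"
    return {"impersonating": True, "effective": effective, "process": process}


def analyze_event(text):
    """Summarise one 560 record: who was denied, on what, asking for what."""
    fields = parse_event_560(text)
    if fields.get("Event ID") != "560":
        raise ValueError("not an Event ID 560 record")
    mask = int(fields["Access Mask"], 16)
    who = denied_identity(fields)
    return {
        "outcome": fields.get("Event Type", ""),
        "object": fields.get("Object Name", ""),
        "image": fields.get("Image File Name", ""),
        "process_identity": who["process"],
        "effective_identity": who["effective"],
        "impersonating": who["impersonating"],
        "accesses": decode_access_mask(mask),
        "is_write": bool(mask & WRITE_MASK),
    }


if __name__ == "__main__":
    for sample in (SAMPLE_POSTED_EVENT, SAMPLE_CONSTRUCTED_WRITE):
        for key, value in analyze_event(sample).items():
            print(f"{key:>18}: {value}")
        print()
```

Run against the posted event, the summary reports the process identity as DEPT\<appPoolName>, the effective (denied) identity as DEPT\IUSR_<appName>, impersonation on, and a read-only request (ReadData plus SYNCHRONIZE), which is the state the poster's audit confirms. The error message's own CreateDirectory frame would show up as a later 560 with a write-type mask, like the constructed second sample.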


