Re: How to run aspnet with system account

From: Kevin Spencer (kevin_at_DIESPAMMERSDIEtakempis.com)
Date: 04/06/05


Date: Wed, 6 Apr 2005 09:59:24 -0400

Hi Juan,

Sorry about the poor choice of words. You were correct. It wasn't
"self-contradictory" other than the fact that you started out by seemingly
agreeing with Joseph, who made a blanket statement. You qualified your
statement, which actually indicated that you only PARTIALLY agreed with
Joseph.

Blanket statements are almost always incorrect. Note that I didn't make a
blanket statement there! Blanket statements are only useful to lazy people
or people that don't have the time to research the reality behind them.

Telling people that you CAN safely run ASP.Net under the System account
under the right circumstances is not likely to get anyone in trouble. Note
that I didn't RECOMMEND it. If people misunderstand, they aren't listening
diligently, and are therefore responsible for their own actions.

I don't like to hide the truth from people in the fear that they will
misunderstand it. Misunderstanding is not truth. It is a lie that someone
tells themself. What I said was perfectly true. What Joseph said was
implerfectly true. What you said was perfectly true.

The account under which ASP.Net runs is configurable, and includes "System."
Don't tell me that Microsoft made a mistake, by allowing people to do
something they should NEVER do! ;-)

-- 
HTH,
Kevin Spencer
Microsoft MVP
.Net Developer
What You Seek Is What You Get.
"Juan T. Llibre" <nomailreplies@nowhere.com> wrote in message 
news:uqwwfvqOFHA.3444@tk2msftngp13.phx.gbl...
> re:
>> Hang on a minute guys. This is self-contradictory:
>
> No, it is not.
>
> re:
>> In other words, it is either too dangerous to run it in as the System 
>> account, or it is USUALLY too dangerous to run it as the System account. 
>> Which one is true?
>
> You're the one making *that* distinction.
>
> What I stated is :
>>> The *only* reason to change the account used for ASP.NET
>>> ( from SYSTEM to ASPNET, and now to Network Service ),
>>> was to be able to run ASP.NET in a less-dangerous security context.
>
> re:
>> The reason I ask is that we run it as System, and have for years. Why? 
>> Because it is our servers, and nobody else's.
>
> If you feel comfortable with that, feel free.
>
> But, please, don't issue a recommendation to
> "run ASP.NET under the System account".
>
> That's liable to get a lot of people into trouble.
>
> Getting away from having to use an account with excessive privileges
> is the reason why, first, the ASP.NET account was changed from
> System to ASPNET and then, later, to Network Service, when
> even ASPNET was considered to have too many privileges.
>
> That's almost as bad as running a server logged in as "Administrator".
>
>
>
>
>
> Juan T. Llibre
> ASP.NET MVP
> http://asp.net.do/foros/
> Foros de ASP.NET en Espaņol
> Ven, y hablemos de ASP.NET...
> ======================
>
> "Kevin Spencer" <kevin@DIESPAMMERSDIEtakempis.com> wrote in message 
> news:eHhcKjqOFHA.904@tk2msftngp13.phx.gbl...
>> Hang on a minute guys. This is self-contradictory:
>>
>>>>      It is too dangerous to run it as SYSTEM!
>>
>>> The *only* reason to change the account used for ASP.NET
>>> ( from SYSTEM to ASPNET, and now to Network Service ),
>>> was to be able to run ASP.NET in a less-dangerous security context.
>>
>> In other words, it is either too dangerous to run it in as the System 
>> account, or it is USUALLY too dangerous to run it as the System account. 
>> Which one is true?
>>
>> The reason I ask is that we run it as System, and have for years. Why? 
>> Because it is our servers, and nobody else's. We are not a hosting 
>> service. And I am in charge of the software that goes  on it.
>>
>> Most executable applications run under the System account.
>>
>> -- 
>> HTH,
>>
>> Kevin Spencer
>> Microsoft MVP
>> .Net Developer
>> What You Seek Is What You Get.
>>
>> "Juan T. Llibre" <nomailreplies@nowhere.com> wrote in message 
>> news:eyrg$mnOFHA.716@TK2MSFTNGP10.phx.gbl...
>>> re:
>>>>I can't emphasize this enough!
>>>
>>> Neither can I.
>>>
>>> The *only* reason to change the account used for ASP.NET
>>> ( from SYSTEM to ASPNET, and now to Network Service ),
>>> was to be able to run ASP.NET in a less-dangerous security context.
>>>
>>> It's amazing to see that this is being deliberately reverted.
>>>
>>> re:
>>>>Sorry for my abruptness. :-)
>>>
>>> I thought you restrained yourself admirably!  :-)
>>>
>>> For developers to deliberately, or maybe unknowingly,
>>> expose themselves to security risks after a product's
>>> security configuration was changed to protect them,
>>> requires a good rap on the knuckles.
>>>
>>>
>>>
>>>
>>> Juan T. Llibre
>>> ASP.NET MVP
>>> http://asp.net.do/foros/
>>> Foros de ASP.NET en Espaņol
>>> Ven, y hablemos de ASP.NET...
>>> ======================
>>>
>>> "Joseph MCAD" <JosephMCAD@discussions.microsoft.com> wrote in message 
>>> news:3C012C76-527C-4A82-8A27-38B70B4B2851@microsoft.com...
>>>>
>>>>   April 5, 2005
>>>>
>>>>      It is too dangerous to run it as SYSTEM! I am a Microsoft 
>>>> Certified
>>>> Application Developer and one of the topics I happen to be certified in 
>>>> is
>>>> Web Applications and Security. I am not familiar with ClrProfiler, but 
>>>> I
>>>> HEAVILY am in doubt that it requires the System. I think that the old 
>>>> post
>>>> was just doing a "quick fix". I am sure that if you were having almost 
>>>> any
>>>> problem on your computer, it would be fixed by using the System 
>>>> account. For
>>>> this reason, I doubt that the person was really knowing what was 
>>>> required. I
>>>> strongly encourage you to research further, or disconnect the computer 
>>>> from
>>>> the internet and from any intranet whose computers connect to the 
>>>> internet.
>>>> Then immediately switch back to ASPNET as soon as you are done. I can't
>>>> emphasize this enough! Sorry for my abruptness. :-) Good luck!
>>>>
>>>>
>>>>    Joseph MCAD
>>>>
>>>>
>>>>
>>>> "Zeng" wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I'm running ClrProfiler for the first time to profile my web app, and 
>>>>> it
>>>>> keeps getting stuck at this msg box: "Waiting for Asp.net to start 
>>>>> common
>>>>> language runtime - this is the time to load your test page." even 
>>>>> after I
>>>>> launched my app and aspnet_wp.exe is running.
>>>>>
>>>>> Do you know what I need to do to fix it? I also found some old post, a
>>>>> person mentioned that I need to make sure I need to
>>>>> run my aspnet with system account instead.  Do you know how to do this
>>>>> account switching?
>>>>>
>>>>> Thanks for your comment and advice.
>>>>>
>>>>>
>>>>>
>>>
>>>
>>
>>
>
> 


Relevant Pages

  • Re: How to run aspnet with system account
    ... The account under which ASP.Net runs is configurable, ... >>> (from SYSTEM to ASPNET, and now to Network Service), ... >>> was to be able to run ASP.NET in a less-dangerous security context. ... >> The reason I ask is that we run it as System, ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • Re: The BT Ripoff
    ... later and they confirmed my account was paid. ... there is a *reason* they charge more for other means of payment. ... There is no reason DD is cheaper for them than a bank transfer. ...
    (uk.legal)
  • Re: Hi Play65Official Sheila Baker, I was Play65 user nicknamed SleepWalkerr in November 2006.
    ... I was Play65 user nicknamed SleepWalkerr in November ... Play65 closed my account with some funny reasons. ... I want to write here some laughable mails, received from Mr Paul one ... GE sent me a new reason to close my account. ...
    (rec.games.backgammon)
  • Re: How to run aspnet with system account
    ... The *only* reason to change the account used for ASP.NET ... was to be able to run ASP.NET in a less-dangerous security context. ... > Then immediately switch back to ASPNET as soon as you are done. ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • Re: How to run aspnet with system account
    ... The *only* reason to change the account used for ASP.NET ... was to be able to run ASP.NET in a less-dangerous security context. ... > Then immediately switch back to ASPNET as soon as you are done. ...
    (microsoft.public.dotnet.security)