Re: How to run aspnet with system account

From: Joseph MCAD (JosephMCAD_at_discussions.microsoft.com)
Date: 04/06/05

  • Next message: Derek Knudsen: "RE: Rijndael decryption succeeds SOMETIMES"
    Date: Wed, 6 Apr 2005 08:37:02 -0700
    
    

      April 6, 2005

        I'll repeat what I said in my first post... Sorry for my abruptness! :-)

    Joseph MCAD

    "Kevin Spencer" wrote:

    > Well, darn, Joseph. How lucky we've been, considering the "lack of security"
    > on our system. In all the time it's run, we've had no problems, attacks,
    > down-time, viruses, trojan horses, or anything else, for several years now.
    >
    > Thanks for making me feel so lucky!
    >
    > Of course, there's always the possibility that we ARE security experts, but
    > thankfully, you have made us realize that it's all been pure luck. I guess
    > I'll just have to take the MCAD course to become one.
    >
    > --
    > ;-),
    >
    > Kevin Spencer
    > Microsoft MVP
    > .Net Developer
    > What You Seek Is What You Get.
    >
    > "Joseph MCAD" <JosephMCAD@discussions.microsoft.com> wrote in message
    > news:D6157E44-175D-4A25-84EC-FE6D5CE7207E@microsoft.com...
    > >
    > > April 6, 2005
    > >
    > > No security expert would ever agree with you + no security expert
    > > would
    > > say that you are security oriented with that frame of mind and lack of
    > > knowledge. Even if you only run your own code on your servers, developers
    > > STILL make mistakes! If you had a simple program that connected to your
    > > database with the SYSTEM account and it had one bug, the attacker could
    > > launch a SQL Injection attack and do everything from corrupting the
    > > registry, stealing data, taking files, deleting audit logs, releasing your IP
    > > address, knocking the server offline, and doing damage that could result in not
    > > being able to boot and therefore render the computer unrecoverable
    > > without
    > > changing physical pieces such as the harddrive. If you don't run web
    > > services, I bet you haven't disabled the Documentation protocol either. I
    > > also think that you haven't blocked .Net remoting and .rem and .soap
    > > requests. I can't even begin to give examples of what may happen. If all
    > > of
    > > your customer information was taken, then deleted, then audit logs
    > > cleared,
    > > and then damaged all of your web servers, your company's reputation would
    > > be
    > > permanently destroyed unless you work for a giganticly gigantic company
    > > such
    > > as Microsoft. With the way you have been able to run your programs as
    > > SYSTEM,
    > > I can already believe that you work for a small business and have no
    > > security
    > > experts on your team. (that is besides maybe yourself) I strongly
    > > recommend
    > > that you begin to switch back to least privilege........
    > >
    > >
    > > Joseph MCAD
    > >
    > >
    > >
    > > "Kevin Spencer" wrote:
    > >
    > >> Hi Juan,
    > >>
    > >> Sorry about the poor choice of words. You were correct. It wasn't
    > >> "self-contradictory" other than the fact that you started out by
    > >> seemingly
    > >> agreeing with Joseph, who made a blanket statement. You qualified your
    > >> statement, which actually indicated that you only PARTIALLY agreed with
    > >> Joseph.
    > >>
    > >> Blanket statements are almost always incorrect. Note that I didn't make a
    > >> blanket statement there! Blanket statements are only useful to lazy
    > >> people
    > >> or people that don't have the time to research the reality behind them.
    > >>
    > >> Telling people that you CAN safely run ASP.Net under the System account
    > >> under the right circumstances is not likely to get anyone in trouble.
    > >> Note
    > >> that I didn't RECOMMEND it. If people misunderstand, they aren't
    > >> listening
    > >> diligently, and are therefore responsible for their own actions.
    > >>
    > >> I don't like to hide the truth from people in the fear that they will
    > >> misunderstand it. Misunderstanding is not truth. It is a lie that someone
    > >> tells themself. What I said was perfectly true. What Joseph said was
    > >> imperfectly true. What you said was perfectly true.
    > >>
    > >> The account under which ASP.Net runs is configurable, and includes
    > >> "System."
    > >> Don't tell me that Microsoft made a mistake, by allowing people to do
    > >> something they should NEVER do! ;-)
    > >>
    > >> --
    > >> HTH,
    > >>
    > >> Kevin Spencer
    > >> Microsoft MVP
    > >> .Net Developer
    > >> What You Seek Is What You Get.
    > >>
    > >> "Juan T. Llibre" <nomailreplies@nowhere.com> wrote in message
    > >> news:uqwwfvqOFHA.3444@tk2msftngp13.phx.gbl...
    > >> > re:
    > >> >> Hang on a minute guys. This is self-contradictory:
    > >> >
    > >> > No, it is not.
    > >> >
    > >> > re:
    > >> >> In other words, it is either too dangerous to run it in as the System
    > >> >> account, or it is USUALLY too dangerous to run it as the System
    > >> >> account.
    > >> >> Which one is true?
    > >> >
    > >> > You're the one making *that* distinction.
    > >> >
    > >> > What I stated is :
    > >> >>> The *only* reason to change the account used for ASP.NET
    > >> >>> ( from SYSTEM to ASPNET, and now to Network Service ),
    > >> >>> was to be able to run ASP.NET in a less-dangerous security context.
    > >> >
    > >> > re:
    > >> >> The reason I ask is that we run it as System, and have for years. Why?
    > >> >> Because it is our servers, and nobody else's.
    > >> >
    > >> > If you feel comfortable with that, feel free.
    > >> >
    > >> > But, please, don't issue a recommendation to
    > >> > "run ASP.NET under the System account".
    > >> >
    > >> > That's liable to get a lot of people into trouble.
    > >> >
    > >> > Getting away from having to use an account with excessive privileges
    > >> > is the reason why, first, the ASP.NET account was changed from
    > >> > System to ASPNET and then, later, to Network Service, when
    > >> > even ASPNET was considered to have too many privileges.
    > >> >
    > >> > That's almost as bad as running a server logged in as "Administrator".
    > >> >
    > >> >
    > >> >
    > >> >
    > >> >
    > >> > Juan T. Llibre
    > >> > ASP.NET MVP
    > >> > http://asp.net.do/foros/
    > >> > ASP.NET forums in Spanish
    > >> > Come, and let's talk about ASP.NET...
    > >> > ======================
    > >> >
    > >> > "Kevin Spencer" <kevin@DIESPAMMERSDIEtakempis.com> wrote in message
    > >> > news:eHhcKjqOFHA.904@tk2msftngp13.phx.gbl...
    > >> >> Hang on a minute guys. This is self-contradictory:
    > >> >>
    > >> >>>> It is too dangerous to run it as SYSTEM!
    > >> >>
    > >> >>> The *only* reason to change the account used for ASP.NET
    > >> >>> ( from SYSTEM to ASPNET, and now to Network Service ),
    > >> >>> was to be able to run ASP.NET in a less-dangerous security context.
    > >> >>
    > >> >> In other words, it is either too dangerous to run it in as the System
    > >> >> account, or it is USUALLY too dangerous to run it as the System
    > >> >> account.
    > >> >> Which one is true?
    > >> >>
    > >> >> The reason I ask is that we run it as System, and have for years. Why?
    > >> >> Because it is our servers, and nobody else's. We are not a hosting
    > >> >> service. And I am in charge of the software that goes on it.
    > >> >>
    > >> >> Most executable applications run under the System account.
    > >> >>
    > >> >> --
    > >> >> HTH,
    > >> >>
    > >> >> Kevin Spencer
    > >> >> Microsoft MVP
    > >> >> .Net Developer
    > >> >> What You Seek Is What You Get.
    > >> >>
    > >> >> "Juan T. Llibre" <nomailreplies@nowhere.com> wrote in message
    > >> >> news:eyrg$mnOFHA.716@TK2MSFTNGP10.phx.gbl...
    > >> >>> re:
    > >> >>>>I can't emphasize this enough!
    > >> >>>
    > >> >>> Neither can I.
    > >> >>>
    > >> >>> The *only* reason to change the account used for ASP.NET
    > >> >>> ( from SYSTEM to ASPNET, and now to Network Service ),
    > >> >>> was to be able to run ASP.NET in a less-dangerous security context.
    > >> >>>
    > >> >>> It's amazing to see that this is being deliberately reverted.
    > >> >>>
    > >> >>> re:
    > >> >>>>Sorry for my abruptness. :-)
    > >> >>>
    > >> >>> I thought you restrained yourself admirably! :-)
    > >> >>>
    > >> >>> For developers to deliberately, or maybe unknowingly,
    > >> >>> expose themselves to security risks after a product's
    > >> >>> security configuration was changed to protect them,
    > >> >>> requires a good rap on the knuckles.
    > >> >>>
    > >> >>>
    > >> >>>
    > >> >>>
    > >> >>> Juan T. Llibre
    > >> >>> ASP.NET MVP
    > >> >>> http://asp.net.do/foros/
    > >> >>> ASP.NET forums in Spanish
    > >> >>> Come, and let's talk about ASP.NET...
    > >> >>> ======================
    > >> >>>
    > >> >>> "Joseph MCAD" <JosephMCAD@discussions.microsoft.com> wrote in message
    > >> >>> news:3C012C76-527C-4A82-8A27-38B70B4B2851@microsoft.com...
    > >> >>>>
    > >> >>>> April 5, 2005
    > >> >>>>
    > >> >>>> It is too dangerous to run it as SYSTEM! I am a Microsoft
    > >> >>>> Certified
    > >> >>>> Application Developer and one of the topics I happen to be certified
    > >> >>>> in
    > >> >>>> is
    > >> >>>> Web Applications and Security. I am not familiar with ClrProfiler,
    > >> >>>> but
    > >> >>>> I
    > >> >>>> HEAVILY am in doubt that it requires the System. I think that the
    > >> >>>> old
    > >> >>>> post
    > >> >>>> was just doing a "quick fix". I am sure that if you were having
    > >> >>>> almost
    > >> >>>> any
    > >> >>>> problem on your computer, it would be fixed by using the System
    > >> >>>> account. For
    > >> >>>> this reason, I doubt that the person really knew what was
    > >> >>>> required. I
    > >> >>>> strongly encourage you to research further, or disconnect the
    > >> >>>> computer
    > >> >>>> from
    > >> >>>> the internet and from any intranet whose computers connect to the
    > >> >>>> internet.
    > >> >>>> Then immediately switch back to ASPNET as soon as you are done. I
    > >> >>>> can't
    > >> >>>> emphasize this enough! Sorry for my abruptness. :-) Good luck!
    > >> >>>>
    > >> >>>>
    > >> >>>> Joseph MCAD
    > >> >>>>
    > >> >>>>
    > >> >>>>
    > >> >>>> "Zeng" wrote:
    > >> >>>>
    > >> >>>>> Hi,
    > >> >>>>>
    > >> >>>>> I'm running ClrProfiler for the first time to profile my web app,
    > >> >>>>> and
    > >> >>>>> it
    > >> >>>>> keeps getting stuck at this msg box: "Waiting for Asp.net to start
    > >> >>>>> common
    > >> >>>>> language runtime - this is the time to load your test page." even
    > >> >>>>> after I
    > >> >>>>> launched my app and aspnet_wp.exe is running.
    > >> >>>>>
    > >> >>>>> Do you know what I need to do to fix it? I also found some old
    > >> >>>>> post, a
    > >> >>>>> person mentioned that I need to make sure I
    > >> >>>>> run my aspnet with the system account instead. Do you know how to do
    > >> >>>>> this
    > >> >>>>> account switching?
    > >> >>>>>
    > >> >>>>> Thanks for your comment and advice.
    > >> >>>>>
    > >> >>>>>
    > >> >>>>>
    > >> >>>
    > >> >>>
    > >> >>
    > >> >>
    > >> >
    > >> >
    > >>
    > >>
    > >>
    >
    >
    >

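The thread argues about a single configuration knob without ever showing it. The fragment below is an added example written for this archive page; it is not code posted by anyone in the thread and not Microsoft's own documentation. It shows the ASP.NET 1.x machine.config processModel element with the setting Joseph warns against (the worker process running as LocalSystem) next to the least-privilege default that Juan describes (the local ASPNET account). The attribute names and the "SYSTEM", "machine" and "AutoGenerate" values are the real ASP.NET 1.x ones; the comments are mine.

```xml
<!-- machine.config, ASP.NET 1.x (IIS 5, or IIS 6 running in IIS 5 isolation mode).
     Only the processModel element is shown; the rest of system.web is omitted. -->
<configuration>
  <system.web>

    <!-- WEAK SETTING (what the old post Zeng found suggests): userName="SYSTEM"
         runs aspnet_wp.exe as LocalSystem. Every request handler, and therefore
         every injection or code-execution bug in any page, then executes with
         full machine privileges, which is the risk Joseph and Juan describe. -->
    <!--
    <processModel enable="true" userName="SYSTEM" password="AutoGenerate" />
    -->

    <!-- CORRECTED SETTING (the ASP.NET 1.x default): userName="machine" runs the
         worker process as the low-privileged local ASPNET account; the password
         is generated and stored by ASP.NET, so nothing secret lives in this file. -->
    <processModel enable="true" userName="machine" password="AutoGenerate" />

  </system.web>
</configuration>
```

Two practical notes. First, on IIS 6 in worker process isolation mode this processModel identity is ignored: the application pool identity applies instead, and its default, Network Service, is the further reduction Juan refers to. Second, after changing either setting, verify what a request actually runs as rather than trusting the file: a throwaway .aspx page that writes System.Security.Principal.WindowsIdentity.GetCurrent().Name to the response shows the effective identity, and "NT AUTHORITY\SYSTEM" there means the weak configuration is still in effect.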
