Re: How to run aspnet with system account
From: Joseph MCAD (JosephMCAD_at_discussions.microsoft.com)
Date: 04/06/05
- Previous message: Joseph MCAD: "RE: Question regarding in Forms authentication"
- In reply to: Kevin Spencer: "Re: How to run aspnet with system account"
- Next in thread: Gerry Hickman: "Re: How to run aspnet with system account"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 6 Apr 2005 08:37:02 -0700
April 6, 2005
I'll repeat what I said in my first post... Sorry for my abruptness! :-)
Joseph MCAD
"Kevin Spencer" wrote:
> Well, darn, Joseph. How lucky we've been, considering the "lack of security"
> on our system. In all the time it's run, we've had no problems, attacks,
> down-time, viruses, trojan horses, or anything else, for several years now.
>
> Thanks for making me feel so lucky!
>
> Of course, there's always the possibility that we ARE security experts, but
> thankfully, you have made us realize that it's all been pure luck. I guess
> I'll just have to take the MCAD course to become one.
>
> --
> ;-),
>
> Kevin Spencer
> Microsoft MVP
> .Net Developer
> What You Seek Is What You Get.
>
> "Joseph MCAD" <JosephMCAD@discussions.microsoft.com> wrote in message
> news:D6157E44-175D-4A25-84EC-FE6D5CE7207E@microsoft.com...
> >
> > April 6, 2005
> >
> > No security expert would ever agree with you + no security expert would
> > say that you are security oriented with that frame of mind and lack of
> > knowledge. Even if you only run your own code on your servers, developers
> > STILL make mistakes! If you had a simple program that connected to your
> > database with the SYSTEM account and it had one bug, the attacker could
> > launch a SQL Injection attack and do everything from corrupting the
> > registry, stealing data, take files, delete audit logs, release your IP
> > address, knock the server offline, and do damage that could result in not
> > being able to boot and therefore render the computer unrecoverable without
> > changing physical pieces such as the hard drive. If you don't run web
> > services, I bet you haven't disabled the Documentation protocol either. I
> > also think that you haven't blocked .Net remoting and .rem and .soap
> > requests. I can't even begin to give examples of what may happen. If all of
> > your customer information was taken, then deleted, then audit logs cleared,
> > and then damaged all of your web servers, your company's reputation would be
> > permanently destroyed unless you work for a gigantically gigantic company such
> > as Microsoft. With the way you have been able to run your programs as SYSTEM,
> > I can already believe that you work for a small business and have no security
> > experts on your team. (that is besides maybe yourself) I strongly recommend
> > that you begin to switch back to least privilege........
> >
> >
> > Joseph MCAD
> >
> >
> >
> > "Kevin Spencer" wrote:
> >
> >> Hi Juan,
> >>
> >> Sorry about the poor choice of words. You were correct. It wasn't
> >> "self-contradictory" other than the fact that you started out by seemingly
> >> agreeing with Joseph, who made a blanket statement. You qualified your
> >> statement, which actually indicated that you only PARTIALLY agreed with
> >> Joseph.
> >>
> >> Blanket statements are almost always incorrect. Note that I didn't make a
> >> blanket statement there! Blanket statements are only useful to lazy people
> >> or people that don't have the time to research the reality behind them.
> >>
> >> Telling people that you CAN safely run ASP.Net under the System account
> >> under the right circumstances is not likely to get anyone in trouble. Note
> >> that I didn't RECOMMEND it. If people misunderstand, they aren't listening
> >> diligently, and are therefore responsible for their own actions.
> >>
> >> I don't like to hide the truth from people in the fear that they will
> >> misunderstand it. Misunderstanding is not truth. It is a lie that someone
> >> tells themselves. What I said was perfectly true. What Joseph said was
> >> imperfectly true. What you said was perfectly true.
> >>
> >> The account under which ASP.Net runs is configurable, and includes "System."
> >> Don't tell me that Microsoft made a mistake, by allowing people to do
> >> something they should NEVER do! ;-)
> >>
> >> --
> >> HTH,
> >>
> >> Kevin Spencer
> >> Microsoft MVP
> >> .Net Developer
> >> What You Seek Is What You Get.
> >>
> >> "Juan T. Llibre" <nomailreplies@nowhere.com> wrote in message
> >> news:uqwwfvqOFHA.3444@tk2msftngp13.phx.gbl...
> >> > re:
> >> >> Hang on a minute guys. This is self-contradictory:
> >> >
> >> > No, it is not.
> >> >
> >> > re:
> >> >> In other words, it is either too dangerous to run it in as the System
> >> >> account, or it is USUALLY too dangerous to run it as the System account.
> >> >> Which one is true?
> >> >
> >> > You're the one making *that* distinction.
> >> >
> >> > What I stated is :
> >> >>> The *only* reason to change the account used for ASP.NET
> >> >>> ( from SYSTEM to ASPNET, and now to Network Service ),
> >> >>> was to be able to run ASP.NET in a less-dangerous security context.
> >> >
> >> > re:
> >> >> The reason I ask is that we run it as System, and have for years. Why?
> >> >> Because it is our servers, and nobody else's.
> >> >
> >> > If you feel comfortable with that, feel free.
> >> >
> >> > But, please, don't issue a recommendation to
> >> > "run ASP.NET under the System account".
> >> >
> >> > That's liable to get a lot of people into trouble.
> >> >
> >> > Getting away from having to use an account with excessive privileges
> >> > is the reason why, first, the ASP.NET account was changed from
> >> > System to ASPNET and then, later, to Network Service, when
> >> > even ASPNET was considered to have too many privileges.
> >> >
> >> > That's almost as bad as running a server logged in as "Administrator".
> >> >
> >> >
> >> >
> >> >
> >> >
> >> > Juan T. Llibre
> >> > ASP.NET MVP
> >> > http://asp.net.do/foros/
> >> > Foros de ASP.NET en Español
> >> > Ven, y hablemos de ASP.NET...
> >> > ======================
> >> >
> >> > "Kevin Spencer" <kevin@DIESPAMMERSDIEtakempis.com> wrote in message
> >> > news:eHhcKjqOFHA.904@tk2msftngp13.phx.gbl...
> >> >> Hang on a minute guys. This is self-contradictory:
> >> >>
> >> >>>> It is too dangerous to run it as SYSTEM!
> >> >>
> >> >>> The *only* reason to change the account used for ASP.NET
> >> >>> ( from SYSTEM to ASPNET, and now to Network Service ),
> >> >>> was to be able to run ASP.NET in a less-dangerous security context.
> >> >>
> >> >> In other words, it is either too dangerous to run it in as the System
> >> >> account, or it is USUALLY too dangerous to run it as the System account.
> >> >> Which one is true?
> >> >>
> >> >> The reason I ask is that we run it as System, and have for years. Why?
> >> >> Because it is our servers, and nobody else's. We are not a hosting
> >> >> service. And I am in charge of the software that goes on it.
> >> >>
> >> >> Most executable applications run under the System account.
> >> >>
> >> >> --
> >> >> HTH,
> >> >>
> >> >> Kevin Spencer
> >> >> Microsoft MVP
> >> >> .Net Developer
> >> >> What You Seek Is What You Get.
> >> >>
> >> >> "Juan T. Llibre" <nomailreplies@nowhere.com> wrote in message
> >> >> news:eyrg$mnOFHA.716@TK2MSFTNGP10.phx.gbl...
> >> >>> re:
> >> >>>>I can't emphasize this enough!
> >> >>>
> >> >>> Neither can I.
> >> >>>
> >> >>> The *only* reason to change the account used for ASP.NET
> >> >>> ( from SYSTEM to ASPNET, and now to Network Service ),
> >> >>> was to be able to run ASP.NET in a less-dangerous security context.
> >> >>>
> >> >>> It's amazing to see that this is being deliberately reverted.
> >> >>>
> >> >>> re:
> >> >>>>Sorry for my abruptness. :-)
> >> >>>
> >> >>> I thought you restrained yourself admirably! :-)
> >> >>>
> >> >>> For developers to deliberately, or maybe unknowingly,
> >> >>> expose themselves to security risks after a product's
> >> >>> security configuration was changed to protect them,
> >> >>> requires a good rap on the knuckles.
> >> >>>
> >> >>>
> >> >>>
> >> >>>
> >> >>> Juan T. Llibre
> >> >>> ASP.NET MVP
> >> >>> http://asp.net.do/foros/
> >> >>> Foros de ASP.NET en Español
> >> >>> Ven, y hablemos de ASP.NET...
> >> >>> ======================
> >> >>>
> >> >>> "Joseph MCAD" <JosephMCAD@discussions.microsoft.com> wrote in message
> >> >>> news:3C012C76-527C-4A82-8A27-38B70B4B2851@microsoft.com...
> >> >>>>
> >> >>>> April 5, 2005
> >> >>>>
> >> >>>> It is too dangerous to run it as SYSTEM! I am a Microsoft Certified
> >> >>>> Application Developer and one of the topics I happen to be certified in
> >> >>>> is Web Applications and Security. I am not familiar with ClrProfiler,
> >> >>>> but I HEAVILY am in doubt that it requires the System. I think that the
> >> >>>> old post was just doing a "quick fix". I am sure that if you were having
> >> >>>> almost any problem on your computer, it would be fixed by using the
> >> >>>> System account. For this reason, I doubt that the person was really
> >> >>>> knowing what was required. I strongly encourage you to research further,
> >> >>>> or disconnect the computer from the internet and from any intranet whose
> >> >>>> computers connect to the internet. Then immediately switch back to
> >> >>>> ASPNET as soon as you are done. I can't emphasize this enough! Sorry for
> >> >>>> my abruptness. :-) Good luck!
> >> >>>>
> >> >>>>
> >> >>>> Joseph MCAD
> >> >>>>
> >> >>>>
> >> >>>>
> >> >>>> "Zeng" wrote:
> >> >>>>
> >> >>>>> Hi,
> >> >>>>>
> >> >>>>> I'm running ClrProfiler for the first time to profile my web app, and
> >> >>>>> it keeps getting stuck at this msg box: "Waiting for Asp.net to start
> >> >>>>> common language runtime - this is the time to load your test page."
> >> >>>>> even after I launched my app and aspnet_wp.exe is running.
> >> >>>>>
> >> >>>>> Do you know what I need to do to fix it? I also found some old post, a
> >> >>>>> person mentioned that I need to make sure I need to run my aspnet with
> >> >>>>> system account instead. Do you know how to do this account switching?
> >> >>>>>
> >> >>>>> Thanks for your comment and advice.
> >> >>>>>
> >> >>>>>
> >> >>>>>
> >> >>>
> >> >>>
> >> >>
> >> >>
> >> >
> >> >
> >>
> >>
> >>
>
>
>
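
Added example, not part of the thread or any poster's code: a small audit that reads a machine.config and reports which identity the ASP.NET worker process is configured to use, so that a SYSTEM setting left over from a profiling session is caught. It assumes the aspnet_wp.exe hosting model mentioned above, where the identity is the `userName` attribute of `<processModel>` ("machine" selects the ASPNET account, "SYSTEM" selects LocalSystem); the config fragments, the account name `WEB01\svc_web` and the verdict labels are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed machine.config fragments for illustration (not from the thread).
RUNS_AS_SYSTEM = """<configuration><system.web>
  <processModel enable="true" userName="SYSTEM" password="AutoGenerate" />
</system.web></configuration>"""

RUNS_AS_ASPNET = """<configuration><system.web>
  <processModel enable="true" userName="machine" password="AutoGenerate" />
</system.web></configuration>"""

RUNS_AS_CUSTOM = """<configuration><system.web>
  <processModel enable="true" userName="WEB01\\svc_web" password="placeholder" />
</system.web></configuration>"""


def classify_identity(user_name):
    """Map a processModel userName value to a review verdict (labels are ours)."""
    if user_name is None:
        return "unspecified"        # attribute missing: check the framework default
    name = user_name.strip().lower()
    if name == "system":
        return "high-privilege"     # worker process runs as LocalSystem
    if name == "machine":
        return "least-privilege"    # worker process runs as the local ASPNET account
    if name.split("\\")[-1] == "administrator":
        return "high-privilege"     # an Administrator account, local or domain
    return "custom-review"          # named account: review its rights and ACLs


def audit_process_model(config_xml):
    """Return (userName, verdict) for every <processModel> element found."""
    root = ET.fromstring(config_xml)
    return [(pm.get("userName"), classify_identity(pm.get("userName")))
            for pm in root.iter("processModel")]


def needs_attention(config_xml):
    """True when any worker identity is high-privilege or not stated."""
    return any(verdict in ("high-privilege", "unspecified")
               for _, verdict in audit_process_model(config_xml))


if __name__ == "__main__":
    for label, xml_text in [("system", RUNS_AS_SYSTEM), ("aspnet", RUNS_AS_ASPNET),
                            ("custom", RUNS_AS_CUSTOM)]:
        print(label, audit_process_model(xml_text), needs_attention(xml_text))
```
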