Re: How to run aspnet with system account

From: Joseph MCAD (JosephMCAD_at_discussions.microsoft.com)
Date: 04/06/05

  • Next message: Derek Knudsen: "RE: Rijndael decryption succeeds SOMETIMES"
    Date: Wed, 6 Apr 2005 08:37:02 -0700
    
    

      April 6, 2005

        I'll repeat what I said in my first post... Sorry for my abruptness! :-)

                                                                                 
                 Joseph MCAD

    "Kevin Spencer" wrote:

    > Well, darn, Joseph. How lucky we've been, considering the "lack of security"
    > on our system. In all the time it's run, we've had no problems, attacks,
    > down-time, viruses, trojan horses, or anything else, for several years now.
    >
    > Thanks for making me feel so lucky!
    >
    > Of course, there's always the possibility that we ARE security experts, but
    > thankfully, you have made us realize that it's all been pure luck. I guess
    > I'll just have to take the MCAD course to become one.
    >
    > --
    > ;-),
    >
    > Kevin Spencer
    > Microsoft MVP
    > ..Net Developer
    > What You Seek Is What You Get.
    >
    > "Joseph MCAD" <JosephMCAD@discussions.microsoft.com> wrote in message
    > news:D6157E44-175D-4A25-84EC-FE6D5CE7207E@microsoft.com...
    > >
    > > April 6, 2005
    > >
    > > No security expert would ever agree with you + no security expert
    > > would
    > > say that you are security oriented with that frame of mind and lack of
    > > knowledge. Even if you only run your own code on your servers, developers
    > > STILL make mistakes! If you had a simple program that connected to your
    > > database with the SYSTEM account and it had one bug, the attacker could
    > > launch a SQL Injection attack and do everything from, corrupting the
    > > registery, stealing data, take files, delete audit logs, release your IP
    > > address, knock the server offline, and do damage that could result in not
    > > beening able to boot and therefore render the computer unrecoverable
    > > without
    > > changing physical pieces such as the harddrive. If you don't run web
    > > services, I bet you haven't disabled the Documentation protocol either. I
    > > also think that you haven't blocked .Net remoting and .rem and .soap
    > > requests. I can't even begin to give examples of what my happen. If all
    > > of
    > > your customer information was taken, then deleted, then audit logs
    > > cleared,
    > > and then damaged all of your web servers, your company's reputation would
    > > be
    > > permanently destroyed unless you work for a giganticly gigantic company
    > > such
    > > as Microsoft. With the way you have been able to run your programs as
    > > SYSTEM,
    > > I can already believe that you work for a small business and have no
    > > security
    > > experts on your team. (that is besides maybe yourself) I strongly
    > > recommend
    > > that you begin to switch back to least privilege........
    > >
    > >
    > > Joseph MCAD
    > >
    > >
    > >
    > > "Kevin Spencer" wrote:
    > >
    > >> Hi Juan,
    > >>
    > >> Sorry about the poor choice of words. You were correct. It wasn't
    > >> "self-contradictory" other than the fact that you started out by
    > >> seemingly
    > >> agreeing with Joseph, who made a blanket statement. You qualified your
    > >> statement, which actually indicated that you only PARTIALLY agreed with
    > >> Joseph.
    > >>
    > >> Blanket statements are almost always incorrect. Note that I didn't make a
    > >> blanket statement there! Blanket statements are only useful to lazy
    > >> people
    > >> or people that don't have the time to research the reality behind them.
    > >>
    > >> Telling people that you CAN safely run ASP.Net under the System account
    > >> under the right circumstances is not likely to get anyone in trouble.
    > >> Note
    > >> that I didn't RECOMMEND it. If people misunderstand, they aren't
    > >> listening
    > >> diligently, and are therefore responsible for their own actions.
    > >>
    > >> I don't like to hide the truth from people in the fear that they will
    > >> misunderstand it. Misunderstanding is not truth. It is a lie that someone
    > >> tells themself. What I said was perfectly true. What Joseph said was
    > >> implerfectly true. What you said was perfectly true.
    > >>
    > >> The account under which ASP.Net runs is configurable, and includes
    > >> "System."
    > >> Don't tell me that Microsoft made a mistake, by allowing people to do
    > >> something they should NEVER do! ;-)
    > >>
    > >> --
    > >> HTH,
    > >>
    > >> Kevin Spencer
    > >> Microsoft MVP
    > >> ..Net Developer
    > >> What You Seek Is What You Get.
    > >>
    > >> "Juan T. Llibre" <nomailreplies@nowhere.com> wrote in message
    > >> news:uqwwfvqOFHA.3444@tk2msftngp13.phx.gbl...
    > >> > re:
    > >> >> Hang on a minute guys. This is self-contradictory:
    > >> >
    > >> > No, it is not.
    > >> >
    > >> > re:
    > >> >> In other words, it is either too dangerous to run it in as the System
    > >> >> account, or it is USUALLY too dangerous to run it as the System
    > >> >> account.
    > >> >> Which one is true?
    > >> >
    > >> > You're the one making *that* distinction.
    > >> >
    > >> > What I stated is :
    > >> >>> The *only* reason to change the account used for ASP.NET
    > >> >>> ( from SYSTEM to ASPNET, and now to Network Service ),
    > >> >>> was to be able to run ASP.NET in a less-dangerous security context.
    > >> >
    > >> > re:
    > >> >> The reason I ask is that we run it as System, and have for years. Why?
    > >> >> Because it is our servers, and nobody else's.
    > >> >
    > >> > If you feel comfortable with that, feel free.
    > >> >
    > >> > But, please, don't issue a recommendation to
    > >> > "run ASP.NET under the System account".
    > >> >
    > >> > That's liable to get a lot of people into trouble.
    > >> >
    > >> > Getting away from having to use an account with excessive privileges
    > >> > is the reason why, first, the ASP.NET account was changed from
    > >> > System to ASPNET and then, later, to Network Service, when
    > >> > even ASPNET was considered to have too many privileges.
    > >> >
    > >> > That's almost as bad as running a server logged in as "Administrator".
    > >> >
    > >> >
    > >> >
    > >> >
    > >> >
    > >> > Juan T. Llibre
    > >> > ASP.NET MVP
    > >> > http://asp.net.do/foros/
    > >> > Foros de ASP.NET en Español
    > >> > Ven, y hablemos de ASP.NET...
    > >> > ======================
    > >> >
    > >> > "Kevin Spencer" <kevin@DIESPAMMERSDIEtakempis.com> wrote in message
    > >> > news:eHhcKjqOFHA.904@tk2msftngp13.phx.gbl...
    > >> >> Hang on a minute guys. This is self-contradictory:
    > >> >>
    > >> >>>> It is too dangerous to run it as SYSTEM!
    > >> >>
    > >> >>> The *only* reason to change the account used for ASP.NET
    > >> >>> ( from SYSTEM to ASPNET, and now to Network Service ),
    > >> >>> was to be able to run ASP.NET in a less-dangerous security context.
    > >> >>
    > >> >> In other words, it is either too dangerous to run it in as the System
    > >> >> account, or it is USUALLY too dangerous to run it as the System
    > >> >> account.
    > >> >> Which one is true?
    > >> >>
    > >> >> The reason I ask is that we run it as System, and have for years. Why?
    > >> >> Because it is our servers, and nobody else's. We are not a hosting
    > >> >> service. And I am in charge of the software that goes on it.
    > >> >>
    > >> >> Most executable applications run under the System account.
    > >> >>
    > >> >> --
    > >> >> HTH,
    > >> >>
    > >> >> Kevin Spencer
    > >> >> Microsoft MVP
    > >> >> .Net Developer
    > >> >> What You Seek Is What You Get.
    > >> >>
    > >> >> "Juan T. Llibre" <nomailreplies@nowhere.com> wrote in message
    > >> >> news:eyrg$mnOFHA.716@TK2MSFTNGP10.phx.gbl...
    > >> >>> re:
    > >> >>>>I can't emphasize this enough!
    > >> >>>
    > >> >>> Neither can I.
    > >> >>>
    > >> >>> The *only* reason to change the account used for ASP.NET
    > >> >>> ( from SYSTEM to ASPNET, and now to Network Service ),
    > >> >>> was to be able to run ASP.NET in a less-dangerous security context.
    > >> >>>
    > >> >>> It's amazing to see that this is being deliberately reverted.
    > >> >>>
    > >> >>> re:
    > >> >>>>Sorry for my abruptness. :-)
    > >> >>>
    > >> >>> I thought you restrained yourself admirably! :-)
    > >> >>>
    > >> >>> For developers to deliberately, or maybe unknowingly,
    > >> >>> expose themselves to security risks after a product's
    > >> >>> security configuration was changed to protect them,
    > >> >>> requires a good rap on the knuckles.
    > >> >>>
    > >> >>>
    > >> >>>
    > >> >>>
    > >> >>> Juan T. Llibre
    > >> >>> ASP.NET MVP
    > >> >>> http://asp.net.do/foros/
    > >> >>> Foros de ASP.NET en Español
    > >> >>> Ven, y hablemos de ASP.NET...
    > >> >>> ======================
    > >> >>>
    > >> >>> "Joseph MCAD" <JosephMCAD@discussions.microsoft.com> wrote in message
    > >> >>> news:3C012C76-527C-4A82-8A27-38B70B4B2851@microsoft.com...
    > >> >>>>
    > >> >>>> April 5, 2005
    > >> >>>>
    > >> >>>> It is too dangerous to run it as SYSTEM! I am a Microsoft
    > >> >>>> Certified
    > >> >>>> Application Developer and one of the topics I happen to be certified
    > >> >>>> in
    > >> >>>> is
    > >> >>>> Web Applications and Security. I am not familiar with ClrProfiler,
    > >> >>>> but
    > >> >>>> I
    > >> >>>> HEAVILY am in doubt that it requires the System. I think that the
    > >> >>>> old
    > >> >>>> post
    > >> >>>> was just doing a "quick fix". I am sure that if you were having
    > >> >>>> almost
    > >> >>>> any
    > >> >>>> problem on your computer, it would be fixed by using the System
    > >> >>>> account. For
    > >> >>>> this reason, I doubt that the person was really knowing what was
    > >> >>>> required. I
    > >> >>>> strongly encourage you to research further, or disconnect the
    > >> >>>> computer
    > >> >>>> from
    > >> >>>> the internet and from any intranet whose computers connect to the
    > >> >>>> internet.
    > >> >>>> Then immediately switch back to ASPNET as soon as you are done. I
    > >> >>>> can't
    > >> >>>> emphasize this enough! Sorry for my abruptness. :-) Good luck!
    > >> >>>>
    > >> >>>>
    > >> >>>> Joseph MCAD
    > >> >>>>
    > >> >>>>
    > >> >>>>
    > >> >>>> "Zeng" wrote:
    > >> >>>>
    > >> >>>>> Hi,
    > >> >>>>>
    > >> >>>>> I'm running ClrProfiler for the first time to profile my web app,
    > >> >>>>> and
    > >> >>>>> it
    > >> >>>>> keeps getting stuck at this msg box: "Waiting for Asp.net to start
    > >> >>>>> common
    > >> >>>>> language runtime - this is the time to load your test page." even
    > >> >>>>> after I
    > >> >>>>> launched my app and aspnet_wp.exe is running.
    > >> >>>>>
    > >> >>>>> Do you know what I need to do to fix it? I also found some old
    > >> >>>>> post, a
    > >> >>>>> person mentioned that I need to make sure I need to
    > >> >>>>> run my aspnet with system account instead. Do you know how to do
    > >> >>>>> this
    > >> >>>>> account switching?
    > >> >>>>>
    > >> >>>>> Thanks for your comment and advice.
    > >> >>>>>
    > >> >>>>>
    > >> >>>>>
    > >> >>>
    > >> >>>
    > >> >>
    > >> >>
    > >> >
    > >> >
    > >>
    > >>
    > >>
    >
    >
    >


  • Next message: Derek Knudsen: "RE: Rijndael decryption succeeds SOMETIMES"

    Relevant Pages

    • RE: Hacking to Xp box
      ... Aren't there any more important servers than CEO box? ... In what aspect do you need better security? ... Audit your website security with Acunetix Web Vulnerability Scanner: ... Up to 75% of cyber attacks are launched on shopping carts, forms, ...
      (Pen-Test)
    • Re: How to run aspnet with system account
      ... In all the time it's run, we've had no problems, attacks, ... > Of course, there's always the possibility that we ARE security experts, but ... Even if you only run your own code on your servers, ... >> permanently destroyed unless you work for a giganticly gigantic company ...
      (microsoft.public.dotnet.framework.aspnet.security)
    • Risks Digest 27.16
      ... ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS ... Security Firm Bit9 Hacked, Used to Spread Malware Security Firm ... Super Bowl blackout was caused by electrical relay ... The timing of the attacks coincided ...
      (comp.risks)
    • Re: Pelosi & Reid Will Not Like Progress Cited in Iraq Quarterly Report
      ... This is from 4 pages, less than 10 percent, of the report. ... Reid has called General Petraeus a liar for saying progress had been made in Iraq, and more recently he has called Petraeus and outgoing chairman of the Joint Chiefs,Marine Gen. ... Assessment of the Security Environment— ... the frequency and intensity of attacks on the ...
      (soc.retirement)
    • Re: Pelosi & Reid Will Not Like Progress Cited in Iraq Quarterly Report
      ... This is from 4 pages, less than 10 percent, of the report. ... Reid has called General Petraeus a liar for saying progress had been made in Iraq, and more recently he has called Petraeus and outgoing chairman of the Joint Chiefs,Marine Gen. ... Assessment of the Security Environment— ... the frequency and intensity of attacks on the ...
      (soc.retirement)