Re: How to run aspnet with system account

From: Joe Kaplan (MVP - ADSI) (joseph.e.kaplan_at_removethis.accenture.com)
Date: 04/06/05


Date: Wed, 6 Apr 2005 12:48:55 -0500

Wasn't the original point of this to run CLR Profiler on your ASP.NET app?
If that is the case, you do need your worker process to have much higher
privileges than the standard ASPNET or NETWORK SERVICE account. This is due
to the nature of the profiler (requires debug privileges or something; can't
remember details).

In this case, you have two choices. You can either configure a new worker
process identity with the required privileges and set it up for ASPNET or
you can just switch to SYSTEM. SYSTEM is what MS mentions to try in their
documentation as it is the path of least resistance.

I don't think anyone would argue that running ASP.NET in production under
SYSTEM is a very bad idea from a security perspective. However, we are just
talking about doing some code profiling here. The CLR Profiler will make
your web application so slow that you would never consider running it in
production anyway (seconds per request, not the other way around), so I
don't see an issue here. Just change it back when you are done profiling.

Joe K.

"Kevin Spencer" <kevin@DIESPAMMERSDIEtakempis.com> wrote in message
news:eHhcKjqOFHA.904@tk2msftngp13.phx.gbl...
> Hang on a minute guys. This is self-contradictory:
>
>>> It is too dangerous to run it as SYSTEM!
>
>> The *only* reason to change the account used for ASP.NET
>> ( from SYSTEM to ASPNET, and now to Network Service ),
>> was to be able to run ASP.NET in a less-dangerous security context.
>
> In other words, it is either too dangerous to run it as the System
> account, or it is USUALLY too dangerous to run it as the System account.
> Which one is true?
>
> The reason I ask is that we run it as System, and have for years. Why?
> Because it is our servers, and nobody else's. We are not a hosting
> service. And I am in charge of the software that goes on it.
>
> Most executable applications run under the System account.
>
> --
> HTH,
>
> Kevin Spencer
> Microsoft MVP
> .Net Developer
> What You Seek Is What You Get.
>
> "Juan T. Llibre" <nomailreplies@nowhere.com> wrote in message
> news:eyrg$mnOFHA.716@TK2MSFTNGP10.phx.gbl...
>> re:
>>>I can't emphasize this enough!
>>
>> Neither can I.
>>
>> The *only* reason to change the account used for ASP.NET
>> ( from SYSTEM to ASPNET, and now to Network Service ),
>> was to be able to run ASP.NET in a less-dangerous security context.
>>
>> It's amazing to see that this is being deliberately reverted.
>>
>> re:
>>>Sorry for my abruptness. :-)
>>
>> I thought you restrained yourself admirably! :-)
>>
>> For developers to deliberately, or maybe unknowingly,
>> expose themselves to security risks after a product's
>> security configuration was changed to protect them,
>> requires a good rap on the knuckles.
>>
>>
>>
>>
>> Juan T. Llibre
>> ASP.NET MVP
>> http://asp.net.do/foros/
>> ASP.NET forums in Spanish
>> Come, and let's talk about ASP.NET...
>> ======================
>>
>> "Joseph MCAD" <JosephMCAD@discussions.microsoft.com> wrote in message
>> news:3C012C76-527C-4A82-8A27-38B70B4B2851@microsoft.com...
>>>
>>> April 5, 2005
>>>
>>> It is too dangerous to run it as SYSTEM! I am a Microsoft Certified
>>> Application Developer and one of the topics I happen to be certified in
>>> is Web Applications and Security. I am not familiar with ClrProfiler,
>>> but I HEAVILY am in doubt that it requires the System. I think that the
>>> old post was just doing a "quick fix". I am sure that if you were having
>>> almost any problem on your computer, it would be fixed by using the
>>> System account. For this reason, I doubt that the person was really
>>> knowing what was required. I strongly encourage you to research further,
>>> or disconnect the computer from the internet and from any intranet whose
>>> computers connect to the internet. Then immediately switch back to
>>> ASPNET as soon as you are done. I can't emphasize this enough! Sorry for
>>> my abruptness. :-) Good luck!
>>>
>>>
>>> Joseph MCAD
>>>
>>>
>>>
>>> "Zeng" wrote:
>>>
>>>> Hi,
>>>>
>>>> I'm running ClrProfiler for the first time to profile my web app, and
>>>> it keeps getting stuck at this msg box: "Waiting for Asp.net to start
>>>> common language runtime - this is the time to load your test page."
>>>> even after I launched my app and aspnet_wp.exe is running.
>>>>
>>>> Do you know what I need to do to fix it? I also found some old post, a
>>>> person mentioned that I need to make sure I need to run my aspnet with
>>>> system account instead. Do you know how to do this account switching?
>>>>
>>>> Thanks for your comment and advice.
>>>>
>>>>
>>>>
>>
>>
>
>
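
The "change it back when you are done profiling" step above can be checked mechanically. This is an added example, not part of the original thread: it assumes an ASP.NET 1.x host where aspnet_wp.exe takes its identity from the `<processModel userName="...">` attribute in machine.config, and the function name, result labels and sample configurations are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Special userName values understood by <processModel>; "machine" is the
# shipped default and maps to the low-privilege local ASPNET account.
SPECIAL = {
    "machine": "ASPNET (default, low privilege)",
    "system": "LocalSystem (full control of the host)",
}

def audit_process_model(machine_config_xml):
    """Return (identity, finding) for the worker process identity."""
    root = ET.fromstring(machine_config_xml)
    # Match on local name so a default xmlns on <configuration> is tolerated.
    pm = next((e for e in root.iter()
               if e.tag.rsplit("}", 1)[-1] == "processModel"), None)
    # A missing element or attribute falls back to the default identity.
    user = (pm.get("userName") if pm is not None else None) or "machine"
    key = user.strip().lower()
    identity = SPECIAL.get(key, "custom account: " + user)
    if key == "system":
        return identity, "REVERT"   # profiling setting left in place
    if key == "machine":
        return identity, "OK"
    return identity, "REVIEW"       # check which privileges were granted

# Constructed sample configurations (not taken from a real server).
DEFAULT = ('<configuration><system.web><processModel enable="true" '
           'userName="machine" password="AutoGenerate"/>'
           '</system.web></configuration>')
PROFILING = DEFAULT.replace('"machine"', '"SYSTEM"')
CUSTOM = DEFAULT.replace('"machine"', '"WEB01\\profiler_svc"')
NO_ELEMENT = '<configuration><system.web/></configuration>'

if __name__ == "__main__":
    for name, xml in [("default", DEFAULT), ("profiling", PROFILING),
                      ("custom", CUSTOM), ("no element", NO_ELEMENT)]:
        print(name, audit_process_model(xml))
```

Where the application runs in an IIS 6 application pool rather than under aspnet_wp.exe, the identity comes from the pool settings instead, so this check does not apply there.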


