Securing Source Code between Virtual Directories

From: Bob Phillips (rphillip@radford.edu)
Date: 08/05/02

• Next message: Consultant®: "Re: Anonymous access Prompts Users for Password"
• Previous message: Paul Lynch: "Re: Anonymous access Prompts Users for Password"
• Next in thread: Bob Phillips: "Securing Source Code between Virtual Directories"
• Reply: Bob Phillips: "Securing Source Code between Virtual Directories"
• Reply: Stefan Schachner[MS]: "RE: Securing Source Code between Virtual Directories"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

From: "Bob Phillips" <rphillip@radford.edu>
Date: Mon, 5 Aug 2002 13:36:44 -0700

I have multiple users with virtual directories on the same
IIS server. The users do NOT have access to any IIS admin
tools. They do have file access to their own virtual
directory folder where they can place html, asp, mdb and
other files. In order to prevent one user from
programmatically accessing source code and data in another
user's directory while running in the context of an ASP
script each virtual directory has been assigned a
different local IUSR account for anonymous access.

I have added the .NET framework to the IIS server. I want
to establish similar security. If a user implements
impersonation so that ASP.NET processes run in the context
of their IUSR account data files (such as .mdb files) can
be easily secured by removing the ASPNET account from
the ACL of the data file. My question is how do I secure
source code? Since, even with impersonation turned on,
all compilation and configuration runs in the context of
the ASPNET account a user is forced to include the ASPNET
account in the ACL of their .aspx and .config files. How
can I prevent one virtual directory user/developer from
(with impersonation off) writing a script which
reads .aspx and/or configuration files from another user's
virtual directory? Am I missing something?

---

• Next message: Consultant®: "Re: Anonymous access Prompts Users for Password"
• Previous message: Paul Lynch: "Re: Anonymous access Prompts Users for Password"
• Next in thread: Bob Phillips: "Securing Source Code between Virtual Directories"
• Reply: Bob Phillips: "Securing Source Code between Virtual Directories"
• Reply: Stefan Schachner[MS]: "RE: Securing Source Code between Virtual Directories"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: Getting aspx pages to render (have web.config) ... Did you install the .NET Framework on the IIS Server you are using? ... did you create a virtual directory pointing to the directory ... I saw a reference in one book that made ... > reference to using the local computer account named ... (microsoft.public.dotnet.framework.aspnet.security) RE: OWC 11 security problem connecting to AS ... only set the anonymous access for this virtual directory and grant the ... account to the anonymous access: ... Then change the data source of the pivottable control in the ... (microsoft.public.office.developer.web.components) Re: FTP permissions with IIS ... >this account ... >the anonymous user will not be able to cd to it. ... but I want to be able to set different permissions ... >> virtual directory shareddocs ... (microsoft.public.windowsxp.security_admin) Re: Accessing Virtural directory on remote machine ... ASP.NET runs as Network Service, ... account configured for Web Application Pools in IIS 6.0. ... create a virtual directory that points to a UNC ... If you are running in IIS6, then by default your code is running as ... (microsoft.public.dotnet.framework.aspnet.security) Help with IIS 6 FTP permission abnormality ... I've set up an IIS 6 FTP site assigning a local user ... I removed the account from the system ... provide ftp access (see User Access group settings ... Virtual directory hosted ... (microsoft.public.inetserver.iis.ftp)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(14)