Re: Network service default permissions
- From: "Eric Chaves" <eric.dot.chaves@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 27 Jul 2006 10:37:13 -0300
Hi David,
Thanks for the answer, but if you don't mind I'd like to dig into this
subject a little further. Maybe this isn't the best forum to ask those
questions, since the questions aren't strictly IIS related. I started asking
here only because "network service" is an account usually "associated" to
web services. If this post belongs somewhere else, just let me know. Also,
I'm not bringing the subject up to point out "flaws" or "security risks"; my goal
is just to get a deeper understanding of what is going on here.
> Default configuration does not allow Network Service write/create access
> to the filesystem, so what you describe is configuration that you or
> someone else has customized and hence responsible for.
What I described was found in several different Windows 2003 Server
installations and as far as I know none of those received any custom
configuration regarding ACLs; however, I'll not discard this possibility. I
believe it was a "next-next-finish" job, followed by the server's inclusion
into the AD domain. I'll make a fresh install anyway on my development server
this week to check against what I state.
In the meantime, please correct me if I'm wrong, since I'm not a
security specialist. In general ACL permissions are inherited from parent
folders. With that in mind I performed the following steps:
1- I went to a non-system partition (i.e. D:) and checked the ACL
permissions on that folder. Network service was not listed there; checking
the "effective permission" for the D: drive, however, shows that "network
service" does have "Create Folder/Append Data" permission.
2- I then created a new folder, named "New Folder", with all
permissions inherited. Again "Network service" is not listed in NTFS
permissions, but checking the "effective permissions" reveals that now
"network service" has a set of permissions equivalent to "modify".
3- Executed a simple ASPX page which creates a text file "D:\New
Folder\SomeFile.txt". The site running the ASPX page is configured to allow
only anonymous requests and the AppPool identity was set to "network
service".
4- The page was successfully created, being owned by network service (the
creator owner), which grants full control over it. (I usually restrict
creator owner permissions in my "web application folders" to prevent that.)
I checked secsetup.inf and secD.inf (in c:\windows\repair) on the
servers in question but didn't find anything there related to this. I don't
discard, however, that I may be missing something here.
This brings me to the question: where do default ACLs come from (at
least for well-known SIDs)? I mean, if the permission is not explicitly
assigned on the drive/folder, how does Windows calculate the effective
permission for the "network service"?
> "Is this safe to be used" cannot be answered without knowing your security
> requirements. Security is never absolute black/white and always relative
> shades of grey, so it "depends" on knowing more information.
In this context I mean it as a general rule of thumb, since the general
rule of thumb is to run web applications under the network service account. I
totally agree that security is a gray area. In this scenario, a web
application that performs file upload may lead to some insecure scenarios if
the admin does not explicitly change the creator owner permission of the
folders in question, which, you have to agree with me, is not a common
recommendation found in KBs and articles.
> File ACLs/Permissions and Privileges are two separate but interacting
> concepts.
I'm referring only to ACL permissions. Sorry for the wrong terms used.
Cheers,
Eric.
PS: I'm a fan of your blog!! Thanks for the good information you bring to
us.
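The question in the message above ("if the permission is not explicitly assigned, how does Windows calculate the effective permission for network service?") comes down to two mechanics: the access check compares each ACE's SID against every SID in the caller's token (NETWORK SERVICE's token also carries Users, Authenticated Users, Everyone and SERVICE), and the CREATOR OWNER entry is replaced with the creator's own SID when a child is created. The following is an added example, not code from Eric or David nor from Windows; it is a simplified model of those two mechanics. The well-known SIDs and access-mask bits are real values, but `ROOT_DACL` is a constructed DACL shaped like the one the steps describe, `ADMIN_USER` is a placeholder SID, and the inheritance rules are a simplification of NT auto-inheritance (no NO_PROPAGATE, no object-type ACEs).

```python
from dataclasses import dataclass

# Real NTFS access-mask bits (subset). In the ACL editor FILE_WRITE_DATA is
# "Create Files / Write Data" and FILE_APPEND_DATA is "Create Folders / Append Data".
FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA = 0x1, 0x2, 0x4
FILE_READ_EA, FILE_WRITE_EA, FILE_EXECUTE = 0x8, 0x10, 0x20
FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES = 0x80, 0x100
DELETE, READ_CONTROL, WRITE_DAC, SYNCHRONIZE = 0x10000, 0x20000, 0x40000, 0x100000
FULL_CONTROL, READ_EXECUTE = 0x1F01FF, 0x1200A9

# Well-known SIDs (real values) and the groups a NETWORK SERVICE token carries.
ADMINISTRATORS, SYSTEM, USERS = "S-1-5-32-544", "S-1-5-18", "S-1-5-32-545"
CREATOR_OWNER, EVERYONE = "S-1-3-0", "S-1-1-0"
AUTHENTICATED_USERS, SERVICE, NETWORK_SERVICE = "S-1-5-11", "S-1-5-6", "S-1-5-20"
NETWORK_SERVICE_TOKEN = {NETWORK_SERVICE, USERS, AUTHENTICATED_USERS, EVERYONE, SERVICE}
ADMIN_USER = "S-1-5-21-0-0-0-1001"   # constructed placeholder for the human admin account


@dataclass(frozen=True)
class Ace:
    kind: str          # "allow" or "deny"
    sid: str
    mask: int
    flags: frozenset   # subset of {"CI", "OI", "IO"}: container-inherit, object-inherit, inherit-only


def ace(kind, sid, mask, *flags):
    return Ace(kind, sid, mask, frozenset(flags))


# Constructed root-drive DACL shaped like the one the post describes: NETWORK SERVICE is
# not listed, but Users get Create Folders here and Create Files in subfolders, and
# CREATOR OWNER gets Full Control on everything created below the root.
ROOT_DACL = [
    ace("allow", ADMINISTRATORS, FULL_CONTROL, "CI", "OI"),
    ace("allow", SYSTEM, FULL_CONTROL, "CI", "OI"),
    ace("allow", CREATOR_OWNER, FULL_CONTROL, "CI", "OI", "IO"),
    ace("allow", USERS, READ_EXECUTE, "CI", "OI"),
    ace("allow", USERS, FILE_APPEND_DATA, "CI"),          # this folder and subfolders
    ace("allow", USERS, FILE_WRITE_DATA, "CI", "IO"),     # subfolders only
    ace("allow", EVERYONE, READ_EXECUTE),                 # this folder only
]


def inherit(parent_dacl, child_is_dir, creator_sid):
    """Inherited part of a new child's DACL (simplified NT auto-inheritance rules)."""
    child = []
    for a in parent_dacl:
        if child_is_dir:
            if not a.flags & {"CI", "OI"}:
                continue                       # "this folder only" never propagates
            flags = a.flags & {"CI", "OI"}     # keep propagating to grandchildren
            if "CI" not in a.flags:
                flags |= {"IO"}                # files-only ACE rides along, inactive on the folder
        else:
            if "OI" not in a.flags:
                continue                       # not meant for files
            flags = frozenset()                # files have no children to pass ACEs to
        if a.sid == CREATOR_OWNER:
            # Windows stamps a concrete copy for whoever created the object ...
            child.append(Ace(a.kind, creator_sid, a.mask, frozenset()))
            if not child_is_dir:
                continue
            flags |= {"IO"}                    # ... and keeps the template for further inheritance
        child.append(Ace(a.kind, a.sid, a.mask, flags))
    return child


def effective_rights(dacl, token_sids, owner_sid=None):
    """Maximum access for a token: ACEs in order, earlier denies mask later allows,
    inherit-only entries skipped. An owner always gets READ_CONTROL|WRITE_DAC implicitly."""
    denied = allowed = 0
    for a in dacl:
        if "IO" in a.flags or a.sid not in token_sids:
            continue
        if a.kind == "deny":
            denied |= a.mask
        else:
            allowed |= a.mask & ~denied
    if owner_sid in token_sids:
        allowed |= READ_CONTROL | WRITE_DAC
    return allowed


def granting_sids(dacl, token_sids):
    """Token SIDs that matched an active allow ACE: where the unlisted access comes from."""
    return sorted({a.sid for a in dacl
                   if a.kind == "allow" and "IO" not in a.flags and a.sid in token_sids})


def drop_creator_owner(dacl):
    """The hardening the post mentions: stop CREATOR OWNER from handing out Full Control."""
    return [a for a in dacl if a.sid != CREATOR_OWNER]


def walk_scenario(root_dacl):
    """Replay steps 1-4 of the post; return NETWORK SERVICE's effective mask at each stage."""
    folder = inherit(root_dacl, True, ADMIN_USER)        # step 2: admin creates D:\New Folder
    new_file = inherit(folder, False, NETWORK_SERVICE)   # step 3: ASPX page creates SomeFile.txt
    return {
        "root": effective_rights(root_dacl, NETWORK_SERVICE_TOKEN, ADMINISTRATORS),
        "folder": effective_rights(folder, NETWORK_SERVICE_TOKEN, ADMIN_USER),
        "file": effective_rights(new_file, NETWORK_SERVICE_TOKEN, NETWORK_SERVICE),
    }


if __name__ == "__main__":
    print("default:", {k: hex(v) for k, v in walk_scenario(ROOT_DACL).items()})
    print("no CREATOR OWNER:", {k: hex(v) for k, v in walk_scenario(drop_creator_owner(ROOT_DACL)).items()})
    print("granted via:", granting_sids(ROOT_DACL, NETWORK_SERVICE_TOKEN))
```

Run as-is, the model reproduces the shape of steps 1 to 4: at the root NETWORK SERVICE holds Read & Execute plus Create Folders/Append Data purely through its Users membership (`granting_sids` returns Everyone and Users, never S-1-5-20 itself), in the subfolder it additionally gains Create Files, and on the file it created it ends up with Full Control because the inherited CREATOR OWNER entry was stamped with its own SID. Removing the CREATOR OWNER entry brings that file back to Read & Execute, with one caveat the ACL editor does not show as an ACE: the owner of an object always keeps READ_CONTROL and WRITE_DAC, so an account that can create files can always rewrite the DACL of the files it owns unless ownership is also taken away.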
- References:
- Network service default permissions
- From: Eric Chaves
- Re: Network service default permissions
- From: David Wang [Msft]