Re: aspnet_isapi.dll security limit access to all but 1 file



What you want to do is technically impossible given your requirements.
What is not clear is an understanding of how the IIS 6.0 and ASP.Net
2.0 request pipelines intermingle, so you will want to read and
understand the following blog entries. I still have an unwritten blog
entry to explain what is actually failing with your Attempt #1.

http://blogs.msdn.com/david.wang/archive/2005/10/14/HOWTO_IIS_6_Request_Processing_Basics_Part_1.aspx
http://blogs.msdn.com/david.wang/archive/2005/10/15/Why-Wildcard-application-mapping-can-disable-Default-Document-resolution.aspx
http://blogs.msdn.com/david.wang/archive/2005/10/16/Why-Wildcard-application-mapping-is-not-catching-404s.aspx
http://blogs.msdn.com/david.wang/archive/2005/06/29/IIS_User_Identity_to_Run_Code_Part_2.aspx
http://blogs.msdn.com/david.wang/archive/2006/04/28/HOWTO-Run-Console-Applications-from-IIS6-on-Windows-Server-2003-Part-2.aspx

The closest hack to get what you want is to configure aspnet_Isapi.dll
as a Wildcard application mapping.

The underlying issue is this - your custom authentication/authorization
protocol only applies wherever aspnet_isapi.dll applies, and
aspnet_isapi.dll only applies at the IIS level, not File/Directory
level. Thus, you must make sure that all resource access goes through IIS
(and aspnet_isapi.dll) and not through NTFS File/Directory or anything
else on IIS.

The insecurity of the custom AuthN/AuthZ protocol is permanent because
its trusted computing base (TCB) is the process identity, which is
shared between tom and bob. Thus, if tom has access to that process
identity (such as by calling RevertToSelf()), he can bypass your
AuthN/AuthZ protocol to access bob's resources. And this bypass is
by-design since the TCB is supposed to be able to access both tom and
bob's resources; it is the additional AuthN/AuthZ protocol on top of
the TCB that determines whether tom can actually read bob's
resources.

The only way to have truly secured resources on a shared, multi-user
system is to have real user logins (i.e. real Windows users) for each
user. Only then are your resources locked to your own NT user token
and not a shared user token (TCB), so there is no way to bypass the
security protocol.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
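As an added illustration of the answer above (an example written for this thread, not David's or Jeff's own configuration): a root web.config for the layout Jeff describes, with forms authentication, the two anonymous root files, and per-user folder rules. It assumes a wildcard application mapping to aspnet_isapi.dll is in place so that .pdf/.html/.jpg requests reach ASP.NET's UrlAuthorizationModule at all; the file names and the login page name are assumptions.

```xml
<?xml version="1.0"?>
<!-- Assumed example, not from the thread. Root web.config of /webvirtualdirectory.
     Only requests that IIS routes to aspnet_isapi.dll are subject to these rules,
     so a wildcard application mapping to aspnet_isapi.dll is assumed. Without it,
     .pdf/.html/.jpg are served by IIS's own static file handling and never reach
     ASP.NET, which is why Attempt 2 in the thread had no effect on those files. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- Login page name assumed; membership provider (SQL 2005) assumed configured -->
      <forms loginUrl="Login.aspx" />
    </authentication>
    <!-- Site-wide default: no anonymous access. Rules are evaluated top-down and
         the first match wins; "?" means anonymous users, "*" means everyone. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- The two public files at the root (names assumed) -->
  <location path="index.html">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
  <location path="brochure.pdf">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Per-user folder: only that authenticated user, everyone else denied.
       The same <authorization> block placed in users/tom/web.config (as Jeff
       creates at signup) has the same effect. The deny must follow the allow,
       otherwise the first-match rule denies tom as well. -->
  <location path="users/tom">
    <system.web>
      <authorization>
        <allow users="tom" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Each additional user folder gets an identical block with its own path and user name; as the answer explains, these rules are still enforced by the shared worker process identity, so they do not protect the files from code running inside that process.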



Scanner2001 wrote:
I am trying to limit access to folders in the web per user. I have tried two
different approaches, neither of which I can get to work correctly. I have a
Windows 2003 R2 server, ASP.NET 2.0, FrontPage extensions installed.
My setup looks like this:
/webvirtualdirectory/users/tom/..
/webvirtualdirectory/users/bob/..
etc.. where the webvirtualdirectory is an application.

I am using forms authentication, using sql 2005. I want tom to be able to
access files such as html, pdf, jpg, etc. that he dynamically creates or
uploads to his folder, but not be able to access anything in bob's folder,
including html files. Likewise for bob. The users are created dynamically,
so I do not know who they are ahead of time, nor could I manage them
individually.

Attempt 1:
I have tried adding an additional application extension mapping in the web
site configuration, mapping .pdf to aspnet_isapi.dll (.net 2.0). Then in the
users folder (i.e. users/bob), a web.config is dynamically created when the
user is created that gives the user rights to everything in that folder.
This does not work: no PDFs (or other files such as html) are served by the
server. I receive:
  Error Code 64: Host not available
  Background: The connection to the Web server was lost.

Attempt 2:
I have tried the web configuration tool, supplied with visual studio, to
limit access to the folder for the user, such as bob. This appears to have
no impact on limiting access to files that are not mapped to the
aspnet_isapi.dll. So basically no security on files or folders.

Now I also have some static content at the root level that I do want to
allow anonymous access to, such as 1 pdf file and 1 html file. I believe the
site wide security is set properly for the remainder of the pages because if
I try to go to an aspx page that is not explicitly allowed in the web.config,
the anonymous user is automatically redirected to a login page, and the page
is not shown.

Not sure what I am missing here, any help is greatly appreciated, or if you
think I should post to a different group.

Thanks,
Jeff
