ASPNET User ID - Newbie ?'s, apologies

Discussion in 'ASP .Net Security' started by John, Dec 9, 2003.

  1. John

    John Guest

    Sorry for the newbie questions but after looking over
    this and other newsgroups I haven't come across the
    answers:

    I'm trying to determine how I got a User ID = ASPNET with
    "user" privilages on my Win2K desktop. What it's there
    for and what would happen if I deleted or disabled the
    account. Can anyone point me to some direct reading
    material on this - or provide a simple answer? As you can
    see from the questions, I'm fairly new to this subject.
    John, Dec 9, 2003
    #1
    1. Advertising

  2. The ASPNET account is the user account that is set up for ASP.NET to run
    under. It runs under its own account so that this account can be
    specifically granted a limited set of privileges - just enough to run
    ASP.NET applications, and no more. If you are not doing ASP.NET web
    development, then this account isn't doing anything useful for you, nor is
    it harming you.

    --
    Chris Jackson
    Software Engineer
    Microsoft MVP - Windows Client
    Windows XP Associate Expert
    --
    More people read the newsgroups than read my email.
    Reply to the newsgroup for a faster response.
    (Control-G using Outlook Express)
    --

    "John" <> wrote in message
    news:00a401c3be87$3976df60$...
    > Sorry for the newbie questions but after looking over
    > this and other newsgroups I haven't come across the
    > answers:
    >
    > I'm trying to determine how I got a User ID = ASPNET with
    > "user" privilages on my Win2K desktop. What it's there
    > for and what would happen if I deleted or disabled the
    > account. Can anyone point me to some direct reading
    > material on this - or provide a simple answer? As you can
    > see from the questions, I'm fairly new to this subject.
    Chris Jackson, Dec 9, 2003
    #2
    1. Advertising

  3. John

    John Guest

    Chris, Thanks for your speedy and helpful reply. My
    concern as a 'Info Security' guy is that someone could make
    use of a 'standard' ID for purposes other than I might
    intend - OR might use such an ID as an opening point in a
    scripted exploit that I might be able to avoid if I
    actually knew what the heck I was looking at re this ID.
    From your response, it looks as though I'm not going to
    have any problems if I disable the account, so I think
    that's my best tactic for the moment. I would still like
    to know a little more about this...any recommended info
    sites or reading? Again, thanks for your input. John

    >-----Original Message-----
    >The ASPNET account is the user account that is set up for

    ASP.NET to run
    >under. It runs under its own account so that this account

    can be
    >specifically granted a limited set of privileges - just

    enough to run
    >ASP.NET applications, and no more. If you are not doing

    ASP.NET web
    >development, then this account isn't doing anything useful

    for you, nor is
    >it harming you.
    >
    >--
    >Chris Jackson
    >Software Engineer
    >Microsoft MVP - Windows Client
    >Windows XP Associate Expert
    >--
    >More people read the newsgroups than read my email.
    >Reply to the newsgroup for a faster response.
    >(Control-G using Outlook Express)
    >--
    >
    >"John" <> wrote in

    message
    >news:00a401c3be87$3976df60$...
    >> Sorry for the newbie questions but after looking over
    >> this and other newsgroups I haven't come across the
    >> answers:
    >>
    >> I'm trying to determine how I got a User ID = ASPNET

    with
    >> "user" privilages on my Win2K desktop. What it's there
    >> for and what would happen if I deleted or disabled the
    >> account. Can anyone point me to some direct reading
    >> material on this - or provide a simple answer? As you

    can
    >> see from the questions, I'm fairly new to this subject.

    >
    >
    >.
    >
    John, Dec 9, 2003
    #3
  4. What more are you interested in knowing? It's a standard Windows user
    account, with limited privileges that will let it run ASP.NET sites and not
    much else. While it does have some rights (because ASP.NET requires some)
    it's definitely not admin, and it doesn't have a blank password. It's a
    system generated password as well. I don't consider it a security hole, but
    anything you aren't using can clearly be disabled. I don't believe it even
    installs if IIS is not present (although I can't verify this, because I
    don't have any boxes without IIS on them), and IIS is much more of a threat
    surface than a user account with limited privileges and a strong password
    is.

    --
    Chris Jackson
    Software Engineer
    Microsoft MVP - Windows Client
    Windows XP Associate Expert
    --
    More people read the newsgroups than read my email.
    Reply to the newsgroup for a faster response.
    (Control-G using Outlook Express)
    --

    "John" <> wrote in message
    news:1064e01c3be8c$6addde50$...
    > Chris, Thanks for your speedy and helpful reply. My
    > concern as a 'Info Security' guy is that someone could make
    > use of a 'standard' ID for purposes other than I might
    > intend - OR might use such an ID as an opening point in a
    > scripted exploit that I might be able to avoid if I
    > actually knew what the heck I was looking at re this ID.
    > From your response, it looks as though I'm not going to
    > have any problems if I disable the account, so I think
    > that's my best tactic for the moment. I would still like
    > to know a little more about this...any recommended info
    > sites or reading? Again, thanks for your input. John
    >
    > >-----Original Message-----
    > >The ASPNET account is the user account that is set up for

    > ASP.NET to run
    > >under. It runs under its own account so that this account

    > can be
    > >specifically granted a limited set of privileges - just

    > enough to run
    > >ASP.NET applications, and no more. If you are not doing

    > ASP.NET web
    > >development, then this account isn't doing anything useful

    > for you, nor is
    > >it harming you.
    > >
    > >--
    > >Chris Jackson
    > >Software Engineer
    > >Microsoft MVP - Windows Client
    > >Windows XP Associate Expert
    > >--
    > >More people read the newsgroups than read my email.
    > >Reply to the newsgroup for a faster response.
    > >(Control-G using Outlook Express)
    > >--
    > >
    > >"John" <> wrote in

    > message
    > >news:00a401c3be87$3976df60$...
    > >> Sorry for the newbie questions but after looking over
    > >> this and other newsgroups I haven't come across the
    > >> answers:
    > >>
    > >> I'm trying to determine how I got a User ID = ASPNET

    > with
    > >> "user" privilages on my Win2K desktop. What it's there
    > >> for and what would happen if I deleted or disabled the
    > >> account. Can anyone point me to some direct reading
    > >> material on this - or provide a simple answer? As you

    > can
    > >> see from the questions, I'm fairly new to this subject.

    > >
    > >
    > >.
    > >
    Chris Jackson, Dec 9, 2003
    #4
  5. Take a look at the following article for more info:

    317012 INFO: Process and Request Identity in ASP.NET
    http://kb/article.asp?id=Q317012

    This posting is provided "AS IS" with no warranties, and confers no rights.
    Holly Mazerolle, Dec 10, 2003
    #5
  6. Or, if you don't happen to be on the Microsoft LAN, you might try this link:

    http://support.microsoft.com/default.aspx?scid=kb;[LN];317012

    ;-)

    --
    Chris Jackson
    Software Engineer
    Microsoft MVP - Windows Client
    Windows XP Associate Expert
    --
    More people read the newsgroups than read my email.
    Reply to the newsgroup for a faster response.
    (Control-G using Outlook Express)
    --

    "Holly Mazerolle" <> wrote in message
    news:...
    > Take a look at the following article for more info:
    >
    > 317012 INFO: Process and Request Identity in ASP.NET
    > http://kb/article.asp?id=Q317012
    >
    > This posting is provided "AS IS" with no warranties, and confers no

    rights.
    >
    Chris Jackson, Dec 10, 2003
    #6
  7. Holly Mazerolle, Dec 10, 2003
    #7
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. simplibizgmj

    My apologies

    simplibizgmj, Feb 22, 2006, in forum: HTML
    Replies:
    2
    Views:
    462
    nice.guy.nige
    Feb 28, 2006
  2. John Benson

    apologies for a previous post mistitling

    John Benson, Dec 7, 2003, in forum: Python
    Replies:
    0
    Views:
    269
    John Benson
    Dec 7, 2003
  3. Tim Golden

    Apologies

    Tim Golden, Apr 2, 2004, in forum: Python
    Replies:
    1
    Views:
    399
    Peter Hansen
    Apr 2, 2004
  4. Steven O.
    Replies:
    4
    Views:
    380
    Horace
    Aug 17, 2005
  5. Brian Schuth
    Replies:
    0
    Views:
    260
    Brian Schuth
    Sep 8, 2003
Loading...

Share This Page