authentication and impersonation question

Discussion in 'ASP .Net Security' started by djc, Jul 19, 2006.

  1. djc

    djc Guest

    For asp.net applications:
    1) when asp.net impersonation is not set, authentication by IIS happens
    first (if anonymous access is enabled then identity is the IUSR_ account),
    but any resource access (read/write for files etc) is done by the asp.net
    process account (the IIS application pool process account for IIS 6, network
    service). This means NTFS permissions need to be set for that asp.net
    process (or IIS app pool process) account to control access to resources.
    True/false? Correct me if/where wrong.

    2) when asp.net impersonation *is* set, authentication by IIS happens first
    (if anonymous access is enabled then identity is the IUSR_ account), and any
    resource access (read/write for files etc) is done by the IIS account, IUSR_
    if anonymous. This means NTFS permissions need to be set for that IUSR_
    account to control access to resources. True/false? Correct me if/where
    wrong.

    I don't think I have this straight yet.
     
    djc, Jul 19, 2006
    #1

  2. Hi,

    yeah that can be confusing:


    > For asp.net applications:
    > 1) when asp.net impersonation is not set, authentication by IIS
    > happens
    > first (if anonymous access is enabled then identity is the IUSR_
    > account),
    > but any resource access (read/write for files etc) is done by the
    > asp.net
    > process account (the IIS application pool process account for IIS 6,
    > network
    > service). This means NTFS permissions need to be set for that asp.net
    > process (or IIS app pool process) account to control access to
    > resources.
    > True/false? correct me if/where wrong?


    Control access is too much. You need read/read execute/list folder contents
    for the worker process.
    In addition, the FileAuthorizationModule checks if read access is allowed
    on the requested resource for the client (either the auth client or IUSR).


    > 2) when asp.net impersonation *is* set, authentication by IIS happens
    > first (if anonymous access is enabled then identity is the IUSR_
    > account), and any resource access (read/write for files etc) is done
    > by the IIS account, IUSR_ if anonymous. This means NTFS permissions
    > need to be set for that IUSR_ account to control access to resources.
    > True/false? correct me if/where wrong?
    >
    > I don't think I have this straight yet.
    >


    Right. Again, read/rx/lfc is enough.
     
    Dominick Baier, Jul 19, 2006
    #2
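    An added example, not from this thread or either poster: a small ASP.NET
    handler that prints the IIS-authenticated client (what FileAuthorizationModule
    checks) next to the Windows account the request thread actually runs as (what
    NTFS evaluates), and probes a file with that account. Run it once with and
    once without `<identity impersonate="true"/>` in web.config to see the
    effective account change; the handler name, namespace and `probe.txt` path
    are assumptions for the example.

```csharp
// Added example (not from the thread). Classic ASP.NET (System.Web) on IIS.
// Register under a hypothetical path, e.g. in web.config:
//   <httpHandlers><add verb="GET" path="whoami.axd" type="Demo.WhoAmIHandler"/></httpHandlers>
// Then toggle <identity impersonate="true"/> in <system.web> and compare output.
using System;
using System.IO;
using System.Security.Principal;
using System.Web;

namespace Demo
{
    public class WhoAmIHandler : IHttpHandler
    {
        public bool IsReusable { get { return true; } }

        public void ProcessRequest(HttpContext context)
        {
            // Account IIS authenticated (IUSR_ when anonymous access is on).
            // This is the identity FileAuthorizationModule checks read ACLs for.
            string client = (context.User != null && context.User.Identity != null)
                ? context.User.Identity.Name : "(none)";

            // Token the current thread runs under. Without impersonation this is
            // the worker process account (NETWORK SERVICE on IIS 6); with
            // <identity impersonate="true"/> it is the IIS-authenticated client.
            string effective = WindowsIdentity.GetCurrent().Name;

            // Probe a file under the app root using the effective token: this is
            // the access NTFS actually evaluates. probe.txt is a constructed name.
            string probe = context.Server.MapPath("~/probe.txt");
            string result;
            try
            {
                using (FileStream fs = File.OpenRead(probe)) { result = "read ok"; }
            }
            catch (UnauthorizedAccessException) { result = "ACCESS DENIED"; }
            catch (FileNotFoundException) { result = "file not found"; }

            context.Response.ContentType = "text/plain";
            context.Response.Write("IIS client:        " + client + "\n");
            context.Response.Write("Effective account: " + effective + "\n");
            context.Response.Write("Read probe.txt as effective account: " + result + "\n");
        }
    }
}
```

    If the effective account line shows the worker process, grant that account
    read/read execute/list folder contents on the web root; if it shows the client
    (IUSR_ or the authenticated user), that account needs the NTFS entry instead.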

  3. djc

    djc Guest

    Thanks Dominick,

    When I said 'control access' I just meant that was the means by which to
    control access, not to assign permissions to the aspnet process or IUSR_
    that would allow 'them' to control access. I'm just looking to clarify under
    which scenarios what particular account needs NTFS access, whether read or
    rx, or I guess write in the case the application has some feature that
    allows the user to upload files.

    Thanks again.

    "Dominick Baier" <dbaier@pleasepleasenospam_leastprivilege.com> wrote in
    message news:...
    > Hi,
    > yeah that can be confusing:
    >
    >
    >> For asp.net applications:
    >> 1) when asp.net impersonation is not set, authentication by IIS
    >> happens
    >> first (if anonymous access is enabled then identity is the IUSR_
    >> account),
    >> but any resource access (read/write for files etc) is done by the
    >> asp.net
    >> process account (the IIS application pool process account for IIS 6,
    >> network
    >> service). This means NTFS permissions need to be set for that asp.net
    >> process (or IIS app pool process) account to control access to
    >> resources.
    >> True/false? correct me if/where wrong?

    >
    > Control access is too much. You need read/read execute/list folder
    > contents for the worker process
    > In addition the FileAuthorizationModule checks if read access is allowed
    > on the requested resource for the client (either the auth client or IUSR).
    >
    >
    >> 2) when asp.net impersonation *is* set, authentication by IIS happens
    >> first (if anonymous access is enabled then identity is the IUSR_
    >> account), and any resource access (read/write for files etc) is done
    >> by the IIS account, IUSR_ if anonymous. This means NTFS permissions
    >> need to be set for that IUSR_ account to control access to resources.
    >> True/false? correct me if/where wrong?
    >>
    >> I don't think I have this straight yet.
    >>

    >
    > right. Again read/rx/lfc is enough.
    >
    >
     
    djc, Jul 20, 2006
    #3
