Clarification: IUSR access to the ASP.NET temp folder

Discussion in 'ASP .Net Security' started by pj_servadmin, Jun 13, 2005.

  1. pj_servadmin

    pj_servadmin Guest

    Non-DC, Win 2k3 IIS 6.0 configured accounts. Anonymous User:
    domain\IUSR_<appName>, Application Pool User: domain\<appPoolName>

    I have used NTFS security auditing to confirm that the domain\IUSR_<appName>
    account is attempting access to the \Temporary ASP.NET Files\<appName>
    folder, as shown by the event listed at the end of this post. The resulting
    error message is shown at the end of this post as well.

    In a default configuration, Network Service would have been the identity
    that ran the application pool and IUSR_<machineName> would have allowed
    anonymous access. That folder has NTFS Full access for Network Service, Local
    Service, SYSTEM, IIS_WPG, etc. Notably, IUSR_* is absent, but retains NTFS
    Read rights by virtue of being part of Domain Users group, which is part of
    Local Users group.

    So the questions are:
    Is it correct that a default configuration would have Network Service
    accessing the \Temporary ASP.NET Files\ directory? (not IUSR_<machineName>,
    right?)

    What are the security implications of giving the IUSR_<appName> account NTFS
    full access to the \Temporary ASP.NET Files\ directory?

    What is the \Temporary ASP.NET Files\ directory actually used for?


    *************************
    Event Type: Failure Audit
    Event Source: Security
    Event Category: Object Access
    Event ID: 560
    Date: 6/13/2005
    Time: 9:58:07 AM
    User: DEPT\IUSR_<appName>
    Computer: CARPUS
    Description:
    Object Open:
    Object Server: Security
    Object Type: File
    Object Name: C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\<appName>
    Handle ID: -
    Operation ID: {0,12699212}
    Process ID: 2016
    Image File Name: C:\WINDOWS\system32\inetsrv\w3wp.exe
    Primary User Name: <appPoolName>
    Primary Domain: DEPT
    Primary Logon ID: (0x0,0x985392)
    Client User Name: IUSR_<appName>
    Client Domain: DEPT
    Client Logon ID: (0x0,0xBF76A2)
    Accesses: SYNCHRONIZE
    ReadData (or ListDirectory)
    Privileges: -
    Restricted Sid Count: 0
    Access Mask: 0x100001


    ***************************
    Server Error in '/<appName>' Application.
    --------------------------------------------------------------------------------

    Access to the path "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary
    ASP.NET Files\<appName>\83d3a3b4\56768e79" is denied.
    Description: An unhandled exception occurred during the execution of the
    current web request. Please review the stack trace for more information about
    the error and where it originated in the code.

    Exception Details: System.UnauthorizedAccessException: Access to the path
    "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET
    Files\<appName>\83d3a3b4\56768e79" is denied.

    ASP.NET is not authorized to access the requested resource. Consider
    granting access rights to the resource to the ASP.NET request identity.
    ASP.NET has a base process identity (typically {MACHINE}\ASPNET on IIS 5 or
    Network Service on IIS 6) that is used if the application is not
    impersonating. If the application is impersonating via <identity
    impersonate="true"/>, the identity will be the anonymous user (typically
    IUSR_MACHINENAME) or the authenticated request user.

    To grant ASP.NET write access to a file, right-click the file in Explorer,
    choose "Properties" and select the Security tab. Click "Add" to add the
    appropriate user or group. Highlight the ASP.NET account, and check the boxes
    for the desired access.

    Source Error:

    An unhandled exception was generated during the execution of the current web
    request. Information regarding the origin and location of the exception can
    be identified using the exception stack trace below.

    Stack Trace:

    [UnauthorizedAccessException: Access to the path "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\<appName>\83d3a3b4\56768e79" is denied.]
    System.IO.__Error.WinIOError(Int32 errorCode, String str) +393
    System.IO.Directory.InternalCreateDirectory(String fullPath, String path) +632
    System.IO.Directory.CreateDirectory(String path) +195
    System.Web.Compilation.PreservedAssemblyEntry.DoFirstTimeInit(HttpContext context) +85
    System.Web.Compilation.PreservedAssemblyEntry.EnsureFirstTimeInit(HttpContext context) +97
    System.Web.Compilation.PreservedAssemblyEntry.GetPreservedAssemblyEntry(HttpContext context, String virtualPath, Boolean fApplicationFile) +29
    System.Web.UI.TemplateParser.GetParserCacheItemFromPreservedCompilation() +91
    System.Web.UI.TemplateParser.GetParserCacheItemInternal(Boolean fCreateIfNotFound) +148
    System.Web.UI.TemplateParser.GetParserCacheItemWithNewConfigPath() +125
    System.Web.UI.TemplateParser.GetParserCacheItem() +88
    System.Web.UI.ApplicationFileParser.GetCompiledApplicationType(String inputFile, HttpContext context, ApplicationFileParser& parser) +171
    System.Web.HttpApplicationFactory.CompileApplication(HttpContext context) +43
    System.Web.HttpApplicationFactory.Init(HttpContext context) +484
    System.Web.HttpApplicationFactory.GetApplicationInstance(HttpContext context) +170
    System.Web.HttpRuntime.ProcessRequestInternal(HttpWorkerRequest wr) +414
    --------------------------------------------------------------------------------
    Version Information: Microsoft .NET Framework Version:1.1.4322.573; ASP.NET
    Version:1.1.4322.573
     
    pj_servadmin, Jun 13, 2005
    #1
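    The Event ID 560 record above is the key evidence: Primary User Name is the application pool account hosting w3wp.exe, while Client User Name is the impersonated anonymous account that actually touched the folder, so it is the client identity's ACL entry that decides the outcome. As an added example (not from the post or from Microsoft), here is a small parser that pulls those two identities out of such an event, flags whether the request was impersonating, and decodes the access mask; the sample event is constructed from the fields quoted above.

```python
# Constructed sample: the Event ID 560 Failure Audit from the post, trimmed to the
# fields this example reads (not captured from a live system).
SAMPLE_EVENT = """\
Event ID: 560
User: DEPT\\IUSR_<appName>
Object Name: C:\\WINDOWS\\Microsoft.NET\\Framework\\v1.1.4322\\Temporary ASP.NET Files\\<appName>
Image File Name: C:\\WINDOWS\\system32\\inetsrv\\w3wp.exe
Primary User Name: <appPoolName>
Primary Domain: DEPT
Client User Name: IUSR_<appName>
Client Domain: DEPT
Access Mask: 0x100001
"""

# Subset of the Win32 file ACCESS_MASK bits that appear in object-access audits.
ACCESS_BITS = {
    0x00000001: "ReadData (or ListDirectory)",
    0x00000002: "WriteData (or AddFile)",
    0x00000004: "AppendData (or AddSubdirectory)",
    0x00010000: "DELETE",
    0x00100000: "SYNCHRONIZE",
}

def parse_event(text):
    """Split 'Field: value' lines into a dict; the first colon wins, so 'C:\\' paths survive."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields

def decode_mask(mask):
    """Expand a hex access mask into the named rights that were requested."""
    return [name for bit, name in sorted(ACCESS_BITS.items()) if mask & bit]

def analyse(text):
    """Who the worker process runs as, who the request ran as when access failed, and what was refused."""
    ev = parse_event(text)
    primary = f"{ev['Primary Domain']}\\{ev['Primary User Name']}"
    client = f"{ev['Client Domain']}\\{ev['Client User Name']}"
    return {
        "process_identity": primary,         # app pool account hosting w3wp.exe
        "effective_identity": client,        # impersonated request identity
        "impersonating": primary != client,  # True: the ACL must cover the client
        "denied_access": decode_mask(int(ev["Access Mask"], 16)),
        "object": ev["Object Name"],
    }
```

When the two identities differ, granting rights to the app pool account alone will not clear the error; the decision is whether the impersonated account should be allowed to write there or whether impersonation should be turned off for the compile step.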

  2. pj_servadmin

    pj_servadmin Guest

    More information:
    The content for the site is across a UNC share, so it appears that the
    request transitions into the configured anonymous user account
    (IUSR_<appName>) to retrieve the file, and then attempts to process it, but
    the dynamic compilation requires that the compiled files get stored in the
    \Temporary ASP.NET Files\ folder, a folder that IUSR_<appName> has only read
    rights to.

    Maybe the question now is: is there a way to get the IUSR account to revert
    to self (originally the application pool user ID) automatically before
    attempting compilation?

    Thanks in advance!

     
    pj_servadmin, Jun 13, 2005
    #2
