NTFS rights not honored

Discussion in 'ASP .Net Security' started by Pål Andreassen, Dec 16, 2003.

  1. Running Windows 2003 Server
    Framework 1.1

    A site is configured to use integrated security (in IIS 6)
    Windows authentication and user impersonation in web.config
    <identity impersonate="true" />
    <authentication mode="Windows" />

    I've got an ASPX page that lists folders and files from a predefined
    location on the server. These folders and files have access rights set to
    them by NTFS security. The problem is that everyone can see every file and
    folder, even though NTFS does not permit them.

    How can I expose a file structure for browsing through ASP.NET and
    still honouring NTFS file rights?


    --
    Pål Andreassen

    (ROT13 to reply)
     
    Pål Andreassen, Dec 16, 2003
    #1

  2. You say that everyone can see every file and folder. What you mean is that
    your ASP page will DISPLAY every file and folder, do you not? The reason I
    say that is, there is only ONE account under which that ASP.Net application
    runs, and it is the ASP.Net worker process that is looking at the files and
    folders, and displaying information about them in the browser. The user is
    only looking at the browser, which doesn't require any special permission,
    unless the web site itself requires a Windows login to be viewed, and even
    then, that doesn't affect what user account your ASP.Net worker process is
    running under. It only affects who can view that page.

    --
    HTH,
    Kevin Spencer
    .Net Developer
    Microsoft MVP
    Big things are made up
    of lots of little things.

    "Pål Andreassen" <> wrote in message
    news:Xns9453731695856cnnynaqernffragevzna@207.46.248.16...
    > Running Windows 2003 Server
    > Framework 1.1
    >
    > A site is configured to use integrated security (in IIS 6)
    > Windows authentication and user impersonation in web.config
    > <identity impersonate="true" />
    > <authentication mode="Windows" />
    >
    > I've got an ASPX page that lists folders and files from a predefined
    > location on the server. These folders and files have access rights set to
    > them by NTFS security. The problem is that everyone can see every file and
    > folder, even though NTFS does not permit them.
    >
    > How can I expose a file structure for browsing through ASP.NET and
    > still honouring NTFS file rights?
    >
    >
    > --
    > Pål Andreassen
    >
    > (ROT13 to reply)
     
    Kevin Spencer, Dec 16, 2003
    #2

  3. Since you have Impersonation set to true in the config file this means that
    the IIS authenticated user will be the identity used to access resources
    when the request is made. What type of authentication in IIS are you using?
    If you have it set up to use anonymous then the anonymous user will be the
    account who is accessing the resources. In order to get a better idea of
    who is accessing what you may want to download and run filemon
    (http://www.sysinternals.com). It will list the account that is being used
    to utilize resources. Just run it while you are making a request for the
    page.

    This posting is provided "AS IS" with no warranties, and confers no rights.

    Holly
     
    Holly Mazerolle, Dec 16, 2003
    #3
  4. (Holly Mazerolle) wrote in
    news::

    > Since you have Impersonation set to true in the config file this means
    > that the IIS authenticated user will be the identity used to access
    > resources when the request is made. What type of authentication in IIS
    > are you using? If you have it set up to use anonymous then the
    > anonymous user will be the account who is accessing the resources. In
    > order to get a better idea of who is accessing what you may want to
    > download and run filemon (http://www.sysinternals.com). It will list
    > the account that is being used to utilize resources. Just run it while
    > you are making a request for the page.


    Thanks. I've used filemon before, but did not think of it now. In IIS I'm
    using Integrated security. Basic and anonymous is turned off.

    Since I've got impersonation on in web.config I thought the request would
    be run as the actual logged in user, and not ASPNET.

    --
    Pål Andreassen

    (ROT13 to reply)
     
    Pål Andreassen, Dec 16, 2003
    #4
  5. > Since I've got impersonation on in web.config I thought the request would
    > be run as the actual logged in user, and not ASPNET.

    Yes, I think that is what is happening for you.

    > The problem is that everyone can see every file and folder, even though
    > NTFS does not permit them

    There is a difference between being able to _see_ the file in a directory
    listing and actually being able to read it. Even if you can't read the file
    you can see it! You will need to check whether you can actually read the
    file before showing it in the list to the user.
     
    Norman Rasmussen, Dec 17, 2003
    #5
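
The check suggested in reply #5 (probe each entry before listing it), as an added example that is not part of the original thread. It assumes the request thread is already impersonating the Windows-authenticated caller as configured in the first post; the class and method names `AccessFilteredListing` and `ListReadable` are hypothetical.

```csharp
// Added example, not code from the thread. Assumes the request thread is
// already impersonating the Windows-authenticated caller
// (<identity impersonate="true" /> with Integrated authentication).
using System;
using System.Collections.Generic;
using System.IO;

public static class AccessFilteredListing
{
    // Returns only the entries under 'root' that the current (impersonated)
    // identity can actually open, letting NTFS make the access decision.
    public static List<string> ListReadable(string root)
    {
        var visible = new List<string>();

        foreach (string dir in Directory.GetDirectories(root))
        {
            try
            {
                // Enumerating a folder requires list rights on that folder.
                Directory.GetFileSystemEntries(dir);
                visible.Add(dir + Path.DirectorySeparatorChar);
            }
            catch (UnauthorizedAccessException) { /* denied: hide it */ }
            catch (IOException) { /* removed meanwhile: hide it */ }
        }

        foreach (string file in Directory.GetFiles(root))
        {
            try
            {
                // Open read-only and share fully so the probe blocks nobody.
                using (new FileStream(file, FileMode.Open, FileAccess.Read,
                                      FileShare.ReadWrite | FileShare.Delete))
                {
                    visible.Add(file);
                }
            }
            catch (UnauthorizedAccessException) { /* denied: hide it */ }
            catch (IOException) { /* locked or removed meanwhile: hide it */ }
        }
        return visible;
    }
}
```

The probe only decides what appears in the listing at that moment; the code that later serves a file must open it under the same impersonated identity so NTFS enforces access again at read time.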