Question about dotnet server security

Jeff Fink

We have a server with dotnet installed that is part of our domain. We're
using the server for web hosting. We don't want the users to be able to
access anything outside of their respective folders on the drive. Do we
need to do anything different than we would for a normal user without
dotnet? We already create a separate admin and anonymous account per web
site and set NTFS permissions accordingly. Is there anything else that
needs to happen to protect the machine from abusive dotnet users?

Thanks,
-Jeff
 

Jim Blizzard [MSFT]

Hi Jeff,

Thanks for posting to the newsgroup.

Run your ASP.NET web sites using a "least privileged" account, such as
ASPNET (on Windows 2000 and Windows XP) or Network Service (on Windows
Server 2003). Don't run it as SYSTEM, as this is a system-level account.

For the full scoop, you should take a look at:

* Improving Web Application Security: Threats and Countermeasures
(http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/ThreatCounter.asp)

and

* Building Secure ASP.NET Applications
(http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/secnetlpMSDN.asp?frame=true)

Hope this helps,
- bliz
--
Jim Blizzard, MCSD .NET
Community Developer Evangelist | http://www.microsoft.com/communities
Microsoft

Your Potential. Our Passion.

This posting is provided as is, without warranty, and confers no rights.
 

Jeff Fink

Jim Blizzard said:
Run your ASP.NET web sites using a "least privileged" account, such as
ASPNET (on Windows 2000 and Windows XP) or Network Service (on Windows
Server 2003). Don't run it as SYSTEM, as this is a system-level account.

So I have a custom anonymous user (IUSR_myuser) and user account (myuser)
with NTFS permissions set to allow full control to the user's folder and no
other part of the disk. Looks like aspx pages only run if I also add
privileges to the folder for the ASPNET account. This worries me immensely.
Before .net, I set up my user folders so that only the user, the user's
anonymous account, and administrators could access the folder. This stops
myuser1 from writing an ASP page that goes through the disk and can view
myuser2's files. Now that the ASPX page is running in the context of the
ASPNET account, what stops this from happening?

-Jeff
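As an added example (not part of the thread, and not code from either poster), here is a PowerShell audit of exactly the condition Jeff describes: it lists which accounts hold read or write rights on each site folder, flags the shared worker identity (ASPNET or Network Service) and broad groups wherever they appear, and reports any non-administrative identity that can reach more than one site's folder. It assumes one folder per web site under D:\Sites and the default identity names; adjust both to your layout.

```powershell
# Added audit example (hypothetical layout, not from the thread).
param(
    [string]   $SitesRoot = 'D:\Sites',      # assumption: one folder per web site
    [string[]] $SharedIdentities = @(        # identities every site's pages run as
        "$env:COMPUTERNAME\ASPNET",          # ASP.NET 1.x on Windows 2000 / XP
        'NT AUTHORITY\NETWORK SERVICE'       # default on Windows Server 2003
    )
)

# Groups that hand every local user a way into a site folder.
$broadGroups = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')

# Rights that let a page read or change the files in a folder.
$contentRights = [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, AppendData, Delete'

function Get-SiteFolderAccess {
    param([string]$Folder)
    $acl = Get-Acl -Path $Folder
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Cast to int: ACLs may carry generic-rights bits outside the enum.
        if (([int]$ace.FileSystemRights -band [int]$contentRights) -eq 0) { continue }
        [pscustomobject]@{
            Folder    = $Folder
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited   # True means it came from the parent folder
        }
    }
}

$access = foreach ($site in Get-ChildItem -Path $SitesRoot -Directory) {
    Get-SiteFolderAccess -Folder $site.FullName
}

# Finding 1: the shared worker identity or a broad group can read/write a site folder.
$shared = $access | Where-Object {
    $SharedIdentities -contains $_.Identity -or $broadGroups -contains $_.Identity
}

# Finding 2: one non-admin identity reaches more than one site folder, so a page
# running as that identity in site A can read site B's files.
$crossSite = $access | Group-Object -Property Identity | Where-Object {
    $_.Name -notmatch 'Administrators|SYSTEM' -and
    @($_.Group.Folder | Select-Object -Unique).Count -gt 1
}

$shared    | Format-Table Folder, Identity, Rights, Inherited -AutoSize
$crossSite | ForEach-Object { '{0} reaches {1} site folders' -f $_.Name, @($_.Group.Folder | Select-Object -Unique).Count }
```

Inherited entries in the output point at an ACE on the parent folder, which is the usual reason the shared identity shows up on every site at once.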