question about IUSR_server account

Discussion in 'ASP .Net Security' started by Bart, Mar 22, 2007.

  1. Bart

    Bart Guest

    Hi,

    I have an asp.net web application using Anonymous Authentication
    (IUSR_servername) in IIS.
    Account ASPNET is used for the aspx files.
    There are also old asp classic pages which run without problem.

    When looking at the permissions, all pages (aspx and asp) have account
    ASPNET set to Read and the database directory set to Read/Write.

    Nowhere can I see the account IUSR_servername; I thought account
    IUSR_servername acts as anonymous user (for the visitor of the site).
    So my question: why is it not in the permission list of the asp(x) pages?
    Where and when does it act?


    Thanks for explanation
    Bart
     
    Bart, Mar 22, 2007
    #1

  2. On Mar 22, 1:19 pm, "Bart" <> wrote:
    > Hi,
    >
    > I have an asp.net web application using Anonymous Authentication
    > (IUSR_servername) in IIS.
    > Account ASPNET is used for the aspx files.
    > There are also old asp classic pages which run without problem.
    >
    > When looking at the permissions, all pages (aspx and asp) have account
    > ASPNET set to Read and the database directory set to Read/Write.
    >
    > Nowhere can I see the account IUSR_servername; I thought account
    > IUSR_servername acts as anonymous user (for the visitor of the site).
    > So my question: why is it not in the permission list of the asp(x) pages?
    > Where and when does it act?
    >
    > Thanks for explanation
    > Bart


    Bart,
    What other users have permissions? If you post, we can make
    recommendations on locking them down.
     
    Will Platnick, Mar 23, 2007
    #2

  3. Bart

    Bart Guest

    Nothing special:
    All users: read
    ASPNET: read
    Administrators: full

     
    Bart, Mar 24, 2007
    #3
  4. David Wang

    David Wang Guest

    On Mar 24, 2:47 am, "Bart" <> wrote:
    > Nothing special:
    > All users: read
    > ASPNET: read
    > Administrators: full

    http://blogs.msdn.com/david.wang/archive/2005/06/29/IIS_User_Identity_to_Run_Code_Part_2.aspx


    //David
    http://w3-4u.blogspot.com
    http://blogs.msdn.com/David.Wang
    //
     
    David Wang, Mar 24, 2007
    #4
  5. Bart

    Bart Guest

    Thanks, but to be honest, it's not easy to read.
    Can you summarize and tell me:
    which account (obviously not IUSR_server) needs then the right permissions
    for accessing aspx pages?


     
    Bart, Mar 24, 2007
    #5
  6. the account your application runs under.

    IIS5 default: ASPNET
    IIS6 default: NETWORK SERVICE


    -----
    Dominick Baier (http://www.leastprivilege.com)

    Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

     
    Dominick Baier, Mar 24, 2007
    #6
  7. Bart

    Bart Guest

    Thanks.
    And, if you don't mind, for asp classic pages?

     
    Bart, Mar 24, 2007
    #7
  8. On Mar 24, 10:06 am, "Bart" <> wrote:
    > Thanks.
    > And, if you don't mind, for asp classic pages?

    Bart,
    ASP pages run as the IUSR, but IUSR user is probably in "all users"
    group (did you mean Everyone by any chance), which is why it is
    executing. Definitely a security risk. When I set up sites, I copy
    the existing permissions on the root, and then set Administrators and
    System as full, then go assign iusr or .net user permissions
    depending...
     
    Will Platnick, Mar 24, 2007
    #8
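
An added example, not part of any post in this thread: a PowerShell audit of the NTFS permissions on a site folder. It reports broad groups that grant access (the way an unlisted anonymous account can still read pages, as the reply above suggests) and whether the web accounts have entries of their own. The function name, the path and the account names in the demo call are assumptions.

```powershell
# Added example (not from the thread). Requires PowerShell 3.0 or later.
# Assumed values: the path in $WebRoot and the account names in $accounts.

function Get-WebRootAclFinding {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [string[]] $ExpectedIdentity
    )

    # Broad groups are matched by well-known SID so the check does not depend
    # on localized display names such as "Everyone".
    $broad = @{
        'S-1-1-0'      = 'Everyone'
        'S-1-5-11'     = 'Authenticated Users'
        'S-1-5-32-545' = 'BUILTIN\Users'
    }
    # WriteData (0x2) plus GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000),
    # which can appear unmapped on inherit-only entries.
    $writeBits = 0x50000002

    $sidType = [System.Security.Principal.SecurityIdentifier]
    $rules = @((Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType) |
        Where-Object { $_.AccessControlType -eq 'Allow' })

    # Resolve the web identities (worker process account, anonymous account).
    $expected = @{}
    foreach ($name in $ExpectedIdentity) {
        try {
            $sid = ([System.Security.Principal.NTAccount]$name).Translate($sidType).Value
            $expected[$sid] = $name
        } catch {
            [pscustomobject]@{ Principal = $name; Finding = 'AccountNotFound'; Rights = $null }
        }
    }

    foreach ($rule in $rules) {
        $sid      = $rule.IdentityReference.Value
        $isBroad  = $broad.ContainsKey($sid)
        $canWrite = ([int]$rule.FileSystemRights -band $writeBits) -ne 0

        if ($isBroad) {
            # Any web identity that is a member of this group gets access
            # through it without appearing in the permission list itself.
            [pscustomobject]@{ Principal = $broad[$sid]; Finding = 'BroadGroupAllow'; Rights = $rule.FileSystemRights }
        }
        if ($canWrite -and ($isBroad -or $expected.ContainsKey($sid))) {
            # Expected on a database directory, not on script content.
            $who = if ($isBroad) { $broad[$sid] } else { $expected[$sid] }
            [pscustomobject]@{ Principal = $who; Finding = 'WriteAllowed'; Rights = $rule.FileSystemRights }
        }
    }

    # Web identities with no entry of their own: whatever access they have
    # comes from group membership.
    foreach ($sid in $expected.Keys) {
        if (-not ($rules | Where-Object { $_.IdentityReference.Value -eq $sid })) {
            [pscustomobject]@{ Principal = $expected[$sid]; Finding = 'NoDirectAce'; Rights = $null }
        }
    }
}

# Demo call. On IIS6 replace the ASPNET entry with 'NT AUTHORITY\NETWORK SERVICE'.
$WebRoot  = 'C:\Inetpub\wwwroot'   # assumed location of the site content
$accounts = "$env:COMPUTERNAME\ASPNET", "$env:COMPUTERNAME\IUSR_$env:COMPUTERNAME"
if (Test-Path -LiteralPath $WebRoot) {
    Get-WebRootAclFinding -Path $WebRoot -ExpectedIdentity $accounts |
        Format-Table -AutoSize
}
```

A `BroadGroupAllow` row together with a `NoDirectAce` row for the anonymous account matches the situation described in the thread: the pages are served although IUSR_servername is not in the permission list.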
  9. Bart

    Bart Guest

    Thanks for explanation...

    And last point...
    if the Windows Integrated Authentication is used and not Anonymous, is
    then the account of the user himself used?


     
    Bart, Mar 24, 2007
    #9
  10. for ASP yes

    for ASP.NET (by default) no
    -----
    Dominick Baier (http://www.leastprivilege.com)

    Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

     
    Dominick Baier, Mar 24, 2007
    #10
  11. Bart

    Bart Guest

    Thanks

     
    Bart, Mar 24, 2007
    #11