Security Issues with ASP.Net

Discussion in 'ASP .Net Security' started by Sanjay Poojari, Jul 21, 2003.

  1. Hi All,

    Need some advice on some of the security issues in my ASP.Net application.
    There are certain tasks that I need to implement so need advice/guidance on
    them as well as safeguards that I should implement. The application would
    be typically running on Windows Server 2003 with IIS6 with .Net framework
    1.1

    1. My application saves its settings to the registry. I know that by
    default the Aspnet user does not have rights to edit the registry. My
    Workaround is that I changed the user in processmodel from "machine" to
    "SYSTEM" in the machine.config file. Also in case of 2003 Server, I have to
    explicitly grant full rights to the aspnet user to the registry.

    Somehow I feel that this solution is not a good one and has the potential
    for making the web server unsafe. Any other solutions/workarounds for this
    problem?

    2. My application needs to read/write/create directories from the file
    system on the webserver. I have to explicitly grant the aspnet user full
    access to the directories in question. Any other elegant solution to this
    issue?

    Also, in Windows Server 2003, this does not work if the directory is located
    inside the "Program Files" directory. Does not work even when the aspnet
    user is added to the Administrators group. Why could this be happening?

    Any suggestions/pointers would be appreciated.

    Thanks in advance,
    Sanjay
    Sanjay Poojari, Jul 21, 2003
    #1
    1. Advertising

  2. Most executable programs you run use the local System account to run.
    ASP.Net is no different. There is no Security risk unless some hostile
    person can somehow take control of your ASP.Net app. The aspnet user account
    is more useful if you are, for example, a hosting service, and of course,
    you don't want to grant blanket access to the entire machine to all of your
    hosting clients.
    --
    HTH,

    Kevin Spencer
    Microsoft MVP
    ..Net Developer
    http://www.takempis.com
    Big things are made up of
    lots of little things.

    "Sanjay Poojari" <> wrote in message
    news:%...
    > Hi All,
    >
    > Need some advice on some of the security issues in my ASP.Net application.
    > There are certain tasks that I need to implement so need advice/guidance

    on
    > them as well as safeguards that I should implement. The application would
    > be typically running on Windows Server 2003 with IIS6 with .Net framework
    > 1.1
    >
    > 1. My application saves its settings to the registry. I know that by
    > default the Aspnet user does not have rights to edit the registry. My
    > Workaround is that I changed the user in processmodel from "machine" to
    > "SYSTEM" in the machine.config file. Also in case of 2003 Server, I have

    to
    > explicitly grant full rights to the aspnet user to the registry.
    >
    > Somehow I feel that this solution is not a good one and has the potential
    > for making the web server unsafe. Any other solutions/workarounds for

    this
    > problem?
    >
    > 2. My application needs to read/write/create directories from the file
    > system on the webserver. I have to explicitly grant the aspnet user full
    > access to the directories in question. Any other elegant solution to this
    > issue?
    >
    > Also, in Windows Server 2003, this does not work if the directory is

    located
    > inside the "Program Files" directory. Does not work even when the aspnet
    > user is added to the Administrators group. Why could this be happening?
    >
    > Any suggestions/pointers would be appreciated.
    >
    > Thanks in advance,
    > Sanjay
    >
    >
    Kevin Spencer, Jul 21, 2003
    #2
    1. Advertising

  3. Thanks Kevin!

    Sanjay

    "Kevin Spencer" <> wrote in message
    news:#...
    > Most executable programs you run use the local System account to run.
    > ASP.Net is no different. There is no Security risk unless some hostile
    Sanjay Poojari, Jul 21, 2003
    #3
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Sanjay Poojari

    Security Issues with ASP.Net

    Sanjay Poojari, Jul 21, 2003, in forum: ASP .Net
    Replies:
    2
    Views:
    403
    Sanjay Poojari
    Jul 21, 2003
  2. =?Utf-8?B?UHJpeWE=?=

    asp.net + unmanaged dll security issues

    =?Utf-8?B?UHJpeWE=?=, Nov 1, 2004, in forum: ASP .Net
    Replies:
    2
    Views:
    2,236
    =?Utf-8?B?UHJpeWE=?=
    Nov 2, 2004
  3. kellygreer1

    ASP.NET and Security Issues with WebClient

    kellygreer1, Mar 4, 2008, in forum: ASP .Net
    Replies:
    2
    Views:
    1,946
    kellygreer1
    Mar 5, 2008
  4. Dinis Cruz
    Replies:
    0
    Views:
    176
    Dinis Cruz
    Oct 30, 2003
  5. Priya

    asp.net + unmanaged dll security issues

    Priya, Nov 1, 2004, in forum: ASP .Net Security
    Replies:
    0
    Views:
    102
    Priya
    Nov 1, 2004
Loading...

Share This Page