Web Site Configuration for remote users

Discussion in 'ASP .Net Security' started by Mikey Baby, Mar 21, 2007.

  1. Mikey Baby

    Mikey Baby Guest

    Greetings all

    I've just re-engineered a small system to use the Roles/Membership and
    ASP.Net Configuration Tool.

    I've configured it for 'From the Internet' access.

    However, I can access the Config Tool by just running it. I don't have to
    login.

    I hunted around and found this:
    C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\web.config

    So I altered it to Forms authentication and did this:
    <authorization>
    <deny users="*"/>
    <allow roles="Manager" />
    </authorization>

    This is slight progress. I can't administer the site anymore - it's looking
    for login.aspx. But this doesn't exist in the folder.

    I know this is probably all because I'm working locally, but I'd like to be
    sure before I roll this out (I don't have a test environment).

    Many thanks

    M.

    MCDBA : MCSD
    Mikey Baby, Mar 21, 2007
    #1
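
The rule order in the snippet above matters: ASP.NET URL authorization reads `<allow>` and `<deny>` elements top to bottom and stops at the first match, so a leading `<deny users="*"/>` also denies members of Manager. The following is an added example, not part of the original post or of the tool's shipped web.config, showing the posted order beside one that lets Manager through; the `~/Login.aspx` path, the HTTPS requirement and the `roleManager` line are assumptions.

```xml
<!-- Added example. Login.aspx is an assumed page name; the page itself must be created. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- When loginUrl is omitted it defaults to login.aspx, which is the
           page the redirect was looking for. requireSSL assumes the site
           is served over HTTPS. -->
      <forms loginUrl="~/Login.aspx" requireSSL="true" protection="All" />
    </authentication>

    <!-- Assumption: roles only match if role management is enabled for
         this application and its provider knows the user. -->
    <roleManager enabled="true" />

    <!-- As posted: the first rule matches every request, so the allow
         below it is never reached and Manager is denied as well.
    <authorization>
      <deny users="*" />
      <allow roles="Manager" />
    </authorization>
    -->

    <!-- Reordered: Manager is matched first, everyone else (anonymous
         users included) falls through to the deny. -->
    <authorization>
      <allow roles="Manager" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>
```

The web.config under the Framework directory is shared by every site on the machine that launches the tool, so an edit there is machine-wide.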

  2. So what are you really trying to achieve?

    use the tool to remote administer the site?
    or prevent remote administration?


    -----
    Dominick Baier (http://www.leastprivilege.com)

    Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

    > Greetings all
    >
    > I've just re-engineered a small system to use the Roles/Membership and
    > ASP.Net Configuration Tool.
    >
    > I've configured it for 'From the Internet' access.
    >
    > However, I can access the Config Tool by just running it. I don't have
    > to login.
    >
    > I hunted around and found this:
    > C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\web.config
    > So I altered it to Forms authentication and did this:
    > <authorization>
    > <deny users="*"/>
    > <allow roles="Manager" />
    > </authorization>
    > This is slight progress. I can't administer the site anymore - it's
    > looking for login.aspx. But this doesn't exist in the folder.
    >
    > I know this is probably all because I'm working locally, but I'd like
    > to be sure before I roll this out (I don't have a test environment).
    >
    > Many thanks
    >
    > M.
    >
    > MCDBA : MCSD
    >
    Dominick Baier, Mar 21, 2007
    #2

  3. Mikey Baby

    Mikey Baby Guest

    > use the tool to remote administer the site?

    However, I'm possibly a little confused.

    Is the ASP.Net Configuration Tool designed for live use? Or is it just
    something for VS2005 to work against?

    My site uses Accounts, Roles etc and I'd like to rip out my custom code and
    use this tool instead. I want my users to create their own accounts and then
    I will add them to the Role that allows access to the PaySite bits.

    So, I guess I want the following:

    1. A proper method to distribute this to my provider (a .net hosting company)
    2. Prevent my users from using it through Forms Authentication

    I'm starting to suspect that this might not be possible. For example; it
    uses the Machine.config file which I won't have access to as I'm using a
    shared host.

    All the info/articles I can find are about standard usage of this Tool
    (Providers, App. Settings etc). Nothing about actually rolling this out.

    Then again, if it's not designed for live use, what's the point?

    Also, on a brand new WS2003 machine, the Config site is there, but still no
    login.aspx page. I think this Tool only works with Windows Authentication?

    M.

    MCDBA : MCSD


    Mikey Baby, Mar 21, 2007
    #3
  4. In theory it works remotely - but if you inspect the source, there is an
    explicit check for local connection...


    So it was designed to be used local only - every other scenario is not officially
    supported (though it will work - but requires thorough testing)

    -----
    Dominick Baier (http://www.leastprivilege.com)

    Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

    >> use the tool to remote administer the site?
    >>

    > However, I'm possibly a little confused.
    >
    > Is the ASP.Net Configuration Tool designed for live use? Or is it just
    > something for VS2005 to work against?
    >
    > My site uses Accounts, Roles etc and I'd like to rip out my custom
    > code and use this tool instead. I want my users to create their own
    > accounts and then I will add them to the Role that allows access to
    > the PaySite bits.
    >
    > So, I guess I want the following:
    >
    > 1. A proper method to distribute this to my provider (a .net hosting
    > company)
    > 2. Prevent my users from using it through Forms Authentication
    >
    > I'm starting to suspect that this might not be possible. For example;
    > it uses the Machine.config file which I won't have access to as I'm
    > using a shared host.
    >
    > All the info/articles I can find are about standard usage of this Tool
    > (Providers, App. Settings etc). Nothing about actually rolling this
    > out.
    >
    > Then again, if it's not designed for live use, what's the point?
    >
    > Also, on a brand new WS2003 machine, the Config site is there, but
    > still no login.aspx page. I think this Tool only works with Windows
    > Authentication?
    >
    > M.
    >
    > MCDBA : MCSD
    >
    > "Dominick Baier" wrote:
    >
    Dominick Baier, Mar 21, 2007
    #4
  5. Mikey Baby

    Mikey Baby Guest

    Well, I've almost got it working. Added a login page, various web.config
    changes, file system permissions etc. Just dealing with the LocalOnly
    hardcode at the moment.

    However, I'm struggling to understand why this was built at all.

    It assumes that it's only being used on the developer's desktop -or- we have
    Remote Desktop connections to the Server. Which, if we did, why not just
    write a Winforms app? Or extend the ASP.Net Config Form in IIS.

    My App is based on multiple, low cost, hosts. I'm lucky if I get a single
    SQL Express DB. Forget about Remote Desktop access or IIS administration.

    Hopefully, I can contribute an Article somewhere explaining how to get this
    running remotely as I equally can't understand why this aspect of the tool
    isn't discussed in other forums. Does no-one use this live?

    Regards and thanks for the input.

    M.

    MCDBA : MCSD
    Mikey Baby, Mar 22, 2007
    #5
  6. Well - I never came across someone who uses it live - and it was never designed
    for that scenario...

    It is for local only stuff...


    -----
    Dominick Baier (http://www.leastprivilege.com)

    Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

    > Well, I've almost got it working. Added a login page, various
    > web.config changes, file system permissions etc. Just dealing with the
    > LocalOnly hardcode at the moment.
    >
    > However, I'm struggling to understand why this was built at all.
    >
    > It assumes that it's only being used on the developer's desktop -or- we
    > have Remote Desktop connections to the Server. Which, if we did, why
    > not just write a Winforms app? Or extend the ASP.Net Config Form in
    > IIS.
    >
    > My App is based on multiple, low cost, hosts. I'm lucky if I get a
    > single SQL Express DB. Forget about Remote Desktop access or IIS
    > administration.
    >
    > Hopefully, I can contribute an Article somewhere explaining how to get
    > this running remotely as I equally can't understand why this aspect of
    > the tool isn't discussed in other forums. Does no-one use this live?
    >
    > Regards and thanks for the input.
    >
    > M.
    >
    > MCDBA : MCSD
    >
    Dominick Baier, Mar 22, 2007
    #6
