Who is my ASP.NET app supposed to run as?

Discussion in 'ASP .Net Security' started by David Thielen, Dec 30, 2006.

  1. Hi;

    My ASP.NET app (on Windows 2003) is running under IUSR_SERVERNAME. Is this
    the correct user for strictest security? I thought best was "NETWORK SERVICE"
    or something like that.

    And do I need to set this when installing the app? I don't think I am
    specifying the user to run under anywhere.

    --
    thanks - dave
    david_at_windward_dot_net
    http://www.windwardreports.com

    Cubicle Wars - http://www.windwardreports.com/film.htm
    David Thielen, Dec 30, 2006
    #1

  2. Weirder and weirder - now it shows it running as me. Maybe we have something
    wrong in our installer but it looks like we just create the web application
    and never set who it runs as.

    we are calling aspnet_regiis -ga "NETWORK SERVICE" and aspnet_regiis -pef
    connection_string our_app_root_directory.

    Any ideas?

    David Thielen, Dec 30, 2006
    #2

  3. oops - and also calling:

    aspnet_regiis -s W3SVC/1/ROOT/WindwardPortal

    David Thielen, Dec 30, 2006
    #3
  4. you have client impersonation enabled - this will give you the behavior you
    see.

    W2K has no NETWORK SERVICE account - this was introduced in XP.

    On W2k ASP.NET apps run by default as ASPNET.


    -----
    Dominick Baier (http://www.leastprivilege.com)

    Dominick Baier, Dec 31, 2006
    #4
  5. Ok, found the impersonation and set it to false (no idea how that was ever
    true).

    I am on Windows 2003, not W2K so NETWORK SERVICE is correct then - yes? And
    for WinXP?

    For W2K the user is ASPNET - is that user used for anything in Windows 2003
    or is it just around because some apps assume it exists from W2K?

    We need to set permissions for our logging directory for the ASP.NET app so
    is it ok if we grant permissions to NETWORK SERVICE for Windows 2003 & XP,
    and to ASPNET for W2K? Should that cover any standard configuration?

    David Thielen, Dec 31, 2006
    #5
  6. Sorry - and what about Vista - what user is default there?

    David Thielen, Dec 31, 2006
    #6
  7. Default Accounts:

    IIS5.x (W2K/XP) : ASPNET
    IIS6/7 (W2K3 / Vista) : NETWORK SERVICE


    Dominick Baier, Dec 31, 2006
    #7
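
An added example, not code from any poster in this thread: a PowerShell sketch of the two checks the discussion arrives at, namely whether `web.config` turns on impersonation (in which case requests run as the caller or the IIS anonymous user rather than the worker account) and which default worker account should receive rights on the logging directory. The function names and both paths are hypothetical, and the account mapping is only the one given in post #7; an application pool reconfigured to another identity is not detected.

```powershell
# Added example: function names and paths are hypothetical.
function Test-Impersonation {
    param([string]$WebConfigPath)   # absolute path to the app's web.config
    $cfg = New-Object System.Xml.XmlDocument
    $cfg.Load($WebConfigPath)
    # local-name() matches whether or not <configuration> declares an xmlns,
    # and '//' also finds <system.web> nested inside <location> elements.
    $xpath = "//*[local-name()='system.web']/*[local-name()='identity']"
    foreach ($node in $cfg.SelectNodes($xpath)) {
        if ($node.GetAttribute('impersonate') -eq 'true') { return $true }
    }
    return $false   # no <identity> element means the default: impersonate="false"
}

function Get-DefaultWorkerAccount {
    param([int]$IisMajorVersion)
    # Mapping from the thread: IIS 5.x -> ASPNET, IIS 6/7 -> NETWORK SERVICE.
    # ASPNET is a local account, so it is qualified with the machine name.
    if ($IisMajorVersion -le 5) { return "$env:COMPUTERNAME\ASPNET" }
    return 'NT AUTHORITY\NETWORK SERVICE'
}

function Grant-LogDirAccess {
    param([string]$LogDir, [string]$Account)
    $acl  = Get-Acl -Path $LogDir
    # Modify (not FullControl) on this folder, its subfolders and files only.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Account, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $LogDir -AclObject $acl
}

$webConfig = 'C:\Inetpub\wwwroot\ExampleApp\web.config'   # hypothetical
$logDir    = 'C:\Inetpub\wwwroot\ExampleApp\logs'         # hypothetical

if (Test-Impersonation $webConfig) {
    Write-Warning ('impersonate="true": file access is checked against the ' +
        'caller or the IIS anonymous user, not the worker account.')
}

# IIS records its version under this registry key.
$iisMajor = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\InetStp').MajorVersion
$account  = Get-DefaultWorkerAccount $iisMajor
Grant-LogDirAccess -LogDir $logDir -Account $account
Write-Output "Granted Modify on $logDir to $account (IIS $iisMajor)"
```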