Clarification: IUSR access to the ASP.NET temp folder

pj_servadmin

Non-DC, Win 2k3 IIS 6.0 configured accounts. Anonymous User:
domain\IUSR_<appName>, Application Pool User: domain\<appPoolName>

I have used NTFS security auditing to confirm that the domain\IUSR_<appName>
account is attempting access to the \Temporary ASP.NET Files\<appName>
folder, as shown by the event listed at the end of this post. Resulting error
message shown at the end of this post as well.

In a default configuration, Network Service would have been the identity
that ran the application pool and IUSR_<machineName> would have allowed
anonymous access. That folder has NTFS Full access for Network Service, Local
Service, SYSTEM, IIS_WPG, etc. Notably, IUSR_* is absent, but retains NTFS
Read rights by virtue of being part of Domain Users group, which is part of
Local Users group.

So the questions are:
Is it correct that a default configuration would have Network Service
accessing the \Temporary ASP.NET Files\ directory? (not IUSR_<machineName>,
right?)

What are the security implications of giving the IUSR_<appName> account NTFS
full access to the \Temporary ASP.NET Files\ directory?

What is the \Temporary ASP.NET Files\ directory actually used for?


*************************
Event Type: Failure Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 6/13/2005
Time: 9:58:07 AM
User: DEPT\IUSR_<appName>
Computer: CARPUS
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\<appName>
Handle ID: -
Operation ID: {0,12699212}
Process ID: 2016
Image File Name: C:\WINDOWS\system32\inetsrv\w3wp.exe
Primary User Name: <appPoolName>
Primary Domain: DEPT
Primary Logon ID: (0x0,0x985392)
Client User Name: IUSR_<appName>
Client Domain: DEPT
Client Logon ID: (0x0,0xBF76A2)
Accesses: SYNCHRONIZE
ReadData (or ListDirectory)
Privileges: -
Restricted Sid Count: 0
Access Mask: 0x100001


***************************
Server Error in '/<appName>' Application.
--------------------------------------------------------------------------------

Access to the path "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\<appName>\83d3a3b4\56768e79" is denied.
Description: An unhandled exception occurred during the execution of the
current web request. Please review the stack trace for more information about
the error and where it originated in the code.

Exception Details: System.UnauthorizedAccessException: Access to the path "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\<appName>\83d3a3b4\56768e79" is denied.

ASP.NET is not authorized to access the requested resource. Consider
granting access rights to the resource to the ASP.NET request identity.
ASP.NET has a base process identity (typically {MACHINE}\ASPNET on IIS 5 or
Network Service on IIS 6) that is used if the application is not
impersonating. If the application is impersonating via <identity
impersonate="true"/>, the identity will be the anonymous user (typically
IUSR_MACHINENAME) or the authenticated request user.

To grant ASP.NET write access to a file, right-click the file in Explorer,
choose "Properties" and select the Security tab. Click "Add" to add the
appropriate user or group. Highlight the ASP.NET account, and check the boxes
for the desired access.

Source Error:

An unhandled exception was generated during the execution of the current web
request. Information regarding the origin and location of the exception can
be identified using the exception stack trace below.

Stack Trace:

[UnauthorizedAccessException: Access to the path "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\<appName>\83d3a3b4\56768e79" is denied.]
System.IO.__Error.WinIOError(Int32 errorCode, String str) +393
System.IO.Directory.InternalCreateDirectory(String fullPath, String path) +632
System.IO.Directory.CreateDirectory(String path) +195
System.Web.Compilation.PreservedAssemblyEntry.DoFirstTimeInit(HttpContext context) +85
System.Web.Compilation.PreservedAssemblyEntry.EnsureFirstTimeInit(HttpContext context) +97
System.Web.Compilation.PreservedAssemblyEntry.GetPreservedAssemblyEntry(HttpContext context, String virtualPath, Boolean fApplicationFile) +29
System.Web.UI.TemplateParser.GetParserCacheItemFromPreservedCompilation() +91
System.Web.UI.TemplateParser.GetParserCacheItemInternal(Boolean fCreateIfNotFound) +148
System.Web.UI.TemplateParser.GetParserCacheItemWithNewConfigPath() +125
System.Web.UI.TemplateParser.GetParserCacheItem() +88
System.Web.UI.ApplicationFileParser.GetCompiledApplicationType(String inputFile, HttpContext context, ApplicationFileParser& parser) +171
System.Web.HttpApplicationFactory.CompileApplication(HttpContext context) +43
System.Web.HttpApplicationFactory.Init(HttpContext context) +484
System.Web.HttpApplicationFactory.GetApplicationInstance(HttpContext context) +170
System.Web.HttpRuntime.ProcessRequestInternal(HttpWorkerRequest wr) +414
 
pj_servadmin

More information:
The content for the site is across a UNC share, so it appears that the
request transitions into the configured anonymous user account
(IUSR_<appName>) to retrieve the file, and then attempts to process it, but
the dynamic compilation requires that the compiled files get stored in the
\Temporary ASP.NET Files\ folder, a folder that IUSR_<appName> has only read
rights to.

Maybe the question now is: is there a way to get the IUSR account to revert
to self (originally the application Pool UserID) automatically before
attempting compilation?

Thanks in advance!



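An added example, not part of the original posts: a Python sketch that reads the Event ID 560 record quoted in the thread, compares the Primary (process) and Client (impersonated) identities to show which account the access check was made against, and decodes the Access Mask. The function names and the trimmed sample record are assumptions made for illustration; the field values are the ones shown in the post.

```python
# Constructed sample: fields copied from the Event ID 560 record in the post,
# with the wrapped Object Name joined onto one line.
SAMPLE_EVENT = r"""Event Type: Failure Audit
Event ID: 560
Object Type: File
Object Name: C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\<appName>
Image File Name: C:\WINDOWS\system32\inetsrv\w3wp.exe
Primary User Name: <appPoolName>
Primary Domain: DEPT
Client User Name: IUSR_<appName>
Client Domain: DEPT
Access Mask: 0x100001
"""

# Standard and file/directory-specific access-right bits (winnt.h values).
ACCESS_BITS = {
    0x00000001: "ReadData/ListDirectory",
    0x00000002: "WriteData/AddFile",
    0x00000004: "AppendData/AddSubdirectory",
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
}

def parse_event(text):
    """Turn 'Name: value' lines into a dict, splitting on the first ': '."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def decode_mask(mask):
    return [name for bit, name in sorted(ACCESS_BITS.items()) if mask & bit]

def analyze(text):
    f = parse_event(text)
    primary = f"{f['Primary Domain']}\\{f['Primary User Name']}"
    client = f"{f['Client Domain']}\\{f['Client User Name']}"
    # A Client identity that differs from the Primary one means the thread was impersonating.
    impersonating = f["Client User Name"] != "-" and client.lower() != primary.lower()
    return {
        "process_identity": primary,
        "effective_identity": client if impersonating else primary,
        "impersonating": impersonating,
        "rights": decode_mask(int(f["Access Mask"], 16)),
        "denied": f["Event Type"] == "Failure Audit",
    }
```

For the record in the post, `analyze(SAMPLE_EVENT)` reports that `w3wp.exe` runs as the application pool account but was impersonating the anonymous account when the access to the temp folder was audited.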
 
