How is the ASPNET password managed?

Ken Varn

I notice that ASP.NET has a user that runs on its behalf (ASPNET user). I
am concerned about site security and would like it if someone can explain
the security of the ASPNET user. In particular, is the password managed
automatically in the same way as the IIS password for the anonymous user
account? If this is true, how is the password managed? Is it re-generated
every so often or only once at installation?

Also, I have read various articles on different ASP.NET windows forms
authentication methods. Some code examples use the Win32 LogonUser()
function for WindowsIdentity account validation. Some of these code samples
indicate that the ASPNET user must be granted "Act as Part of the Operating
System" right to do this. How much risk is there to doing this?

Basically, how secure is the ASPNET user account password?

--
-----------------------------------
Ken Varn
Senior Software Engineer
Diebold Inc.

EmailID = varnk
Domain = Diebold.com
-----------------------------------
Cowboy \(Gregory A. Beamer\) [MVP]

It is system created and uses a one-way algorithm. You can set the password
yourself, if you wish (machine.config file). There is also an
IUSR_ComputerName account for IIS, which you can control, if you so desire.
In most instances, it is better to let the machine control both. If the
pwd(s) are compromised, the machine is already owned by someone else.

--
Gregory A. Beamer
MVP; MCP: +I, SE, SD, DBA

************************************************
Think Outside the Box!
************************************************
Scott Allen

Hi Ken:

Inline comments...

I notice that ASP.NET has a user that runs on its behalf (ASPNET user). I
am concerned about site security and would like it if someone can explain
the security of the ASPNET user. In particular, is the password managed
automatically in the same way as the IIS password for the anonymous user
account? If this is true, how is the password managed? Is it re-generated
every so often or only once at installation?

Local service account passwords (like for ASPNET) are managed by the
Local Security Authority (LSA) and kept in the registry under
HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets. If you try to view the
HKEY_LOCAL_MACHINE\SECURITY hive with regedt32, it will appear greyed
out even if you are an admin on the machine, as only the SYSTEM
account has permissions here.

Also, I have read various articles on different ASP.NET windows forms
authentication methods. Some code examples use the Win32 LogonUser()
function for WindowsIdentity account validation. Some of these code samples
indicate that the ASPNET user must be granted "Act as Part of the Operating
System" right to do this. How much risk is there to doing this?

Act as part of the operating system is a relatively high level of
privilege usually reserved for the all-powerful system account. It
allows a process to impersonate any account without authentication. MS
is trying to avoid running services as system where possible.
The good news is, you do not need to grant this privilege on XP or
2003 machines. Hopefully this will work for you.

Basically, how secure is the ASPNET user account password?

Basically, it's only as secure as the other system account passwords
and other machine "secrets" :).

HTH,
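A practical follow-up to Scott's point about the "Act as part of the operating system" right: before (or after) deploying a LogonUser-based sample, an administrator can audit which accounts actually hold that right on the box and whether ASPNET is one of them. The script below is an added example, not code from the thread or from Microsoft. It assumes an elevated PowerShell session on Windows, that secedit.exe is available (it ships with Windows), and that the worker identity is the local ASPNET account named in the thread; the function name Get-TcbPrivilegeHolders and the AccountToCheck parameter are this example's own.

```powershell
# Added example (not from the thread): list the accounts holding
# SeTcbPrivilege ("Act as part of the operating system") and flag the
# ASPNET account if it is among them.
# Assumptions: elevated session; secedit.exe present; the worker identity
# is the local ASPNET account (adjust AccountToCheck for other setups).

function Get-TcbPrivilegeHolders {
    param(
        [string]$AccountToCheck = "$env:COMPUTERNAME\ASPNET"
    )

    $inf = Join-Path $env:TEMP 'secpol-export.inf'
    # secedit exports the effective local policy; USER_RIGHTS limits it to
    # the [Privilege Rights] section, which lists each right and its holders.
    & secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
    if (-not (Test-Path $inf)) { throw 'secedit export failed; run elevated.' }

    # Line of interest looks like: SeTcbPrivilege = *S-1-5-21-...,*S-1-5-...
    $line = Get-Content $inf | Where-Object { $_ -match '^SeTcbPrivilege\s*=' }
    Remove-Item $inf -Force

    $holders = @()
    if ($line) {
        $rhs = ($line -split '=', 2)[1].Trim()
        foreach ($entry in ($rhs -split ',')) {
            $entry = $entry.Trim()
            if ($entry -like '*S-1-*') {
                # Entries are "*SID"; resolve the SID to DOMAIN\name where possible
                try {
                    $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.TrimStart('*'))
                    $holders += $sid.Translate([System.Security.Principal.NTAccount]).Value
                } catch {
                    $holders += $entry   # unresolvable (e.g. deleted account): keep raw SID
                }
            } elseif ($entry) {
                $holders += $entry
            }
        }
    }

    [pscustomobject]@{
        Holders          = $holders
        AspNetHoldsRight = ($holders -contains $AccountToCheck)
    }
}

$result = Get-TcbPrivilegeHolders
"Accounts holding SeTcbPrivilege: $($result.Holders -join ', ')"
if ($result.AspNetHoldsRight) {
    "WARNING: $env:COMPUTERNAME\ASPNET holds 'Act as part of the operating system'."
    "Per the thread this is not needed on XP/2003 for LogonUser; consider removing it."
} else {
    "ASPNET does not hold SeTcbPrivilege."
}
```

If the SeTcbPrivilege line is missing from the export, nobody has been granted the right and Holders comes back empty. Resolving SIDs matters because secedit writes holders as `*SID` rather than account names, so a straight string comparison against "MACHINE\ASPNET" would never match.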
Scott Allen

User account passwords are kept as a hash, but I don't believe local
service account credentials are stored with a one-way algorithm. A
service needs to remember its password to authenticate against an
authority just like a user does. In NT 4 this was a vulnerability for
a time as the passwords were stored in plaintext (encoded, essentially
plaintext), and it was easy to find tools to dump the service account
passwords even though the registry keys were restricted to the system
account. Since NT4 the SAM et al. is encrypted.