limit web application access to local directory?

Michael Appelmans

I'm trying to convince a web systems administrator to install ASP.NET on
his web server so I can host a dynamic departmental web site on it. Does
anyone know of a straightforward writeup of what it takes (machine.config
and NTFS file permissions) to limit an anonymous asp.net application to
a specific directory and subdirs so he doesn't have to worry about my
aspx pages wreaking havoc on his server? I am still studying the MS docs
but there are so many details and permutations.

Thanks for any help on this.

Michael
 
richlm

A couple of things you can do:

1. change the anonymous account for the web site through
IIS, to a new one you create just for this purpose. Then
set NTFS perms on appropriate folders.

2. change the account under which ASP.NET runs; see
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetHT01.asp
Not strictly necessary in your scenario. It defaults to
the least privileged ASPNET local account anyway.

You might also find 'food for thought' in MS patterns &
practices book "Building Secure Microsoft ASP.NET
Applications" at:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/secnetlpMSDN.asp
 
Michael Appelmans

Thanks Rich, I found what I was looking for in that patterns book you
suggested.

Specifically, set the trust level in the machine.config file

    <location path="sitepath" allowOverride="false">
      <trust level="low" originUrl="siteUrl" />
    </location>

which in turn invokes

    <IPermission
      class="FileIOPermission"
      version="1"
      Read="$AppDir$"
      PathDiscovery="$AppDir$"
    />

in the web_lowtrust.config file to limit the web application's access to
the local dir, and allowOverride="false" prevents overriding the
settings in the local web.config file. The low trust level also prevents
ASP.NET from calling out to unmanaged code.

I guess this coupled with NTFS file permissions ought to do the trick.

Thanks again.

Michael
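
An added example, not part of the thread: a small Python check an administrator could run over a copy of machine.config to confirm that a site's `<location>` entry pins a restricted trust level and sets `allowOverride="false"`. The site path `Default Web Site/dept`, both sample configs and the `allowed` level list are constructed assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs (not from a real server).
# "Default Web Site/dept" is a hypothetical site path.
WEAK = """<configuration>
  <location path="Default Web Site/dept">
    <system.web><trust level="Full" originUrl="" /></system.web>
  </location>
</configuration>"""

HARDENED = """<configuration>
  <location path="Default Web Site/dept" allowOverride="false">
    <system.web><trust level="Low" originUrl="" /></system.web>
  </location>
</configuration>"""


def audit_trust(config_xml, site_path, allowed=("low", "minimal")):
    """Return a list of findings for site_path; an empty list means locked down.

    `allowed` is this example's policy assumption, not an ASP.NET default.
    """
    root = ET.fromstring(config_xml)
    matches = [loc for loc in root.iter("location")
               if loc.get("path", "").lower() == site_path.lower()]
    if not matches:
        return ["no <location> entry for %r: server-wide trust applies" % site_path]
    findings = []
    for loc in matches:
        trust = loc.find(".//trust")
        if trust is None:
            findings.append("<location> has no <trust> element")
            continue
        level = trust.get("level", "")
        if level.lower() not in allowed:
            findings.append("trust level %r is not in %s" % (level, list(allowed)))
        # allowOverride defaults to true when the attribute is absent
        if loc.get("allowOverride", "true").lower() != "false":
            findings.append("allowOverride is not false: web.config can change the trust level")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_trust(cfg, "Default Web Site/dept"))
```

This only inspects the configuration file; the NTFS permissions mentioned in the thread have to be checked separately.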
 
