HighTechTalks DotNet Forums

Question about dotnet server security

Dotnet FAQs microsoft.public.dotnet.faqs

#1 Jeff Fink
Question about dotnet server security - 10-29-2003 , 11:55 AM

We have a server with dotnet installed that is part of our domain. We're
using the server for web hosting. We don't want the users to be able to
access anything outside of their respective folders on the drive. Do we
need to do anything different than we would for a normal user without
dotnet? We already create a separate admin and anonymous account per web
site and set NTFS permissions accordingly. Is there anything else that
needs to happen to protect the machine from abusive dotnet users?

Thanks,
-Jeff



#2 Jim Blizzard [MSFT]
Re: Question about dotnet server security - 11-03-2003 , 12:12 AM

Hi Jeff,

Thanks for posting to the newsgroup.

Run your ASP.NET web sites using a "least privileged" account, such as
ASPNET (on Windows 2000 and Windows XP) or Network Service (on Windows
Server 2003). Don't run it as SYSTEM, as this is a system-level account.

For the full scoop, you should take a look at:

* Improving Web Application Security: Threats and Countermeasures
(http://msdn.microsoft.com/library/de...-us/dnnetsec/html/ThreatCounter.asp)

and

* Building Secure ASP.NET Applications
(http://msdn.microsoft.com/library/de...-us/dnnetsec/html/secnetlpMSDN.asp?frame=true)

Hope this helps,
- bliz
--
Jim Blizzard, MCSD .NET
Community Developer Evangelist | http://www.microsoft.com/communities
Microsoft

Your Potential. Our Passion.

This posting is provided as is, without warranty, and confers no rights.

"Jeff Fink" <jfinkjfink (AT) yahoo (DOT) com> wrote

Quote:
We have a server with dotnet installed that is part of our domain. We're
using the server for web hosting. We don't want the users to be able to
access anything outside of their respective folders on the drive. Do we
need to do anything different than we would for a normal user without
dotnet? We already create a separate admin and anonymous account per web
site and set NTFS permissions accordingly. Is there anything else that
needs to happen to protect the machine from abusive dotnet users?

Thanks,
-Jeff





#3 Jeff Fink
Re: Question about dotnet server security - 11-06-2003 , 01:04 PM

"Jim Blizzard [MSFT]" <jimblizz (AT) online (DOT) microsoft.com> wrote

Quote:
Run your ASP.NET web sites using a "least privileged" account, such as
ASPNET (on Windows 2000 and Windows XP) or Network Service (on Windows
Server 2003). Don't run it as SYSTEM, as this is a system-level account.

So I have a custom anonymous user (IUSR_myuser) and user account (myuser)
with NTFS permissions set to allow full control to the user's folder and no
other part of the disk. Looks like aspx pages only run if I also add
privileges to the folder for the ASPNET account. This worries me immensely.
Before .net, I set up my user folders so that only the user, the user's
anonymous account, and administrators could access the folder. This stops
myuser1 from writing an ASP page that goes through the disk and can view
myuser2's files. Now that the ASPX page is running in the context of the
ASPNET account, what stops this from happening?

-Jeff




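
Jeff's last question is left open in the thread. The fragment below is an added example, not something from the thread or from the Microsoft articles Jim links: it shows the two ASP.NET 1.1 settings a shared host would normally combine to answer it, per-site impersonation so that a site's pages run as that site's own account rather than as the shared ASPNET process account, and a locked trust level so the CLR itself refuses file access outside the application directory. The site path "Default Web Site/myuser1", the account name "myuser1" and the password value are assumed placeholders.

```xml
<!-- Added example: a per-site lockdown placed in machine.config (ASP.NET 1.1).
     "Default Web Site/myuser1" and the account "myuser1" are assumed placeholders;
     the password is a placeholder, not a real credential. -->
<configuration>
  <!-- allowOverride="false" stops the site's own web.config from switching
       impersonation off or raising the trust level. -->
  <location path="Default Web Site/myuser1" allowOverride="false">
    <system.web>
      <!-- Page code in this site executes as myuser1, not as the shared ASPNET
           account, so the NTFS ACL on myuser2's folder applies to it again. -->
      <identity impersonate="true"
                userName="myuser1"
                password="PLACEHOLDER-see-aspnet_setreg-note" />
      <!-- Medium trust: FileIOPermission covers only the application directory,
           and unmanaged code (P/Invoke) is not granted, so a page cannot open
           files by absolute path elsewhere on the disk even when the process
           account would be allowed to. -->
      <trust level="Medium" originUrl="" />
    </system.web>
  </location>
</configuration>
```

Two practical notes. ASP.NET 1.1 can keep the impersonation credentials encrypted in the registry with aspnet_setreg.exe instead of in clear text in the config file, which is the reason the password above is only a placeholder. And the ASPNET process account still needs read access to each site's content directory, because page compilation runs under the process identity rather than the impersonated one, which is exactly what Jeff observed; the lock above limits what that access can be used for, it does not remove it.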