Velocity Reviews

Velocity Reviews (http://www.velocityreviews.com/forums/index.php)
-   ASP .Net Security (http://www.velocityreviews.com/forums/f62-asp-net-security.html)
-   -   Who is may ASP.NET app supposed to run as? (http://www.velocityreviews.com/forums/t769213-who-is-may-asp-net-app-supposed-to-run-as.html)

David Thielen 12-30-2006 09:47 PM

Who is may ASP.NET app supposed to run as?
 
Hi;

My ASP.NET app (on Windows 2003) is running under IUSR_SERVERNAME. Is this
the correct user for strictest security? I thought best was "NETWORK SERVICE"
or something like that.

And do I need to set this when installing the app? I don't think I am
specifying the user to run under anywhere.

--
thanks - dave
david_at_windward_dot_net
http://www.windwardreports.com

Cubicle Wars - http://www.windwardreports.com/film.htm



David Thielen 12-30-2006 10:24 PM

RE: Who is may ASP.NET app supposed to run as?
 
Weirder and weirder - now it shows it running as me. Maybe we have something
wrong in our installer but it looks like we just create the web application
and never set who it runs as.

we are calling aspnet_regiis -ga "NETWORK SERVICE" and aspnet_regiis -pef
connection_string our_app_root_directory.

Any ideas?

--
thanks - dave
david_at_windward_dot_net
http://www.windwardreports.com

Cubicle Wars - http://www.windwardreports.com/film.htm




"David Thielen" wrote:

> Hi;
>
> My ASP.NET app (on Windows 2003) is running under IUSR_SERVERNAME. Is this
> the correct user for strictest security? I thought best was "NETWORK SERVICE"
> or something like that.
>
> And do I need to set this when installing the app? I don't think I am
> specifying the user to run under anywhere.
>
> --
> thanks - dave
> david_at_windward_dot_net
> http://www.windwardreports.com
>
> Cubicle Wars - http://www.windwardreports.com/film.htm
>
>


David Thielen 12-30-2006 10:26 PM

RE: Who is may ASP.NET app supposed to run as?
 
oops - and also calling:

aspnet_regiis -s W3SVC/1/ROOT/WindwardPortal

--
thanks - dave
david_at_windward_dot_net
http://www.windwardreports.com

Cubicle Wars - http://www.windwardreports.com/film.htm




"David Thielen" wrote:

> Weirder and weirder - now it shows it running as me. Maybe we have something
> wrong in our installer but it looks like we just create the web application
> and never set who it runs as.
>
> we are calling aspnet_regiis -ga "NETWORK SERVICE" and aspnet_regiis -pef
> connection_string our_app_root_directory.
>
> Any ideas?
>
> --
> thanks - dave
> david_at_windward_dot_net
> http://www.windwardreports.com
>
> Cubicle Wars - http://www.windwardreports.com/film.htm
>
>
>
>
> "David Thielen" wrote:
>
> > Hi;
> >
> > My ASP.NET app (on Windows 2003) is running under IUSR_SERVERNAME. Is this
> > the correct user for strictest security? I thought best was "NETWORK SERVICE"
> > or something like that.
> >
> > And do I need to set this when installing the app? I don't think I am
> > specifying the user to run under anywhere.
> >
> > --
> > thanks - dave
> > david_at_windward_dot_net
> > http://www.windwardreports.com
> >
> > Cubicle Wars - http://www.windwardreports.com/film.htm
> >
> >


Dominick Baier 12-31-2006 02:24 AM

RE: Who is may ASP.NET app supposed to run as?
 
you have client impersonation enabled - this will give you the behavior you
see.

W2K has no NETWORK SERVICE account - this was introduced in XP.

On W2k ASP.NET apps run by default as ASPNET.


-----
Dominick Baier (http://www.leastprivilege.com)

> Weirder and weirder - now it shows it running as me. Maybe we have
> something wrong in our installer but it looks like we just create the
> web application and never set who it runs as.
>
> we are calling aspnet_regiis -ga "NETWORK SERVICE" and aspnet_regiis
> -pef connection_string our_app_root_directory.
>
> Any ideas?
>
> Cubicle Wars - http://www.windwardreports.com/film.htm
>
> "David Thielen" wrote:
>
>> Hi;
>>
>> My ASP.NET app (on Windows 2003) is running under IUSR_SERVERNAME. Is
>> this the correct user for strictest security? I thought best was
>> "NETWORK SERVICE" or something like that.
>>
>> And do I need to set this when installing the app? I don't think I am
>> specifying the user to run under anywhere.
>>
>> --
>> thanks - dave
>> david_at_windward_dot_net
>> http://www.windwardreports.com
>> Cubicle Wars - http://www.windwardreports.com/film.htm
>>




David Thielen 12-31-2006 04:05 AM

RE: Who is may ASP.NET app supposed to run as?
 
Ok, found the impersonation and set it to false (no idea how that was ever
true).

I am on Windows 2003, not W2K so NETWORK SERVICE is correct then - yes? And
for WinXP?

For W2K the user is ASPNET - is that user used for anything in Windows 2003
or is it just around because some apps assume it exists from W2K?

We need to set permissions for our logging directory for the ASP.NET app so
is it ok if we grant permissions to NETWORK SERVICE for Windows 2003 & XP,
and to ASPNET for W2K? SHould that cover any standard configuration?

--
thanks - dave
david_at_windward_dot_net
http://www.windwardreports.com

Cubicle Wars - http://www.windwardreports.com/film.htm




"Dominick Baier" wrote:

> you have client impersonation enabled - this will give you the behavior you
> see.
>
> W2K has no NETWORK SERVICE account - this was introduced in XP.
>
> On W2k ASP.NET apps run by default as ASPNET.
>
>
> -----
> Dominick Baier (http://www.leastprivilege.com)
>
> > Weirder and weirder - now it shows it running as me. Maybe we have
> > something wrong in our installer but it looks like we just create the
> > web application and never set who it runs as.
> >
> > we are calling aspnet_regiis -ga "NETWORK SERVICE" and aspnet_regiis
> > -pef connection_string our_app_root_directory.
> >
> > Any ideas?
> >
> > Cubicle Wars - http://www.windwardreports.com/film.htm
> >
> > "David Thielen" wrote:
> >
> >> Hi;
> >>
> >> My ASP.NET app (on Windows 2003) is running under IUSR_SERVERNAME. Is
> >> this the correct user for strictest security? I thought best was
> >> "NETWORK SERVICE" or something like that.
> >>
> >> And do I need to set this when installing the app? I don't think I am
> >> specifying the user to run under anywhere.
> >>
> >> --
> >> thanks - dave
> >> david_at_windward_dot_net
> >> http://www.windwardreports.com
> >> Cubicle Wars - http://www.windwardreports.com/film.htm
> >>

>
>
>


David Thielen 12-31-2006 04:06 AM

RE: Who is may ASP.NET app supposed to run as?
 
Sorry - and what about Vista - what user is default there?

--
thanks - dave
david_at_windward_dot_net
http://www.windwardreports.com

Cubicle Wars - http://www.windwardreports.com/film.htm




"David Thielen" wrote:

> Ok, found the impersonation and set it to false (no idea how that was ever
> true).
>
> I am on Windows 2003, not W2K so NETWORK SERVICE is correct then - yes? And
> for WinXP?
>
> For W2K the user is ASPNET - is that user used for anything in Windows 2003
> or is it just around because some apps assume it exists from W2K?
>
> We need to set permissions for our logging directory for the ASP.NET app so
> is it ok if we grant permissions to NETWORK SERVICE for Windows 2003 & XP,
> and to ASPNET for W2K? SHould that cover any standard configuration?
>
> --
> thanks - dave
> david_at_windward_dot_net
> http://www.windwardreports.com
>
> Cubicle Wars - http://www.windwardreports.com/film.htm
>
>
>
>
> "Dominick Baier" wrote:
>
> > you have client impersonation enabled - this will give you the behavior you
> > see.
> >
> > W2K has no NETWORK SERVICE account - this was introduced in XP.
> >
> > On W2k ASP.NET apps run by default as ASPNET.
> >
> >
> > -----
> > Dominick Baier (http://www.leastprivilege.com)
> >
> > > Weirder and weirder - now it shows it running as me. Maybe we have
> > > something wrong in our installer but it looks like we just create the
> > > web application and never set who it runs as.
> > >
> > > we are calling aspnet_regiis -ga "NETWORK SERVICE" and aspnet_regiis
> > > -pef connection_string our_app_root_directory.
> > >
> > > Any ideas?
> > >
> > > Cubicle Wars - http://www.windwardreports.com/film.htm
> > >
> > > "David Thielen" wrote:
> > >
> > >> Hi;
> > >>
> > >> My ASP.NET app (on Windows 2003) is running under IUSR_SERVERNAME. Is
> > >> this the correct user for strictest security? I thought best was
> > >> "NETWORK SERVICE" or something like that.
> > >>
> > >> And do I need to set this when installing the app? I don't think I am
> > >> specifying the user to run under anywhere.
> > >>
> > >> --
> > >> thanks - dave
> > >> david_at_windward_dot_net
> > >> http://www.windwardreports.com
> > >> Cubicle Wars - http://www.windwardreports.com/film.htm
> > >>

> >
> >
> >


Dominick Baier 12-31-2006 10:09 AM

RE: Who is may ASP.NET app supposed to run as?
 
Default Accounts:

II5.x (W2K/XP) : ASPNET
IIS6/7 (W2K3 / Vista) : NETWORK SERVICE


-----
Dominick Baier (http://www.leastprivilege.com)

> Sorry - and what about Vista - what user is default there?
>
> Cubicle Wars - http://www.windwardreports.com/film.htm
>
> "David Thielen" wrote:
>
>> Ok, found the impersonation and set it to false (no idea how that was
>> ever true).
>>
>> I am on Windows 2003, not W2K so NETWORK SERVICE is correct then -
>> yes? And for WinXP?
>>
>> For W2K the user is ASPNET - is that user used for anything in
>> Windows 2003 or is it just around because some apps assume it exists
>> from W2K?
>>
>> We need to set permissions for our logging directory for the ASP.NET
>> app so is it ok if we grant permissions to NETWORK SERVICE for
>> Windows 2003 & XP, and to ASPNET for W2K? SHould that cover any
>> standard configuration?
>>
>> --
>> thanks - dave
>> david_at_windward_dot_net
>> http://www.windwardreports.com
>> Cubicle Wars - http://www.windwardreports.com/film.htm
>>
>> "Dominick Baier" wrote:
>>
>>> you have client impersonation enabled - this will give you the
>>> behavior you see.
>>>
>>> W2K has no NETWORK SERVICE account - this was introduced in XP.
>>>
>>> On W2k ASP.NET apps run by default as ASPNET.
>>>
>>> -----
>>> Dominick Baier (http://www.leastprivilege.com)
>>>> Weirder and weirder - now it shows it running as me. Maybe we have
>>>> something wrong in our installer but it looks like we just create
>>>> the web application and never set who it runs as.
>>>>
>>>> we are calling aspnet_regiis -ga "NETWORK SERVICE" and
>>>> aspnet_regiis -pef connection_string our_app_root_directory.
>>>>
>>>> Any ideas?
>>>>
>>>> Cubicle Wars - http://www.windwardreports.com/film.htm
>>>>
>>>> "David Thielen" wrote:
>>>>
>>>>> Hi;
>>>>>
>>>>> My ASP.NET app (on Windows 2003) is running under IUSR_SERVERNAME.
>>>>> Is this the correct user for strictest security? I thought best
>>>>> was "NETWORK SERVICE" or something like that.
>>>>>
>>>>> And do I need to set this when installing the app? I don't think I
>>>>> am specifying the user to run under anywhere.
>>>>>
>>>>> --
>>>>> thanks - dave
>>>>> david_at_windward_dot_net
>>>>> http://www.windwardreports.com
>>>>> Cubicle Wars - http://www.windwardreports.com/film.htm





All times are GMT. The time now is 11:11 PM.

Powered by vBulletin®. Copyright ©2000 - 2014, vBulletin Solutions, Inc.
SEO by vBSEO ©2010, Crawlability, Inc.