question about IUSR_server account
Hi,
I have an asp.net web application using Anonymous Authentication (IUSR_servername) in IIS. Account ASPNET is used for the aspx files. There are also old asp classic pages which run without problem.

When looking at the permissions, all pages (aspx and asp) have account ASPNET set to Read and the database directory set to Read/Write.

Nowhere can I see the account IUSR_servername; I thought account IUSR_servername acts as anonymous user (for the visitor of the site). So my question: why is it not in the permission list of the asp(x) pages? Where and when does it act?

Thanks for explanation
Bart
Re: question about IUSR_server account
On Mar 22, 1:19 pm, "Bart" <b...@sdq.dc> wrote:
> Hi,
>
> I have an asp.net web application using Anonymous Authentication
> (IUSR_servername) in IIS.
> Account ASPNET is used for the aspx files.
> There are also old asp classic pages which run without problem.
>
> When looking at the permissions, all pages (aspx and asp) have account
> ASPNET set to Read and the database directory set to Read/Write.
>
> Nowhere can I see the account IUSR_servername; I thought account
> IUSR_servername acts as anonymous user (for the visitor of the site).
> So my question: why is it not in the permission list of the asp(x) pages?
> Where and when does it act?
>
> Thanks for explanation
> Bart

Bart,

What other users have permissions? If you post, we can make recommendations on locking them down.
Re: question about IUSR_server account
Nothing special:
All users: read
ASPNET: read
Administrators: full

"Will Platnick" <wplatnick@gmail.com> wrote in message news:1174666773.594808.57300@y66g2000hsf.googlegroups.com...
> Bart,
> What other users have permissions? If you post, we can make
> recommendations on locking them down.
Re: question about IUSR_server account
On Mar 24, 2:47 am, "Bart" <b...@sdq.dc> wrote:
> Nothing special:
> All users: read
> ASPNET: read
> Administrators: full

http://blogs.msdn.com/david.wang/arc...de_Part_2.aspx

//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
Re: question about IUSR_server account
Thanks, but to be honest, it's not easy to read.
Can you summarize and tell me: which account (obviously not IUSR_server) needs then the right permissions for accessing aspx pages?

"David Wang" <w3.4you@gmail.com> wrote in message news:1174731228.984028.270190@y80g2000hsf.googlegroups.com...
> http://blogs.msdn.com/david.wang/arc...de_Part_2.aspx
>
> //David
> http://w3-4u.blogspot.com
> http://blogs.msdn.com/David.Wang
> //
Re: question about IUSR_server account
the account your application runs under.

IIS5 default: ASPNET
IIS6 default: NETWORK SERVICE

-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

> Thanks, but to be honest, it's not easy to read.
> Can you summarize and tell me:
> which account (obviously not IUSR_server) needs then the right
> permissions for accessing aspx pages?
Re: question about IUSR_server account
Thanks.
And, if you don't mind, for asp classic pages?

"Dominick Baier" <dbaier@pleasepleasenospam_leastprivilege.com> wrote in message news:51eb3048c4238c93c2c13547110@news.microsoft.com...
> the account your application runs under.
>
> IIS5 default: ASPNET
> IIS6 default: NETWORK SERVICE
>
> -----
> Dominick Baier (http://www.leastprivilege.com)
>
> Developing More Secure Microsoft ASP.NET 2.0 Applications
> (http://www.microsoft.com/mspress/books/9989.asp)
Re: question about IUSR_server account
On Mar 24, 10:06 am, "Bart" <b...@sdq.dc> wrote:
> Thanks.
> And, if you don't mind, for asp classic pages?

Bart,

ASP pages run as the IUSR, but IUSR user is probably in "all users" group (did you mean Everyone by any chance), which is why it is executing. Definitely a security risk. When I set up sites, I copy the existing permissions on the root, and then set Administrators and System as full, then go assign iusr or .net user permissions depending...
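
An audit sketch for the permission layout discussed in this thread, added here as an example and not posted by any participant: it flags ACL entries that grant access through broad groups rather than to the named process and anonymous identities. The machine name `WEB01`, the list of broad principals, the web root path and the reading of "All users" as Everyone are assumptions.

```powershell
# Added example. Flags ALLOW entries that reach a web root through broad groups
# instead of through the specific identities named in this thread.

# Broad principals that also cover the anonymous IUSR_<server> account (assumed list).
$BroadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')

function Get-AceFinding {
    param(
        [Parameter(Mandatory)] $Aces,                         # objects shaped like FileSystemAccessRule
        [Parameter(Mandatory)] [string[]] $ExpectedIdentities # accounts that should hold explicit entries
    )
    foreach ($ace in $Aces) {
        # Deny entries restrict access, so only Allow entries are classified.
        if ([string]$ace.AccessControlType -ne 'Allow') { continue }
        $id = [string]$ace.IdentityReference
        if ($BroadPrincipals -contains $id) {
            $finding = 'BROAD: covers anonymous users'
        } elseif ($ExpectedIdentities -contains $id) {
            $finding = 'expected'
        } else {
            $finding = 'review'
        }
        [pscustomobject]@{
            Identity = $id
            Rights   = [string]$ace.FileSystemRights
            Finding  = $finding
        }
    }
}

# Constructed identities for a hypothetical server WEB01 using the IIS 5 account names.
$expected = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'WEB01\ASPNET', 'WEB01\IUSR_WEB01')

# Constructed ACEs mirroring the list posted in the thread, assuming "All users" means Everyone.
$sampleAces = @(
    [pscustomobject]@{ IdentityReference = 'Everyone';               FileSystemRights = 'Read';        AccessControlType = 'Allow' }
    [pscustomobject]@{ IdentityReference = 'WEB01\ASPNET';           FileSystemRights = 'Read';        AccessControlType = 'Allow' }
    [pscustomobject]@{ IdentityReference = 'BUILTIN\Administrators'; FileSystemRights = 'FullControl'; AccessControlType = 'Allow' }
)
Get-AceFinding -Aces $sampleAces -ExpectedIdentities $expected | Format-Table -AutoSize

# The same check against a live directory; the path is an assumption.
$webRoot = 'C:\Inetpub\wwwroot'
if (Test-Path -Path $webRoot) {
    Get-AceFinding -Aces (Get-Acl -Path $webRoot).Access -ExpectedIdentities $expected |
        Format-Table -AutoSize
}
```

On the constructed sample the Everyone entry is the only one marked BROAD, which matches the explanation above of why the classic ASP pages execute without an explicit IUSR entry.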
Re: question about IUSR_server account
Thanks for explanation...
And last point... if the Windows Integrated Authentication is used and not Anonymous, is then the account of the user himself used?

"Will Platnick" <wplatnick@gmail.com> wrote in message news:1174747831.417922.49780@n59g2000hsh.googlegroups.com...
> Bart,
> ASP pages run as the IUSR, but IUSR user is probably in "all users"
> group (did you mean Everyone by any chance), which is why it is
> executing. Definitely a security risk. When I set up sites, I copy
> the existing permissions on the root, and then set Administrators and
> System as full, then go assign iusr or .net user permissions
> depending...
Re: question about IUSR_server account
for ASP yes
for ASP.NET (by default) no

-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

> Thanks for explanation...
>
> And last point...
> if the Windows Integrated Authentication is used and not Anonymous,
> is then the account of the user himself used?