Restricting ASPNET ACLs without breaking ASPNET (newbie-ish)

Brian Schuth
Scenario: We have a library with objects that host JScript for the execution
of complex validation code. This library is being called by an ASP.NET
application. The ASP.NET process has the USERS role, which means either
malicious or stupid systems developers could write a script that (for
example) instantiates a FileSystemObject, and wipes out huge tracts of hard
disk. To make things worse, there is a legitimate use for the FSO object,
but only in a single directory.

My first blush thought for solving this security ugliness is to give
read-only access to ASPNET to all files, with the exception of the one
directory where it is permitted to cause trouble. My questions are:

* Is this the best way to go about this (Windows Authentication is not an
option for me; neither is junking the JScript hosting)?
* I assume ASPNET needs writing privileges somewhere to get its work done;
is it fairly easy to figure out where this is (I didn't find anything
obvious on MSDN, but I may be getting sloppy...)? Or can I really get away
with just giving ASPNET Read (and Execute) rights only from the disk root,
and then giving Write privileges only where I want it? I'd just go ahead
and try this, but I hate to do mass ACL changes without at least asking
someone who knows better than I about it...


Brian Schuth
Eastport, ME
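
A read-only audit that lists where the ASPNET account, or a group it may act through, already holds an explicit write-type grant, which is the information needed before a mass ACL change like the one the post above describes. This is an added example, not part of the original post; the `$AllowedDir` path and the group list are placeholder assumptions.

```powershell
# Added example: read-only audit; it changes no ACLs.
$Root       = 'C:\'               # tree to audit
$AllowedDir = 'C:\App\Scratch'    # placeholder: the one directory where writes are intended
# Identities the worker process can act as. The ASPNET account name is from the post;
# the group list is an assumption and should match the account's real memberships.
$Identities = @("$env:COMPUTERNAME\ASPNET", 'BUILTIN\Users', 'Everyone',
                'NT AUTHORITY\Authenticated Users')

# Named rights that allow creating, changing or deleting files or their ACLs.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) can appear as raw bits
# in an ACE and are not covered by the named flags above.
$GenericMask = 0x50000000

function Test-WriteAce {
    param([System.Security.AccessControl.FileSystemAccessRule]$Ace)
    if ($Ace.AccessControlType -ne 'Allow') { return $false }
    $bits = [int]$Ace.FileSystemRights
    return (($bits -band $WriteMask) -ne 0) -or (($bits -band $GenericMask) -ne 0)
}

$allowedPrefix = $AllowedDir.TrimEnd('\') + '\'
& {
    Get-Item -LiteralPath $Root -Force
    Get-ChildItem -LiteralPath $Root -Directory -Recurse -Force -ErrorAction SilentlyContinue
} | ForEach-Object {
    $dir = $_.FullName
    # Skip the directory (and its children) where write access is expected.
    if ($dir -eq $AllowedDir -or
        $dir.StartsWith($allowedPrefix, [System.StringComparison]::OrdinalIgnoreCase)) { return }
    # Directories the auditing user cannot read are skipped, not reported.
    try { $acl = Get-Acl -LiteralPath $dir -ErrorAction Stop } catch { return }
    foreach ($ace in $acl.Access) {
        # Report only explicit ACEs: those are where a grant originates;
        # inherited copies below them follow the parent when it is changed.
        if (-not $ace.IsInherited -and
            ($Identities -contains $ace.IdentityReference.Value) -and
            (Test-WriteAce $ace)) {
            [pscustomobject]@{
                Path     = $dir
                Identity = $ace.IdentityReference.Value
                Rights   = $ace.FileSystemRights
            }
        }
    }
} | Sort-Object Path | Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt so fewer directories are skipped as unreadable; each row is a place where tightening the ACL would take write access away from the worker process.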
