NTFS rights not honored

 
 
Pål Andreassen
      12-16-2003
Running Windows 2003 Server
Framework 1.1

A site is configured to use integrated security (in IIS 6)
Windows authentication and user impersonation in web.config
<identity impersonate="true" />
<authentication mode="Windows" />

I've got an ASPX page that lists folders and files from a predefined
location on the server. These folders and files have access rights set to
them by NTFS security. The problem is that everyone can see every file
and folder, even though NTFS does not permit them.

How can I expose a file structure for browsing through ASP.NET and
still honouring NTFS file rights?


--
Pål Andreassen
(E-Mail Removed)
(ROT13 to reply)
 
Kevin Spencer
      12-16-2003
You say that everyone can see every file and folder. What you mean is that
your ASP page will DISPLAY every file and folder, do you not? The reason I
say that is, there is only ONE account under which that ASP.Net application
runs, and it is the ASP.Net worker process that is looking at the files and
folders, and displaying information about them in the browser. The user is
only looking at the browser, which doesn't require any special permission,
unless the web site itself requires a Windows login to be viewed, and even
then, that doesn't affect what user account your ASP.Net worker process is
running under. It only affects who can view that page.

--
HTH,
Kevin Spencer
.Net Developer
Microsoft MVP
Big things are made up
of lots of little things.

"Pål Andreassen" <(E-Mail Removed)> wrote in message
news:Xns9453731695856cnnynaqernffragevzna@207.46.248.16...
> Running Windows 2003 Server
> Framework 1.1
>
> A site is configured to use integrated security (in IIS 6)
> Windows authentication and user impersonation in web.config
> <identity impersonate="true" />
> <authentication mode="Windows" />
>
> I've got an ASPX page that lists folders and files from a predefined
> location on the server. These folders and files have access rights set to
> them by NTFS security. The problem is that everyone can see every file
> and folder, even though NTFS does not permit them.
>
> How can I expose a file structure for browsing through ASP.NET and
> still honouring NTFS file rights?
>
>
> --
> Pål Andreassen
> (E-Mail Removed)
> (ROT13 to reply)



 
Holly Mazerolle
      12-16-2003
Since you have Impersonation set to true in the config file this means that
the IIS authenticated user will be the identity used to access resources
when the request is made. What type of authentication in IIS are you using?
If you have it set up to use anonymous then the anonymous user will be the
account who is accessing the resources. In order to get a better idea of
who is accessing what you may want to download and run filemon
(http://www.sysinternals.com). It will list the account that is being used
to utilize resources. Just run it while you are making a request for the
page.

This posting is provided "AS IS" with no warranties, and confers no rights.

Holly

 
Pål Andreassen
      12-16-2003
(E-Mail Removed) (Holly Mazerolle) wrote in
news:(E-Mail Removed):

> Since you have Impersonation set to true in the config file this means
> that the IIS authenticated user will be the identity used to access
> resources when the request is made. What type of authentication in IIS
> are you using? If you have it set up to use anonymous then the
> anonymous user will be the account who is accessing the resources. In
> order to get a better idea of who is accessing what you may want to
> download and run filemon (http://www.sysinternals.com). It will list
> the account that is being used to utilize resources. Just run it while
> you are making a request for the page.


Thanks. I've used filemon before, but did not think of it now. In IIS I'm
using Integrated security. Basic and anonymous are turned off.

Since I've got impersonation on in web.config I thought the request would
be run as the actual logged in user, and not ASPNET.

--
Pål Andreassen
(E-Mail Removed)
(ROT13 to reply)
 
Norman Rasmussen
      12-17-2003
> Since I've got impersonation on in web.config I thought the request would
> be run as the actual logged in user, and not ASPNET.

Yes, I think that is what is happening for you.

> The problem is that everyone can see every file and folder, even though
> NTFS does not permit them

There is a difference between being able to _see_ the file in a directory
listing and actually being able to read it. Even if you can't read the file
you can see it! You will need to check whether you can actually read the
file before showing it in the list to the user.
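
One way to implement the check suggested in the last reply, as an added example that is not code from any poster in this thread. It assumes the page runs with `<identity impersonate="true" />` and Windows authentication, so the thread identity is the browsing user; `AccessFilteredListing`, `ListReadable`, `CanRead` and `EffectiveAccount` are hypothetical names, and the syntax is current C# rather than Framework 1.1.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Security.Principal;

// Added example: hypothetical helper, not code from the thread.
public static class AccessFilteredListing
{
    // Returns the entries directly under root that the identity on the
    // current thread can actually open. Enumerating root only needs
    // "List folder contents" on root, which is why unreadable children
    // still show up in a plain directory listing.
    public static List<string> ListReadable(string root)
    {
        var visible = new List<string>();
        foreach (string path in Directory.GetFileSystemEntries(root))
        {
            if (CanRead(path))
                visible.Add(path);
        }
        return visible;
    }

    static bool CanRead(string path)
    {
        try
        {
            if (Directory.Exists(path))
            {
                // Requires list rights on the subfolder itself.
                Directory.GetFileSystemEntries(path);
            }
            else
            {
                // Requires read rights on the file. Permissive sharing
                // keeps files held open by other processes from failing.
                using (File.Open(path, FileMode.Open, FileAccess.Read,
                                 FileShare.ReadWrite | FileShare.Delete)) { }
            }
            return true;
        }
        catch (UnauthorizedAccessException) { return false; } // denied by NTFS
        catch (IOException) { return false; } // locked or removed: fail closed
    }

    // Diagnostic: the account NTFS evaluates for this request.
    public static string EffectiveAccount()
    {
        return WindowsIdentity.GetCurrent().Name;
    }
}
```

Writing `EffectiveAccount()` to the page or a log gives the same answer filemon does: if it shows the worker process account rather than the browsing user, impersonation is not in effect and the filter reflects that account's rights instead.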


 