How to run aspnet with system account

 
 
Zeng
 
      04-04-2005
Hi,

I'm running ClrProfiler for the first time to profile my web app, and it
keeps getting stuck at this msg box: "Waiting for Asp.net to start common
language runtime - this is the time to load your test page." even after I
launched my app and aspnet_wp.exe is running.

Do you know what I need to do to fix it? I also found an old post in which a
person mentioned that I need to make sure I
run my aspnet with the system account instead. Do you know how to do this
account switching?

Thanks for your comment and advice.


 
 
 
 
 
James Steele
 
      04-05-2005
Hi Zeng,

You can learn how to create custom accounts to run ASP.NET at the following
link.

http://msdn.microsoft.com/library/de...l/secmod15.asp

Good luck!
 
 
 
 
Kevin Spencer
 
      04-05-2005
Somebody's going to find a whole bunch of old posts exactly like yours,
thanks to cross-posting!

If you own the server, the simplest way is to edit the machine.config file
in your .Net config folder, and change the ProcessModel section to use
"SYSTEM" instead of "MACHINE".

--
HTH,

Kevin Spencer
Microsoft MVP
.Net Developer
What You Seek Is What You Get.
 
Joseph MCAD
 
      04-06-2005

April 5, 2005

It is too dangerous to run it as SYSTEM! I am a Microsoft Certified
Application Developer and one of the topics I happen to be certified in is
Web Applications and Security. I am not familiar with ClrProfiler, but I
HEAVILY am in doubt that it requires the System. I think that the old post
was just doing a "quick fix". I am sure that if you were having almost any
problem on your computer, it would be fixed by using the System account. For
this reason, I doubt that the person was really knowing what was required. I
strongly encourage you to research further, or disconnect the computer from
the internet and from any intranet whose computers connect to the internet.
Then immediately switch back to ASPNET as soon as you are done. I can't
emphasize this enough! Sorry for my abruptness. Good luck!


Joseph MCAD
 
Juan T. Llibre
 
      04-06-2005
re:
>I can't emphasize this enough!


Neither can I.

The *only* reason to change the account used for ASP.NET
( from SYSTEM to ASPNET, and now to Network Service ),
was to be able to run ASP.NET in a less-dangerous security context.

It's amazing to see that this is being deliberately reverted.

re:
>Sorry for my abruptness.


I thought you restrained yourself admirably!

For developers to deliberately, or maybe unknowingly,
expose themselves to security risks after a product's
security configuration was changed to protect them,
requires a good rap on the knuckles.




Juan T. Llibre
ASP.NET MVP
http://asp.net.do/foros/
ASP.NET forums in Spanish
Come, and let's talk about ASP.NET...
======================
 
Kevin Spencer
 
      04-06-2005
Hang on a minute guys. This is self-contradictory:

>> It is too dangerous to run it as SYSTEM!


> The *only* reason to change the account used for ASP.NET
> ( from SYSTEM to ASPNET, and now to Network Service ),
> was to be able to run ASP.NET in a less-dangerous security context.


In other words, it is either too dangerous to run it as the System
account, or it is USUALLY too dangerous to run it as the System account.
Which one is true?

The reason I ask is that we run it as System, and have for years. Why?
Because it is our servers, and nobody else's. We are not a hosting service.
And I am in charge of the software that goes on it.

Most executable applications run under the System account.

--
HTH,

Kevin Spencer
Microsoft MVP
.Net Developer
What You Seek Is What You Get.
 
Juan T. Llibre
 
      04-06-2005
re:
> Hang on a minute guys. This is self-contradictory:


No, it is not.

re:
> In other words, it is either too dangerous to run it in as the System
> account, or it is USUALLY too dangerous to run it as the System account.
> Which one is true?


You're the one making *that* distinction.

What I stated is :
>> The *only* reason to change the account used for ASP.NET
>> ( from SYSTEM to ASPNET, and now to Network Service ),
>> was to be able to run ASP.NET in a less-dangerous security context.


re:
> The reason I ask is that we run it as System, and have for years. Why?
> Because it is our servers, and nobody else's.


If you feel comfortable with that, feel free.

But, please, don't issue a recommendation to
"run ASP.NET under the System account".

That's liable to get a lot of people into trouble.

Getting away from having to use an account with excessive privileges
is the reason why, first, the ASP.NET account was changed from
System to ASPNET and then, later, to Network Service, when
even ASPNET was considered to have too many privileges.

That's almost as bad as running a server logged in as "Administrator".





Juan T. Llibre
ASP.NET MVP
http://asp.net.do/foros/
ASP.NET forums in Spanish
Come, and let's talk about ASP.NET...
======================
Reply With Quote
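
Added example, not part of the original thread or any poster's code: a PowerShell check for the machine.config `processModel` identity this thread argues about, run over three constructed config fragments (the SYSTEM setting, the default `machine` setting, and a custom account). The function name `Test-ProcessModelIdentity`, the sample fragments and the account name `WEB01\svc_aspnet` are assumptions made for illustration.

```powershell
# Added example: classify the identity that <processModel> in machine.config
# assigns to the ASP.NET worker process (aspnet_wp.exe).

function Test-ProcessModelIdentity {
    param(
        [Parameter(Mandatory = $true)][string]$ConfigXml,  # raw machine.config text
        [string]$Source = '(inline sample)'
    )

    $doc = New-Object System.Xml.XmlDocument
    $doc.LoadXml($ConfigXml)
    $node = $doc.SelectSingleNode('/configuration/system.web/processModel')

    if ($null -eq $node) {
        return [pscustomobject]@{
            Source   = $Source
            UserName = $null
            Severity = 'Info'
            Finding  = 'No <processModel> element; nothing overrides the framework default.'
        }
    }

    $user     = $node.GetAttribute('userName')   # empty string when the attribute is absent
    $password = $node.GetAttribute('password')

    # switch -Regex is case-insensitive, so "System" and "SYSTEM" both match.
    switch -Regex ($user) {
        '^system$' {
            $severity = 'High'
            $finding  = 'Worker process runs as LocalSystem; any bug in page code executes with full control of the host.'
            break
        }
        '^machine$' {
            $severity = 'OK'
            $finding  = 'Worker process runs as the low-privileged local ASPNET account.'
            break
        }
        '^$' {
            $severity = 'Info'
            $finding  = 'userName is not set on <processModel>.'
            break
        }
        default {
            $severity = 'Review'
            $finding  = 'Custom account; confirm it is not in Administrators and holds only the rights the app needs.'
            # A literal password is readable by anyone who can read machine.config.
            if ($password -and $password -ne 'AutoGenerate' -and $password -notlike 'registry:*') {
                $severity = 'High'
                $finding += ' Password is stored in clear text in the config file.'
            }
        }
    }

    [pscustomobject]@{
        Source   = $Source
        UserName = $user
        Severity = $severity
        Finding  = $finding
    }
}

# Constructed sample fragments (not taken from any real server).
$samples = [ordered]@{
    'SYSTEM (the change suggested in the thread)' = @'
<configuration>
  <system.web>
    <processModel enable="true" userName="SYSTEM" password="AutoGenerate" />
  </system.web>
</configuration>
'@
    'machine (least-privilege default)' = @'
<configuration>
  <system.web>
    <processModel enable="true" userName="machine" password="AutoGenerate" />
  </system.web>
</configuration>
'@
    'custom account with literal password' = @'
<configuration>
  <system.web>
    <processModel enable="true" userName="WEB01\svc_aspnet" password="constructed-example" />
  </system.web>
</configuration>
'@
}

$results = foreach ($name in $samples.Keys) {
    Test-ProcessModelIdentity -ConfigXml $samples[$name] -Source $name
}
$results | Format-List

# To audit a real host instead of the samples:
# Get-ChildItem "$env:windir\Microsoft.NET\Framework*\v*\CONFIG\machine.config" |
#     ForEach-Object { Test-ProcessModelIdentity -ConfigXml (Get-Content $_.FullName -Raw) -Source $_.FullName }
```

Under IIS 6 worker process isolation mode the worker identity comes from the application pool (Network Service by default), so this check covers only hosts that still use the aspnet_wp.exe process model.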
 
Kevin Spencer
 
      04-06-2005
Hi Juan,

Sorry about the poor choice of words. You were correct. It wasn't
"self-contradictory" other than the fact that you started out by seemingly
agreeing with Joseph, who made a blanket statement. You qualified your
statement, which actually indicated that you only PARTIALLY agreed with
Joseph.

Blanket statements are almost always incorrect. Note that I didn't make a
blanket statement there! Blanket statements are only useful to lazy people
or people that don't have the time to research the reality behind them.

Telling people that you CAN safely run ASP.Net under the System account
under the right circumstances is not likely to get anyone in trouble. Note
that I didn't RECOMMEND it. If people misunderstand, they aren't listening
diligently, and are therefore responsible for their own actions.

I don't like to hide the truth from people in the fear that they will
misunderstand it. Misunderstanding is not truth. It is a lie that someone
tells themselves. What I said was perfectly true. What Joseph said was
imperfectly true. What you said was perfectly true.

The account under which ASP.Net runs is configurable, and includes "System."
Don't tell me that Microsoft made a mistake, by allowing people to do
something they should NEVER do!

--
HTH,

Kevin Spencer
Microsoft MVP
.Net Developer
What You Seek Is What You Get.
 
Joseph MCAD
 
      04-06-2005

April 6, 2005

No security expert would ever agree with you + no security expert would
say that you are security oriented with that frame of mind and lack of
knowledge. Even if you only run your own code on your servers, developers
STILL make mistakes! If you had a simple program that connected to your
database with the SYSTEM account and it had one bug, the attacker could
launch a SQL Injection attack and do everything from corrupting the
registry, stealing data, taking files, deleting audit logs, releasing your IP
address, knocking the server offline, and doing damage that could result in not
being able to boot and therefore render the computer unrecoverable without
changing physical pieces such as the hard drive. If you don't run web
services, I bet you haven't disabled the Documentation protocol either. I
also think that you haven't blocked .Net remoting and .rem and .soap
requests. I can't even begin to give examples of what may happen. If all of
your customer information was taken, then deleted, then audit logs cleared,
and then damaged all of your web servers, your company's reputation would be
permanently destroyed unless you work for a gigantically gigantic company such
as Microsoft. With the way you have been able to run your programs as SYSTEM,
I can already believe that you work for a small business and have no security
experts on your team. (that is besides maybe yourself) I strongly recommend
that you begin to switch back to least privilege........


Joseph MCAD
 
Kevin Spencer
 
      04-06-2005
Well, darn, Joseph. How lucky we've been, considering the "lack of security"
on our system. In all the time it's run, we've had no problems, attacks,
down-time, viruses, trojan horses, or anything else, for several years now.

Thanks for making me feel so lucky!

Of course, there's always the possibility that we ARE security experts, but
thankfully, you have made us realize that it's all been pure luck. I guess
I'll just have to take the MCAD course to become one.

--
,

Kevin Spencer
Microsoft MVP
.Net Developer
What You Seek Is What You Get.

"Joseph MCAD" <(E-Mail Removed)> wrote in message
news(E-Mail Removed)...
>
> April 6, 2005
>
> No security expert would ever agree with you + no security expert
> would
> say that you are security oriented with that frame of mind and lack of
> knowledge. Even if you only run your own code on your servers, developers
> STILL make mistakes! If you had a simple program that connected to your
> database with the SYSTEM account and it had one bug, the attacker could
> launch a SQL Injection attack and do everything from, corrupting the
> registery, stealing data, take files, delete audit logs, release your IP
> address, knock the server offline, and do damage that could result in not
> beening able to boot and therefore render the computer unrecoverable
> without
> changing physical pieces such as the harddrive. If you don't run web
> services, I bet you haven't disabled the Documentation protocol either. I
> also think that you haven't blocked .Net remoting and .rem and .soap
> requests. I can't even begin to give examples of what my happen. If all
> of
> your customer information was taken, then deleted, then audit logs
> cleared,
> and then damaged all of your web servers, your company's reputation would
> be
> permanently destroyed unless you work for a giganticly gigantic company
> such
> as Microsoft. With the way you have been able to run your programs as
> SYSTEM,
> I can already believe that you work for a small business and have no
> security
> experts on your team. (that is besides maybe yourself) I strongly
> recommend
> that you begin to switch back to least privilege........
>
>
> Joseph MCAD
>
>
>
> "Kevin Spencer" wrote:
>
>> Hi Juan,
>>
>> Sorry about the poor choice of words. You were correct. It wasn't
>> "self-contradictory" other than the fact that you started out by seemingly
>> agreeing with Joseph, who made a blanket statement. You qualified your
>> statement, which actually indicated that you only PARTIALLY agreed with
>> Joseph.
>>
>> Blanket statements are almost always incorrect. Note that I didn't make a
>> blanket statement there! Blanket statements are only useful to lazy people
>> or people that don't have the time to research the reality behind them.
>>
>> Telling people that you CAN safely run ASP.Net under the System account
>> under the right circumstances is not likely to get anyone in trouble. Note
>> that I didn't RECOMMEND it. If people misunderstand, they aren't listening
>> diligently, and are therefore responsible for their own actions.
>>
>> I don't like to hide the truth from people in the fear that they will
>> misunderstand it. Misunderstanding is not truth. It is a lie that someone
>> tells themselves. What I said was perfectly true. What Joseph said was
>> imperfectly true. What you said was perfectly true.
>>
>> The account under which ASP.Net runs is configurable, and includes "System."
>> Don't tell me that Microsoft made a mistake, by allowing people to do
>> something they should NEVER do!
>>
>> --
>> HTH,
>>
>> Kevin Spencer
>> Microsoft MVP
>> .Net Developer
>> What You Seek Is What You Get.
>>
>> "Juan T. Llibre" <(E-Mail Removed)> wrote in message
>> news:(E-Mail Removed)...
>> > re:
>> >> Hang on a minute guys. This is self-contradictory:
>> >
>> > No, it is not.
>> >
>> > re:
>> >> In other words, it is either too dangerous to run it in as the System
>> >> account, or it is USUALLY too dangerous to run it as the System account.
>> >> Which one is true?
>> >
>> > You're the one making *that* distinction.
>> >
>> > What I stated is :
>> >>> The *only* reason to change the account used for ASP.NET
>> >>> ( from SYSTEM to ASPNET, and now to Network Service ),
>> >>> was to be able to run ASP.NET in a less-dangerous security context.
>> >
>> > re:
>> >> The reason I ask is that we run it as System, and have for years. Why?
>> >> Because it is our servers, and nobody else's.
>> >
>> > If you feel comfortable with that, feel free.
>> >
>> > But, please, don't issue a recommendation to
>> > "run ASP.NET under the System account".
>> >
>> > That's liable to get a lot of people into trouble.
>> >
>> > Getting away from having to use an account with excessive privileges
>> > is the reason why, first, the ASP.NET account was changed from
>> > System to ASPNET and then, later, to Network Service, when
>> > even ASPNET was considered to have too many privileges.
>> >
>> > That's almost as bad as running a server logged in as "Administrator".
>> >
>> >
>> >
>> >
>> >
>> > Juan T. Llibre
>> > ASP.NET MVP
>> > http://asp.net.do/foros/
>> > Foros de ASP.NET en Español
>> > Ven, y hablemos de ASP.NET...
>> > ======================
>> >
>> > "Kevin Spencer" <(E-Mail Removed)> wrote in message
>> > news:(E-Mail Removed)...
>> >> Hang on a minute guys. This is self-contradictory:
>> >>
>> >>>> It is too dangerous to run it as SYSTEM!
>> >>
>> >>> The *only* reason to change the account used for ASP.NET
>> >>> ( from SYSTEM to ASPNET, and now to Network Service ),
>> >>> was to be able to run ASP.NET in a less-dangerous security context.
>> >>
>> >> In other words, it is either too dangerous to run it in as the System
>> >> account, or it is USUALLY too dangerous to run it as the System account.
>> >> Which one is true?
>> >>
>> >> The reason I ask is that we run it as System, and have for years. Why?
>> >> Because it is our servers, and nobody else's. We are not a hosting
>> >> service. And I am in charge of the software that goes on it.
>> >>
>> >> Most executable applications run under the System account.
>> >>
>> >> --
>> >> HTH,
>> >>
>> >> Kevin Spencer
>> >> Microsoft MVP
>> >> .Net Developer
>> >> What You Seek Is What You Get.
>> >>
>> >> "Juan T. Llibre" <(E-Mail Removed)> wrote in message
>> >> news:eyrg$(E-Mail Removed)...
>> >>> re:
>> >>>>I can't emphasize this enough!
>> >>>
>> >>> Neither can I.
>> >>>
>> >>> The *only* reason to change the account used for ASP.NET
>> >>> ( from SYSTEM to ASPNET, and now to Network Service ),
>> >>> was to be able to run ASP.NET in a less-dangerous security context.
>> >>>
>> >>> It's amazing to see that this is being deliberately reverted.
>> >>>
>> >>> re:
>> >>>>Sorry for my abruptness.
>> >>>
>> >>> I thought you restrained yourself admirably!
>> >>>
>> >>> For developers to deliberately, or maybe unknowingly,
>> >>> expose themselves to security risks after a product's
>> >>> security configuration was changed to protect them,
>> >>> requires a good rap on the knuckles.
>> >>>
>> >>>
>> >>>
>> >>>
>> >>> Juan T. Llibre
>> >>> ASP.NET MVP
>> >>> http://asp.net.do/foros/
>> >>> Foros de ASP.NET en Español
>> >>> Ven, y hablemos de ASP.NET...
>> >>> ======================
>> >>>
>> >>> "Joseph MCAD" <(E-Mail Removed)> wrote in message
>> >>> news:(E-Mail Removed)...
>> >>>>
>> >>>> April 5, 2005
>> >>>>
>> >>>> It is too dangerous to run it as SYSTEM! I am a Microsoft Certified
>> >>>> Application Developer and one of the topics I happen to be certified
>> >>>> in is Web Applications and Security. I am not familiar with
>> >>>> ClrProfiler, but I HEAVILY am in doubt that it requires the System. I
>> >>>> think that the old post was just doing a "quick fix". I am sure that
>> >>>> if you were having almost any problem on your computer, it would be
>> >>>> fixed by using the System account. For this reason, I doubt that the
>> >>>> person was really knowing what was required. I strongly encourage you
>> >>>> to research further, or disconnect the computer from the internet and
>> >>>> from any intranet whose computers connect to the internet. Then
>> >>>> immediately switch back to ASPNET as soon as you are done. I can't
>> >>>> emphasize this enough! Sorry for my abruptness. Good luck!
>> >>>>
>> >>>>
>> >>>> Joseph MCAD
>> >>>>
>> >>>>
>> >>>>
>> >>>> "Zeng" wrote:
>> >>>>
>> >>>>> Hi,
>> >>>>>
>> >>>>> I'm running ClrProfiler for the first time to profile my web app,
>> >>>>> and it keeps getting stuck at this msg box: "Waiting for Asp.net to
>> >>>>> start common language runtime - this is the time to load your test
>> >>>>> page." even after I launched my app and aspnet_wp.exe is running.
>> >>>>>
>> >>>>> Do you know what I need to do to fix it? I also found some old post,
>> >>>>> a person mentioned that I need to make sure I need to run my aspnet
>> >>>>> with system account instead. Do you know how to do this account
>> >>>>> switching?
>> >>>>>
>> >>>>> Thanks for your comment and advice.
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>
>> >>>
>> >>
>> >>
>> >
>> >

>>
>>
>>
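
An added example, not part of any post in this thread: a small audit of the `<processModel>` identity in a machine.config, flagging the "SYSTEM" setting the posters argue over. The function name, severity labels and sample configs are constructed for illustration; the "SYSTEM" and "machine" values are the ones named in the thread.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs (not taken from the thread).
SAMPLE_SYSTEM = """<configuration><system.web>
  <processModel enable="true" userName="SYSTEM" password="AutoGenerate"/>
</system.web></configuration>"""

SAMPLE_DEFAULT = SAMPLE_SYSTEM.replace('"SYSTEM"', '"machine"')

SAMPLE_CUSTOM = """<configuration><system.web>
  <processModel enable="true" userName="WEB01\\svc_app" password="Example-Only-1"/>
</system.web></configuration>"""


def audit_process_model(config_xml):
    """Return a list of (severity, message) findings for the worker identity."""
    root = ET.fromstring(config_xml)
    pm = next(root.iter("processModel"), None)
    if pm is None:
        return [("info", "no <processModel> element; framework default applies")]

    user = pm.get("userName", "machine")
    password = pm.get("password", "AutoGenerate")
    findings = []

    if user.lower() == "system":
        # LocalSystem: a single injection or code-execution bug in any page
        # then runs with full rights over the machine.
        findings.append(("high", "worker process runs as LocalSystem"))
    elif user.lower() == "machine":
        findings.append(("ok", "worker process runs as the ASPNET account"))
    elif user.lower().startswith("registry:"):
        # Identity kept outside the file; the account itself still needs review.
        findings.append(("info", "identity stored in the registry"))
    else:
        findings.append(("review", "custom account %r; check its group membership" % user))
        if password != "AutoGenerate" and not password.lower().startswith("registry:"):
            findings.append(("medium", "cleartext password stored in the config file"))
    return findings


if __name__ == "__main__":
    for name, cfg in [("system", SAMPLE_SYSTEM), ("default", SAMPLE_DEFAULT),
                      ("custom", SAMPLE_CUSTOM)]:
        print(name, audit_process_model(cfg))
```

On IIS 6 in worker process isolation mode the application pool identity applies instead of this setting, so the pool configuration has to be checked as well.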



 