question about IUSR_server account

 
 
Bart
Guest
Posts: n/a
 
      03-24-2007
Thanks

"Dominick Baier" <dbaier@pleasepleasenospam_leastprivilege.com> wrote in
message news:(E-Mail Removed) m...
> for ASP yes
>
> for ASP.NET (by default) no
> -----
> Dominick Baier (http://www.leastprivilege.com)
>
> Developing More Secure Microsoft ASP.NET 2.0 Applications
> (http://www.microsoft.com/mspress/books/9989.asp)
>
>> Thanks for explanation...
>>
>> And last point...
>> if the Windows Integrated Authentication is used and not Anonymous,
>> is
>> then the account of the user himself used?
>> "Will Platnick" <(E-Mail Removed)> wrote in message
>> news:(E-Mail Removed) ups.com...
>>
>>> On Mar 24, 10:06 am, "Bart" <(E-Mail Removed)> wrote:
>>>
>>>> Thanks.
>>>> And, if you don't mind, for asp classic pages?
>>>> "Dominick Baier" <dbaier@pleasepleasenospam_leastprivilege.com>
>>>> wrote in message
>>>> news:(E-Mail Removed) soft.com...
>>>>> the account your application runs under.
>>>>>
>>>>> IIS5 default: ASPNET
>>>>> IIS6 default: NETWORK SERVICE
>>>>> -----
>>>>> Dominick Baier (http://www.leastprivilege.com)
>>>>> Developing More Secure Microsoft ASP.NET 2.0 Applications
>>>>> (http://www.microsoft.com/mspress/books/9989.asp)
>>>>>
>>>>>> Thanks, but to be honest, it's not easy to read.
>>>>>> Can you summarize and tell me:
>>>>>> which account (obviously not IUSR_server) needs then the right
>>>>>> permissions
>>>>>> for accessing aspx pages?
>>>>>> "David Wang" <(E-Mail Removed)> wrote in message
>>>>>> news:(E-Mail Removed) oups.com...
>>>>>>> On Mar 24, 2:47 am, "Bart" <(E-Mail Removed)> wrote:
>>>>>>>
>>>>>>>> Nothing special:
>>>>>>>> All users: read
>>>>>>>> ASPNET: read
>>>>>>>> Administrators: full
>>>>>>>> "Will Platnick" <(E-Mail Removed)> wrote in message
>>>>>>>> news:(E-Mail Removed) oglegroups.com
>>>>>>>> ...
>>>>>>>>> On Mar 22, 1:19 pm, "Bart" <(E-Mail Removed)> wrote:
>>>>>>>>>
>>>>>>>>>> Hi,
>>>>>>>>>>
>>>>>>>>>> I have an asp.net web application using Anonymous
>>>>>>>>>> Authentication
>>>>>>>>>> (IUSR_servername) in IIS.
>>>>>>>>>> Account ASPNET is used for the aspx files.
>>>>>>>>>> There are also old asp classic pages which run without
>>>>>>>>>> problem.
>>>>>>>>>> When looking at the permissions, all pages (aspx and asp) have
>>>>>>>>>> account ASPNET set to Read and the database directory set to
>>>>>>>>>> Read/Write.
>>>>>>>>>> Nowhere can I see the account IUSR_servername; I thought
>>>>>>>>>> account
>>>>>>>>>> IUSR_servername acts as anonymous user (for the visitor of the
>>>>>>>>>> site).
>>>>>>>>>> So my question: why is it not in the permission list of the
>>>>>>>>>> asp(x)
>>>>>>>>>> pages?
>>>>>>>>>> Where and when does it act?
>>>>>>>>>> Thanks for explanation
>>>>>>>>>> Bart
>>>>>>>>> Bart,
>>>>>>>>> What other users have permissions? If you post, we can make
>>>>>>>>> recommendations on locking them down.
>>>>>>>>
>>>>>>> http://blogs.msdn.com/david.wang/arc.../IIS_User_Identity_to_Run_Code_Part_2.aspx
>>>>>>>
>>>>>>> //David
>>>>>>> http://w3-4u.blogspot.com
>>>>>>> http://blogs.msdn.com/David.Wang
>>>>>>> //
>>> Bart,
>>> ASP pages run as the IUSR, but IUSR user is probably in "all users"
>>> group (did you mean Everyone by any chance), which is why it is
>>> executing. Definitely a security risk. When I set up sites, I copy
>>> the existing permissions on the root, and then set Administrators and
>>> System as full, then go assign iusr or .net user permissions
>>> depending...

>
>
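
An added example (not from any poster in the thread): a PowerShell report for the situation discussed above, where an account such as IUSR_servername is absent from a folder's permission list yet may still get access through a broad group. The account names, the SERVER placeholder, the broad-group list and the path are assumptions.

```powershell
# Added example; names marked "assumed" do not come from the thread.
function Get-WebContentAclReport {
    param(
        [Parameter(Mandatory = $true)] [string] $Path,
        # Assumed names: replace SERVER with the machine name.
        [string[]] $WebIdentities = @('SERVER\IUSR_SERVER', 'SERVER\ASPNET',
                                      'NT AUTHORITY\NETWORK SERVICE'),
        # Assumed list of broad groups that can cover an account not named in the ACL.
        [string[]] $BroadGroups = @('Everyone', 'BUILTIN\Users',
                                    'NT AUTHORITY\Authenticated Users')
    )
    # Specific write bits only; ACEs expressed as generic rights are not decoded.
    $write = [int][System.Security.AccessControl.FileSystemRights]::Write
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        $id = $ace.IdentityReference.Value
        if ($BroadGroups -contains $id)       { $kind = 'broad group' }
        elseif ($WebIdentities -contains $id) { $kind = 'web identity' }
        else                                  { $kind = 'other' }
        $isAllow  = $ace.AccessControlType -eq 'Allow'
        $canWrite = $isAllow -and ((([int]$ace.FileSystemRights) -band $write) -ne 0)
        [pscustomobject]@{
            Identity  = $id
            Kind      = $kind
            Type      = $ace.AccessControlType
            Rights    = $ace.FileSystemRights
            CanWrite  = $canWrite
            Inherited = $ace.IsInherited
            # An Allow entry for a broad group grants access to accounts
            # that never appear by name in the permission list.
            Review    = ($kind -eq 'broad group') -and $isAllow
        }
    }
}

# Assumed path; point it at the site's content or database directory.
Get-WebContentAclReport -Path 'C:\inetpub\wwwroot' |
    Sort-Object Kind, Identity |
    Format-Table -AutoSize
```

Rows with Review set to True are the entries to replace with explicit grants for the identity that actually runs the pages; CanWrite on such a row for a database directory deserves the first look.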



 