Ask a Question related to ASP.NET Security, Design and Development.
-
FARID #1
ASP.NET hosting & MS Access
We are trying to offer free ASP & ASP.NET hosting. I read alot of articles
and documentation in order to setup and offer ASP.NET and MS Access. Based
of what I read, MS Access requires FullTrust in order to work. Providing
fullTrust will be very risky in the ISP environment. In there anyway to lock
an application in it's directory and prevent accessing other customers data
while keeping MS Access support.
Please help.
Run each site in a separate application pool will not be an option because
we have to create thousands of application pools.
thanks alot
FARID Guest
-
ASP Hosting
can anyone recommend a reasonably priced hosting company that allows hosting of multiple sites (with their own domains) under 1 account? I am... -
MS SQL hosting in UK
I work in house so I'm used to having all my servers to hand. Now I've had a offer to do some independent freelance work making a fairly straight... -
Important: Web Hosting from $2.95/m - Reseller Hosting from $9.95/m
::*CRUCIAL PARADIGM *:: * AFFORDABLE, RELIABLE, PROFESSIONAL WEB SOLUTIONS *Linux Hosting * ' Compare Plans'... -
is it possible to block access to system.management.interface in shared hosting?
I want to be able to block ASP.net calls to WMI in a win2003 shared hosting environment and can't seem to find instructions on how to do this. Any... -
PHP hosting with remote MySQL access allowed
I am in the process of developing a client side application that needs to speak to our remote databases. Does anybody know of a hosting solution... -
Dominick Baier #2 ASP.NET hosting & MS Access
Hi,
the OleDb Provider in .NET has a full trust link-demand. the only way to use OleDb from partially trusted apps is through a sandboxed full trust assembly in the GAC...
this is some info i compiled on this topic:
[url]http://www.leastprivilege.com/PermaLink.aspx?guid=96a0e4af-7996-4e6a-b9fd-78ab8c0b29b5[/url]
---
Dominick Baier - DevelopMentor
[url]http://www.leastprivilege.com[/url]
nntp://news.microsoft.com/microsoft.public.dotnet.framework.aspnet.security/<elKB2x9pEHA.2432@TK2MSFTNGP15.phx.gbl>
We are trying to offer free ASP & ASP.NET hosting. I read alot of articles
and documentation in order to setup and offer ASP.NET and MS Access. Based
of what I read, MS Access requires FullTrust in order to work. Providing
fullTrust will be very risky in the ISP environment. In there anyway to lock
an application in it's directory and prevent accessing other customers data
while keeping MS Access support.
Please help.
Run each site in a separate application pool will not be an option because
we have to create thousands of application pools.
thanks alot
[microsoft.public.dotnet.framework.aspnet.security]
Dominick Baier Guest
-
Daniel Fisher\(lennybacon\) #3 Re: ASP.NET hosting & MS Access
By default
But you can allow OleDB in a Custom or the Internet PermissionSet.>> MS Access requires FullTrust
--
Daniel Fisher(lennybacon)
MCP C# ASP.NET
Blog: [url]http://www.lennybacon.com/[/url]
"FARID" <farid.almoqayed@xpandcorp.com> wrote in message
news:elKB2x9pEHA.2432@TK2MSFTNGP15.phx.gbl...> We are trying to offer free ASP & ASP.NET hosting. I read alot of articles
> and documentation in order to setup and offer ASP.NET and MS Access. Based
> of what I read, MS Access requires FullTrust in order to work. Providing
> fullTrust will be very risky in the ISP environment. In there anyway to
> lock
> an application in it's directory and prevent accessing other customers
> data
> while keeping MS Access support.
> Please help.
> Run each site in a separate application pool will not be an option because
> we have to create thousands of application pools.
>
> thanks alot
>
>
Daniel Fisher\(lennybacon\) Guest
-
Daniel Fisher\(lennybacon\) #4 ASP.NET hosting & MS Access
Yep, Dominick!
--
Daniel Fisher(lennybacon)
MCP C# ASP.NET
Blog: [url]http://www.lennybacon.com/[/url]
Daniel Fisher\(lennybacon\) Guest
-
Dominick Baier #5 Re: ASP.NET hosting & MS Access
yes, i know....but you need full trust to call the library (full trust link deman)
---
Dominick Baier - DevelopMentor
[url]http://www.leastprivilege.com[/url]
nntp://news.microsoft.com/microsoft.public.dotnet.framework.aspnet.security/<OzbpfZ$pEHA.3012@TK2MSFTNGP10.phx.gbl>
By defaultBut you can allow OleDB in a Custom or the Internet PermissionSet.>> MS Access requires FullTrust
--
Daniel Fisher(lennybacon)
MCP C# ASP.NET
Blog: [url]http://www.lennybacon.com/[/url]
"FARID" <farid.almoqayed@xpandcorp.com> wrote in message
news:elKB2x9pEHA.2432@TK2MSFTNGP15.phx.gbl...> We are trying to offer free ASP & ASP.NET hosting. I read alot of articles
> and documentation in order to setup and offer ASP.NET and MS Access. Based
> of what I read, MS Access requires FullTrust in order to work. Providing
> fullTrust will be very risky in the ISP environment. In there anyway to
> lock
> an application in it's directory and prevent accessing other customers
> data
> while keeping MS Access support.
> Please help.
> Run each site in a separate application pool will not be an option because
> we have to create thousands of application pools.
>
> thanks alot
>
>
[microsoft.public.dotnet.framework.aspnet.security]
Dominick Baier Guest
-
-
FARID #7 Re: ASP.NET hosting & MS Access
Thank you all for youe reply.
My understanding was the OLE DB and ODBC data resources demand full trust.
We can't use a custom policy.
In ISP environment, how can we allow users to use OLE DB and ODBC data
resources and at the same time lock
an application in it's directory??
How can we sandbox the resources?
Would you please send me a sample code with instruction how to configure the
web server?
Thanks alot
"Daniel Fisher(lennybacon)" <info@(removethis)lennybacon.com> wrote in
message news:OzbpfZ$pEHA.3012@TK2MSFTNGP10.phx.gbl...articles> By default>> >> MS Access requires FullTrust
> But you can allow OleDB in a Custom or the Internet PermissionSet.
>
> --
> Daniel Fisher(lennybacon)
> MCP C# ASP.NET
> Blog: [url]http://www.lennybacon.com/[/url]
>
>
>
> "FARID" <farid.almoqayed@xpandcorp.com> wrote in message
> news:elKB2x9pEHA.2432@TK2MSFTNGP15.phx.gbl...> > We are trying to offer free ASP & ASP.NET hosting. I read alot ofBased> > and documentation in order to setup and offer ASP.NET and MS Access.because> > of what I read, MS Access requires FullTrust in order to work. Providing
> > fullTrust will be very risky in the ISP environment. In there anyway to
> > lock
> > an application in it's directory and prevent accessing other customers
> > data
> > while keeping MS Access support.
> > Please help.
> > Run each site in a separate application pool will not be an option>> > we have to create thousands of application pools.
> >
> > thanks alot
> >
> >
>
FARID Guest
-
Dominick Baier #8 Re: ASP.NET hosting & MS Access
Hi,
you are right - they demand full trust - so you will have problems with this scenario -
the only way to let a partial trust web app access OLEDB sources is through an intermediate full trust code in the GAC -
the only effective way to isolate full trust apps is to -
- give each webapp a different worker process
- use a different account for each worker process
- ACL everything for the specific worker process account - not IIS_WPG
- Set ACLs on the Metabase (so that a worker process cannot read the anonymous account and pwd from another app pool e.g.)
- Give every web app an individual temporary assemblies folder
a.s.o.
for links (especially to the threats and countermeasures paper and OWASP) consult this summary i wrote
[url]http://www.leastprivilege.com/PermaLink.aspx?guid=96a0e4af-7996-4e6a-b9fd-78ab8c0b29b5[/url]
---
Dominick Baier - DevelopMentor
[url]http://www.leastprivilege.com[/url]
nntp://news.microsoft.com/microsoft.public.dotnet.framework.aspnet.security/<uw#PVNuqEHA.3288@TK2MSFTNGP12.phx.gbl>
Thank you all for youe reply.
My understanding was the OLE DB and ODBC data resources demand full trust.
We can't use a custom policy.
In ISP environment, how can we allow users to use OLE DB and ODBC data
resources and at the same time lock
an application in it's directory??
How can we sandbox the resources?
Would you please send me a sample code with instruction how to configure the
web server?
Thanks alot
"Daniel Fisher(lennybacon)" <info@(removethis)lennybacon.com> wrote in
message news:OzbpfZ$pEHA.3012@TK2MSFTNGP10.phx.gbl...articles> By default>> >> MS Access requires FullTrust
> But you can allow OleDB in a Custom or the Internet PermissionSet.
>
> --
> Daniel Fisher(lennybacon)
> MCP C# ASP.NET
> Blog: [url]http://www.lennybacon.com/[/url]
>
>
>
> "FARID" <farid.almoqayed@xpandcorp.com> wrote in message
> news:elKB2x9pEHA.2432@TK2MSFTNGP15.phx.gbl...> > We are trying to offer free ASP & ASP.NET hosting. I read alot ofBased> > and documentation in order to setup and offer ASP.NET and MS Access.because> > of what I read, MS Access requires FullTrust in order to work. Providing
> > fullTrust will be very risky in the ISP environment. In there anyway to
> > lock
> > an application in it's directory and prevent accessing other customers
> > data
> > while keeping MS Access support.
> > Please help.
> > Run each site in a separate application pool will not be an option>> > we have to create thousands of application pools.
> >
> > thanks alot
> >
> >
>
[microsoft.public.dotnet.framework.aspnet.security]
Dominick Baier Guest
-
FARID #9 Re: ASP.NET hosting & MS Access
I don't want to look stupid But how can I do that.
through an intermediate full trust code in the GAC -> the only way to let a partial trust web app access OLEDB sources is
I can't create a pool for each user. In this way, I have to create> the only effective way to isolate full trust apps is to -
thousands. In there any way around that.
anonymous account and pwd from another app pool e.g.)> - give each webapp a different worker process
>
> - use a different account for each worker process
>
> - ACL everything for the specific worker process account - not IIS_WPG
>
> - Set ACLs on the Metabase (so that a worker process cannot read theconsult this summary i wrote>
> - Give every web app an individual temporary assemblies folder
>
> a.s.o.
>
> for links (especially to the threats and countermeasures paper and OWASP)[url]http://www.leastprivilege.com/PermaLink.aspx?guid=96a0e4af-7996-4e6a-b9fd-78ab8c0b29b5[/url]>
>nntp://news.microsoft.com/microsoft.public.dotnet.framework.aspnet.security/<uw#PVNuqEHA.3288@TK2MSFTNGP12.phx.gbl>>
>
>
> ---
> Dominick Baier - DevelopMentor
> [url]http://www.leastprivilege.com[/url]
>
>trust.>
> Thank you all for youe reply.
>
> My understanding was the OLE DB and ODBC data resources demand fullthe> We can't use a custom policy.
> In ISP environment, how can we allow users to use OLE DB and ODBC data
> resources and at the same time lock
> an application in it's directory??
> How can we sandbox the resources?
> Would you please send me a sample code with instruction how to configureProviding> web server?
>
> Thanks alot
>
>
>
> "Daniel Fisher(lennybacon)" <info@(removethis)lennybacon.com> wrote in
> message news:OzbpfZ$pEHA.3012@TK2MSFTNGP10.phx.gbl...> articles> > By default> >> > >> MS Access requires FullTrust
> > But you can allow OleDB in a Custom or the Internet PermissionSet.
> >
> > --
> > Daniel Fisher(lennybacon)
> > MCP C# ASP.NET
> > Blog: [url]http://www.lennybacon.com/[/url]
> >
> >
> >
> > "FARID" <farid.almoqayed@xpandcorp.com> wrote in message
> > news:elKB2x9pEHA.2432@TK2MSFTNGP15.phx.gbl...> > > We are trying to offer free ASP & ASP.NET hosting. I read alot of> Based> > > and documentation in order to setup and offer ASP.NET and MS Access.> > > of what I read, MS Access requires FullTrust in order to work.to> > > fullTrust will be very risky in the ISP environment. In there anywaycustomers> > > lock
> > > an application in it's directory and prevent accessing other> because> > > data
> > > while keeping MS Access support.
> > > Please help.
> > > Run each site in a separate application pool will not be an option>> >> > > we have to create thousands of application pools.
> > >
> > > thanks alot
> > >
> > >
> >
>
>
> [microsoft.public.dotnet.framework.aspnet.security]
FARID Guest
-
Dominick Baier #10 Re: ASP.NET hosting & MS Access
i gave you a whole array of links to get smart about it.
in my blog entry i mention the Threats and Countermeasures Paper from MS patterns and practices - see chapter 9 for an example of sandboxing code in the gac.
---
Dominick Baier - DevelopMentor
[url]http://www.leastprivilege.com[/url]
nntp://news.microsoft.com/microsoft.public.dotnet.framework.aspnet.security/<Ok2zvOyqEHA.3728@TK2MSFTNGP09.phx.gbl>
I don't want to look stupid But how can I do that.through an intermediate full trust code in the GAC -> the only way to let a partial trust web app access OLEDB sources is
I can't create a pool for each user. In this way, I have to create> the only effective way to isolate full trust apps is to -
thousands. In there any way around that.
anonymous account and pwd from another app pool e.g.)> - give each webapp a different worker process
>
> - use a different account for each worker process
>
> - ACL everything for the specific worker process account - not IIS_WPG
>
> - Set ACLs on the Metabase (so that a worker process cannot read theconsult this summary i wrote>
> - Give every web app an individual temporary assemblies folder
>
> a.s.o.
>
> for links (especially to the threats and countermeasures paper and OWASP)[url]http://www.leastprivilege.com/PermaLink.aspx?guid=96a0e4af-7996-4e6a-b9fd-78ab8c0b29b5[/url]>
>nntp://news.microsoft.com/microsoft.public.dotnet.framework.aspnet.security/<uw#PVNuqEHA.3288@TK2MSFTNGP12.phx.gbl>>
>
>
> ---
> Dominick Baier - DevelopMentor
> [url]http://www.leastprivilege.com[/url]
>
>trust.>
> Thank you all for youe reply.
>
> My understanding was the OLE DB and ODBC data resources demand fullthe> We can't use a custom policy.
> In ISP environment, how can we allow users to use OLE DB and ODBC data
> resources and at the same time lock
> an application in it's directory??
> How can we sandbox the resources?
> Would you please send me a sample code with instruction how to configureProviding> web server?
>
> Thanks alot
>
>
>
> "Daniel Fisher(lennybacon)" <info@(removethis)lennybacon.com> wrote in
> message news:OzbpfZ$pEHA.3012@TK2MSFTNGP10.phx.gbl...> articles> > By default> >> > >> MS Access requires FullTrust
> > But you can allow OleDB in a Custom or the Internet PermissionSet.
> >
> > --
> > Daniel Fisher(lennybacon)
> > MCP C# ASP.NET
> > Blog: [url]http://www.lennybacon.com/[/url]
> >
> >
> >
> > "FARID" <farid.almoqayed@xpandcorp.com> wrote in message
> > news:elKB2x9pEHA.2432@TK2MSFTNGP15.phx.gbl...> > > We are trying to offer free ASP & ASP.NET hosting. I read alot of> Based> > > and documentation in order to setup and offer ASP.NET and MS Access.> > > of what I read, MS Access requires FullTrust in order to work.to> > > fullTrust will be very risky in the ISP environment. In there anywaycustomers> > > lock
> > > an application in it's directory and prevent accessing other> because> > > data
> > > while keeping MS Access support.
> > > Please help.
> > > Run each site in a separate application pool will not be an option>> >> > > we have to create thousands of application pools.
> > >
> > > thanks alot
> > >
> > >
> >
>
>
> [microsoft.public.dotnet.framework.aspnet.security]
[microsoft.public.dotnet.framework.aspnet.security]
Dominick Baier Guest
Reply With QuoteSimilar Questions and Discussions
Posting Permissions
- You may not post new threads
- You may post replies
- You may not post attachments
- You may not edit your posts
