spo #1
ASP.net impersonation security
Does .net impersonation have any security risks from the ntfs side of
things? We currently have our intranet apps placed on the webserver
uncompiled and I have a concern that a user can get to the code behind
pages. Is this a valid concern? Please let me know of any other security
issues you have come across in relation to impersonation, I need to prepare
an argument for or against its use.
Thanks in advance,
~spo
spo Guest
-
Ravichandran #2
RE: ASP.net impersonation security
Look up the machine.config file in your
%systemroot%\microsoft.net\framework\version folder\config folder. This .config file
contains a section called <httpHandler>. This section defines how
requests are handled at the web server. In this section, find an
entry like the one below:
<add verb="*" path="*.cs" type="System.Web.HttpForbiddenHandler"/>
This entry forbids access to .cs files because they are handled by the
HttpForbiddenHandler class. This way, protected resources are protected from
unauthorized access by the framework. The following is the error description
shown if a user tries to access a forbidden resource file:
This type of page is not served.
Description: The type of page you have requested is not served because it
has been explicitly forbidden.
with regards,
J.V.
Ravichandran Guest
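An added example, not part of the original posts: a Python check that reads an httpHandlers section and reports which source files a request would be refused for by HttpForbiddenHandler. The sample config is constructed, and top-down first-match resolution is a simplifying assumption about handler lookup.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Constructed sample, not a real machine.config: *.vb is deliberately left unmapped.
SAMPLE_CONFIG = """
<configuration>
  <system.web>
    <httpHandlers>
      <add verb="*" path="*.aspx" type="System.Web.UI.PageHandlerFactory"/>
      <add verb="*" path="*.cs" type="System.Web.HttpForbiddenHandler"/>
      <add verb="*" path="*.config" type="System.Web.HttpForbiddenHandler"/>
      <add verb="GET,HEAD" path="*" type="System.Web.StaticFileHandler"/>
    </httpHandlers>
  </system.web>
</configuration>
"""

FORBIDDEN = "System.Web.HttpForbiddenHandler"
SOURCE_FILES = ["Default.aspx.cs", "Default.aspx.vb", "Web.config"]  # hypothetical names


def resolve_handler(config_xml, file_name, verb="GET"):
    """Return the type of the first <add> entry matching verb and path, or None."""
    root = ET.fromstring(config_xml)
    for section in root.iter("httpHandlers"):
        for entry in section.findall("add"):
            verbs = [v.strip().upper() for v in entry.get("verb", "").split(",")]
            if "*" not in verbs and verb.upper() not in verbs:
                continue
            if fnmatch.fnmatch(file_name.lower(), entry.get("path", "").lower()):
                # Assumption: first match wins. Drop any assembly name after a comma.
                return entry.get("type", "").split(",")[0].strip()
    return None


def audit(config_xml, file_names=SOURCE_FILES):
    """Map each file name to (handler type, True if the request is forbidden)."""
    report = {}
    for name in file_names:
        handler = resolve_handler(config_xml, name)
        report[name] = (handler, handler == FORBIDDEN)
    return report


if __name__ == "__main__":
    for name, (handler, blocked) in audit(SAMPLE_CONFIG).items():
        print(f"{name:18} {handler or 'no handler':36} {'blocked' if blocked else 'SERVED'}")
```

In the constructed sample the .vb code-behind falls through to the catch-all static file entry, which is the gap this check is meant to surface.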
-
Ken #3
Re: ASP.net impersonation security
Hi,
No matter what user context ASP.NET is running under (default ASPNET account
or Network Service, or an impersonated account) this account will need NTFS
read permissions to be able to read the files off the hard disk to process
them.
How are you envisaging that a remote user will be able to access your .cs or
.vb source code? Via HTTP? or some other method?
Cheers
Ken
--
Blog: www.adopenstatic.com/cs/blogs/ken/
Web: www.adopenstatic.com
"spo via DotNetMonster.com" <DotNetMonster.com> wrote in
message news:com...
: Does .net impersonation have any security risks from the ntfs side of
: things? We currently have our intranet apps placed on the webserver
: uncompiled and I have a concern that a user can get to the code behind
: pages. Is this a valid concern? Please let me know of any other security
: issues you have come across in relation to impersonation, I need to prepare
: an argument for or against its use.
:
: Thanks in advance,
: ~spo
Ken Guest
-
spo #4
Re: ASP.net impersonation security
i see the users trying to access via http(which i know is blocked), start-
spo Guest
-
Ken #5
Re: ASP.net impersonation security
Start -> Run requires interactive access to the server. Do not allow the
users to logon to the server, or to logon using Terminal Services.
My Network Places requires access to a file share, or WebDAV share on the
server. You can use NTFS permissions to restrict who can access your server
via SMB or WebDAV shares.
Cheers
Ken
--
Blog: www.adopenstatic.com/cs/blogs/ken/
Web: www.adopenstatic.com
"spo via DotNetMonster.com" <com> wrote in message
news:com...
:i see the users trying to access via http(which i know is blocked), start-
: >run "...", or via "my network places" and walk the path to the sites.
Ken Guest




