limit web application access to local directory?


  1. #1

    limit web application access to local directory?


    I'm trying to convince a web systems administrator to install ASP.NET on
    his web server so I can host a dynamic departmental web site on it. Does
    anyone know of a straightforward writeup of what it takes (machine.config
    and NTFS file permissions) to limit an anonymous asp.net application to
    a specific directory and subdirs so he doesn't have to worry about my
    aspx pages wreaking havoc on his server? I am still studying the MS docs
    but there are so many details and permutations.

    Thanks for any help on this.

    Michael
    Michael Appelmans Guest

  3. #2

    limit web application access to local directory?

    A couple of things you can do:

    1. change the anonymous account for the web site through
    IIS, to a new one you create just for this purpose. Then
    set NTFS perms on appropriate folders.

    2. change the account under which ASP.NET runs; see
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetHT01.asp
    Not strictly necessary in your scenario. It defaults to
    the least privileged ASPNET local account anyway.

    You might also find 'food for thought' in MS patterns &
    practices book "Building Secure Microsoft ASP.NET
    Applications" at:

    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/secnetlpMSDN.asp

    richlm Guest

  4. #3

    Re: limit web application access to local directory?


    Thanks Rich, I found what I was looking for in that patterns book you
    suggested.

    Specifically, set the trust level in the machine.config file:

        <location path="sitepath" allowOverride="false">
          <system.web>
            <trust level="Low" originUrl="siteUrl" />
          </system.web>
        </location>

    which in turn invokes

        <IPermission
          class="FileIOPermission"
          version="1"
          Read="$AppDir$"
          PathDiscovery="$AppDir$"
        />

    in the web_lowtrust.config file to limit the web application's access to
    the local dir, and allowOverride="false" prevents overriding the
    settings in the local web.config file. The low trust level also prevents
    ASP.NET from calling out to unmanaged code.

    I guess this coupled with NTFS file permissions ought to do the trick.

    Thanks again.

    Michael

    Michael Appelmans Guest
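
Added example, not part of the original thread: a small Python check an administrator could run over machine.config and the low-trust policy file to confirm the lock-down described in post #3 is actually in place. The sample XML, the site paths and the function names are constructed for illustration; treating only Low and Minimal as acceptable levels is an assumption that follows the poster's choice of low trust.

```python
import xml.etree.ElementTree as ET

# Constructed sample machine.config fragment (site paths are made up).
MACHINE_CONFIG = """<configuration>
  <location path="Default Web Site/dept" allowOverride="false">
    <system.web><trust level="Low" originUrl="" /></system.web>
  </location>
  <location path="Default Web Site/other">
    <system.web><trust level="Full" originUrl="" /></system.web>
  </location>
</configuration>"""

# Constructed sample of the FileIOPermission entry in a low-trust policy file.
LOW_TRUST_POLICY = """<PermissionSet class="NamedPermissionSet" version="1">
  <IPermission class="FileIOPermission" version="1"
               Read="$AppDir$" PathDiscovery="$AppDir$" />
</PermissionSet>"""

RESTRICTED_LEVELS = {"low", "minimal"}  # assumption: anything above Low is flagged
FILE_ACCESS_ATTRS = ("Read", "Write", "Append", "PathDiscovery")

def audit_locations(config_xml):
    """Map each <location> path to a list of findings (empty list = locked down)."""
    report = {}
    for loc in ET.fromstring(config_xml).iter("location"):
        issues = []
        # allowOverride defaults to true when the attribute is absent,
        # so a site's own web.config could raise its trust level again.
        if loc.get("allowOverride", "true").lower() != "false":
            issues.append("allowOverride is not false")
        trust = next(loc.iter("trust"), None)
        level = trust.get("level", "") if trust is not None else ""
        if level.lower() not in RESTRICTED_LEVELS:
            issues.append("trust level is %s" % (level or "unset"))
        report[loc.get("path", "")] = issues
    return report

def file_io_outside_appdir(policy_xml):
    """List FileIOPermission grants that reach beyond $AppDir$."""
    grants = []
    for perm in ET.fromstring(policy_xml).iter("IPermission"):
        if perm.get("class") != "FileIOPermission":
            continue
        if perm.get("Unrestricted", "false").lower() == "true":
            grants.append("Unrestricted")
        for attr in FILE_ACCESS_ATTRS:
            value = perm.get(attr)
            if value is not None and value != "$AppDir$":
                grants.append("%s=%s" % (attr, value))
    return grants
```

An empty findings list for a site and an empty grants list for the policy file together mean the code-access-security side is as described in the post; NTFS permissions still have to be checked separately.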
