Ask a Question related to ASP.NET Security, Design and Development.
-
Pål Andreassen #1
NTFS rights not honored
Running Windows 2003 Server
Framework 1.1
A site is configured to use integrated security (in IIS 6)
Windows autentication and user impersonation in web.config
<identity impersonate="true" />
<authentication mode="Windows" />
I've got a ASPX page that lists folders and files from a predefined
location on the server. These folders and files have access rights set to
them by NTFS security. The problem is that everyone can see every file
and
folder, even though NTFS does not permit them.
How can I expose a file structure for browsing through ASP.NET and
still honouring NTFS file rights?
--
Pål Andreassen
[email]cnny.naqernffra@gevznarg.ab[/email]
(ROT13 to reply)
Pål Andreassen Guest
-
#39073 [NEW]: safe_mode_include_dir not honored
From: jim at centerfuse dot net Operating system: FreeBSD 4.11 PHP version: 5.1.6 PHP Bug Type: Safe Mode/open_basedir Bug... -
#39073 [Opn]: safe_mode_include_dir not honored
ID: 39073 User updated by: jim at centerfuse dot net Reported By: jim at centerfuse dot net Status: Open Bug Type: ... -
NTFS permissions
I need to reset the NTFS permissions of a windows 2003 web server to the default installation permissions. What's the easiest way of doing this?... -
NTFS
How do I access my second drive in my computer that has has NTFS permissions from a previous XP installation. I formatted the primary drive an... -
how to change from NTFS to FAT 32
Hello. any one ho knows how i change from a NFTS file system to FAT 32 when i have installed a new HD. / Bjorn -
Kevin Spencer #2 Re: NTFS rights not honored
You say that everyone can see every file and folder. What you mean is that
your ASP page will DISPLAY every file and folder, do you not? The reason I
say that is, there is only ONE account under which that ASP.Net application
runs, and it is the ASP.Net worker process that is looking at the files and
folders, and displaying information about them in the browser. The user is
only looking at the browser, which doesn't require any special permission,
unless the web site itself requires a Windows login to be viewed, and even
then, that doesn't affect what user account your ASP.Net worker process is
running under. It only affects who can view that page.
--
HTH,
Kevin Spencer
..Net Developer
Microsoft MVP
Big things are made up
of lots of little things.
"Pål Andreassen" <see@signature.for.email> wrote in message
news:Xns9453731695856cnnynaqernffragevzna@207.46.2 48.16...> Running Windows 2003 Server
> Framework 1.1
>
> A site is configured to use integrated security (in IIS 6)
> Windows autentication and user impersonation in web.config
> <identity impersonate="true" />
> <authentication mode="Windows" />
>
> I've got a ASPX page that lists folders and files from a predefined
> location on the server. These folders and files have access rights set to
> them by NTFS security. The problem is that everyone can see every file
> and
> folder, even though NTFS does not permit them.
>
> How can I expose a file structure for browsing through ASP.NET and
> still honouring NTFS file rights?
>
>
> --
> Pål Andreassen
> [email]cnny.naqernffra@gevznarg.ab[/email]
> (ROT13 to reply)
Kevin Spencer Guest
-
Holly Mazerolle #3 Re: NTFS rights not honored
Since you have Impersonation set to true in the config file this means that
the IIS authenticated user will be the identity used to access resources
when the request is made. What type of authentication in IIS are you using.
If you have it set up to use anonymous then the anonymous user will be the
account who is accessing the resources. In order to get a better idea what
who is accessing what you may want to download and run filemon
([url]http://www.sysinternals.com[/url]). It will list the account that is being used
to utilize resources. Just run it while you are making a request for the
page.
This posting is provided "AS IS" with no warranties, and confers no rights.
Holly
Holly Mazerolle Guest
-
Pål Andreassen #4 Re: NTFS rights not honored
[email]hollymamsft@online.microsoft.com[/email] (Holly Mazerolle) wrote in
news:QeO4vy9wDHA.3384@cpmsftngxa07.phx.gbl:
Thanks. I've used filemon before, but did not think of it now. In IIS I'm> Since you have Impersonation set to true in the config file this means
> that the IIS authenticated user will be the identity used to access
> resources when the request is made. What type of authentication in IIS
> are you using. If you have it set up to use anonymous then the
> anonymous user will be the account who is accessing the resources. In
> order to get a better idea what who is accessing what you may want to
> download and run filemon ([url]http://www.sysinternals.com[/url]). It will list
> the account that is being used to utilize resources. Just run it while
> you are making a request for the page.
using Integrated security. Basic and anonymous is turned off.
Since I've got impersonation on in web.config I though the request would
be run as the actual logged in user, and not ASPNET.
--
Pål Andreassen
[email]cnny.naqernffra@gevznarg.ab[/email]
(ROT13 to reply)
Pål Andreassen Guest
-
Norman Rasmussen #5 Re: NTFS rights not honored
> Since I've got impersonation on in web.config I though the request would
be run as the actual logged in user, and not ASPNET.
Yes, I think is what is happening for you.
NTFS does not permit them> The problem is that everyone can see every file and folder, even though
There is a difference between being able to _see_ the file in a directory
listing and actually being able to read it. Can if you can't read the file
you can see it! You will need to check whether you can actually read the
file before showing it in the list to the user.
Norman Rasmussen Guest
Reply With QuoteSimilar Questions and Discussions
Posting Permissions
- You may not post new threads
- You may post replies
- You may not post attachments
- You may not edit your posts
