Security Issues with ASP.Net

Sanjay Poojari · Sanjay Poojari

Hi All,

Need some advice on some of the security issues in my ASP.Net application.
There are certain tasks that I need to implement so need advice/guidance on
them as well as safeguards that I should implement. The application would
be typically running on Windows Server 2003 with IIS6 with .Net framework
1.1

1. My application saves its settings to the registry. I know that by
default the Aspnet user does not have rights to edit the registry. My
Workaround is that I changed the user in processmodel from "machine" to
"SYSTEM" in the machine.config file. Also in case of 2003 Server, I have to
explicitly grant full rights to the aspnet user to the registry.

Somehow I feel that this solution is not a good one and has the potential
for making the web server unsafe. Any other solutions/workarounds for this
problem?

2. My application needs to read/write/create directories from the file
system on the webserver. I have to explicitly grant the aspnet user full
access to the directories in question. Any other elegant solution to this
issue?

Also, in Windows Server 2003, this does not work if the directory is located
inside the "Program Files" directory. Does not work even when the aspnet
user is added to the Administrators group. Why could this be happening?

Any suggestions/pointers would be appreciated.

Thanks in advance,
Sanjay

Sanjay Poojari · Sanjay Poojari

Hi All,

Need some advice on some of the security issues in my ASP.Net application.
There are certain tasks that I need to implement so need advice/guidance on
them as well as safeguards that I should implement. The application would
be typically running on Windows Server 2003 with IIS6 with .Net framework
1.1

1. My application saves its settings to the registry. I know that by
default the Aspnet user does not have rights to edit the registry. My
Workaround is that I changed the user in processmodel from "machine" to
"SYSTEM" in the machine.config file. Also in case of 2003 Server, I have to
explicitly grant full rights to the aspnet user to the registry.

Somehow I feel that this solution is not a good one and has the potential
for making the web server unsafe. Any other solutions/workarounds for this
problem?

2. My application needs to read/write/create directories from the file
system on the webserver. I have to explicitly grant the aspnet user full
access to the directories in question. Any other elegant solution to this
issue?

Also, in Windows Server 2003, this does not work if the directory is located
inside the "Program Files" directory. Does not work even when the aspnet
user is added to the Administrators group. Why could this be happening?

Any suggestions/pointers would be appreciated.

Thanks in advance,
Sanjay

Kevin Spencer · Kevin Spencer

Most executable programs you run use the local System account to run.
ASP.Net is no different. There is no Security risk unless some hostile
person can somehow take control of your ASP.Net app. The aspnet user account
is more useful if you are, for example, a hosting service, and of course,
you don't want to grant blanket access to the entire machine to all of your
hosting clients.
--
HTH,

Kevin Spencer
Microsoft MVP
..Net Developer
[url]http://www.takempis.com[/url]
Big things are made up of
lots of little things.

"Sanjay Poojari" <sanjay@rheal.com> wrote in message
news:%23Hds2q3TDHA.1624@TK2MSFTNGP11.phx.gbl...

> Hi All,
>
> Need some advice on some of the security issues in my ASP.Net application.
> There are certain tasks that I need to implement so need advice/guidance

on

> them as well as safeguards that I should implement. The application would
> be typically running on Windows Server 2003 with IIS6 with .Net framework
> 1.1
>
> 1. My application saves its settings to the registry. I know that by
> default the Aspnet user does not have rights to edit the registry. My
> Workaround is that I changed the user in processmodel from "machine" to
> "SYSTEM" in the machine.config file. Also in case of 2003 Server, I have

to

> explicitly grant full rights to the aspnet user to the registry.
>
> Somehow I feel that this solution is not a good one and has the potential
> for making the web server unsafe. Any other solutions/workarounds for

this

> problem?
>
> 2. My application needs to read/write/create directories from the file
> system on the webserver. I have to explicitly grant the aspnet user full
> access to the directories in question. Any other elegant solution to this
> issue?
>
> Also, in Windows Server 2003, this does not work if the directory is

located

> inside the "Program Files" directory. Does not work even when the aspnet
> user is added to the Administrators group. Why could this be happening?
>
> Any suggestions/pointers would be appreciated.
>
> Thanks in advance,
> Sanjay
>
>

Kevin Spencer · Kevin Spencer

Most executable programs you run use the local System account to run.
ASP.Net is no different. There is no Security risk unless some hostile
person can somehow take control of your ASP.Net app. The aspnet user account
is more useful if you are, for example, a hosting service, and of course,
you don't want to grant blanket access to the entire machine to all of your
hosting clients.
--
HTH,

Kevin Spencer
Microsoft MVP
..Net Developer
[url]http://www.takempis.com[/url]
Big things are made up of
lots of little things.

"Sanjay Poojari" <sanjay@rheal.com> wrote in message
news:%23Hds2q3TDHA.1624@TK2MSFTNGP11.phx.gbl...

> Hi All,
>
> Need some advice on some of the security issues in my ASP.Net application.
> There are certain tasks that I need to implement so need advice/guidance

on

> them as well as safeguards that I should implement. The application would
> be typically running on Windows Server 2003 with IIS6 with .Net framework
> 1.1
>
> 1. My application saves its settings to the registry. I know that by
> default the Aspnet user does not have rights to edit the registry. My
> Workaround is that I changed the user in processmodel from "machine" to
> "SYSTEM" in the machine.config file. Also in case of 2003 Server, I have

to

> explicitly grant full rights to the aspnet user to the registry.
>
> Somehow I feel that this solution is not a good one and has the potential
> for making the web server unsafe. Any other solutions/workarounds for

this

> problem?
>
> 2. My application needs to read/write/create directories from the file
> system on the webserver. I have to explicitly grant the aspnet user full
> access to the directories in question. Any other elegant solution to this
> issue?
>
> Also, in Windows Server 2003, this does not work if the directory is

located

> inside the "Program Files" directory. Does not work even when the aspnet
> user is added to the Administrators group. Why could this be happening?
>
> Any suggestions/pointers would be appreciated.
>
> Thanks in advance,
> Sanjay
>
>

Sanjay Poojari · Sanjay Poojari

Thanks Kevin!

Sanjay

"Kevin Spencer" <kevin@takempis.com> wrote in message
news:#clt4Q4TDHA.1864@TK2MSFTNGP11.phx.gbl...

> Most executable programs you run use the local System account to run.
> ASP.Net is no different. There is no Security risk unless some hostile

Sanjay Poojari · Sanjay Poojari

Thanks Kevin!

Sanjay

"Kevin Spencer" <kevin@takempis.com> wrote in message
news:#clt4Q4TDHA.1864@TK2MSFTNGP11.phx.gbl...

> Most executable programs you run use the local System account to run.
> ASP.Net is no different. There is no Security risk unless some hostile

Security Issues with ASP.Net

Thread Tools

Display

Security Issues with ASP.Net

Similar Questions and Discussions

Administering Security Issues

asp.net + unmanaged dll security issues

Security issues

Database Security Issues

Summary of security issues?

Security Issues with ASP.Net

Re: Security Issues with ASP.Net

Re: Security Issues with ASP.Net

Re: Security Issues with ASP.Net

Re: Security Issues with ASP.Net

Posting Permissions