| Groups | Blog | Home |
asp.net security : Internet Explorer zones do not have secure settings for some users
Security Analyzer question but I'm hoping someone here would have come across this. I'm using MS Baseline Security Analyzer (2.0.6706.0) to check a web app on Win 2k3 we've developed with .Net but we're getting a Servere Risk with the IE Zones for the ASPNET account. The message is: Some or all of the user settings for the following zones are below the recommended level. User: XXXX\ASPNET Zone: Internet Level: High (Custom) Recommended Level: High Anyone come across this before? If so, is there a method to close this issue? I've done a few searches but I can't find anything so if not, has MS addressed any concerns this error might raise? Cheers for any answers you can provide,
Thanks for your prompt and thorough reply.
Yes, we are running IIS in v5 compatible mode, so we need to take the time to get our app running properly with v6. It was the non-interactive local account that caused us worries. We've corrected our other service accounts. Otherwise, the server is a new clean install. Cheers, Jason. [quoted text, click to view] "Steven Cheng [MSFT]" wrote:
> Hi Jason, > > From your description, the Baseline Analyzer is reporting warning against > the machine\ASPNET account since its internet zone setting doesn't fit the > expected level. I haven't used the baseline tool much, have you checked to > see whether the analyzer has any account specific customization options to > control such validation? > > Based on my understanding, machine\ASPNET is a non-interactive local > account. It is the default ASP.NET process account for IIS5. For WINDOWS > 2K3 IIS6, the default service account should be "Network Service" unless > you configure IIS6 to run as IIS5 compatible mode. Is this the case? If > you're not using IIS 5 compaitble mode, MACHINE\ASPNET account is not used > by ASP.NET, you can try disabing it to see whether the warning will be > eliminated. > > BTW, do you know whether there has been any parituclar changes on the > server which may have customized the internet zone level of all the > accounts? > > Sincerely, > > Steven Cheng > > Microsoft MSDN Online Support Lead > > > Delighting our customers is our #1 priority. We welcome your comments and > suggestions about how we can improve the support we provide to you. Please > feel free to let my manager know what you think of the level of service > provided. You can send feedback directly to my manager at: > msdnmg@microsoft.com. > > ================================================== > Get notification to my posts through email? Please refer to > http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif > ications. > > ================================================== > This posting is provided "AS IS" with no warranties, and confers no rights. > > -------------------- > >Thread-Topic: Internet Explorer zones do not have secure settings for some > users > >thread-index: Acij2WDCPMPR2o4HRvCIc2DJ0P26Sg== > >X-WBNR-Posting-Host: 84.233.152.66 > >From: =?Utf-8?B?SmFzb24=?= <job2@nospam.nospam> > >Subject: Internet Explorer zones do not have secure settings for some users > >Date: Mon, 21 Apr 2008 10:59:00 -0700 > > >I'm not really sure where this should be posted as this is a Baseline > >Security Analyzer question but I'm hoping someone here would have come > across > >this. > > > >I'm using MS Baseline Security Analyzer (2.0.6706.0) to check a web app on > >Win 2k3 we've developed with .Net but we're getting a Servere Risk with > the > >IE Zones for the ASPNET account. > > > >The message is: > >Some or all of the user settings for the following zones are below the > >recommended level. > >User: XXXX\ASPNET > >Zone: Internet > >Level: High (Custom) > >Recommended Level: High > > > >Anyone come across this before? If so, is there a method to close this > >issue? I've done a few searches but I can't find anything so if not, has > MS > >addressed any concerns this error might raise? > > > >Cheers for any answers you can provide, > > > >Jason. > > >
Hi Jason,
From your description, the Baseline Analyzer is reporting warning against the machine\ASPNET account since its internet zone setting doesn't fit the expected level. I haven't used the baseline tool much, have you checked to see whether the analyzer has any account specific customization options to control such validation? Based on my understanding, machine\ASPNET is a non-interactive local account. It is the default ASP.NET process account for IIS5. For WINDOWS 2K3 IIS6, the default service account should be "Network Service" unless you configure IIS6 to run as IIS5 compatible mode. Is this the case? If you're not using IIS 5 compaitble mode, MACHINE\ASPNET account is not used by ASP.NET, you can try disabing it to see whether the warning will be eliminated. BTW, do you know whether there has been any parituclar changes on the server which may have customized the internet zone level of all the accounts? Sincerely, Steven Cheng Microsoft MSDN Online Support Lead Delighting our customers is our #1 priority. We welcome your comments and suggestions about how we can improve the support we provide to you. Please feel free to let my manager know what you think of the level of service provided. You can send feedback directly to my manager at: msdnmg@microsoft.com. ================================================== Get notification to my posts through email? Please refer to http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif ications. ================================================== This posting is provided "AS IS" with no warranties, and confers no rights. -------------------- [quoted text, click to view] >Thread-Topic: Internet Explorer zones do not have secure settings for some
users >thread-index: Acij2WDCPMPR2o4HRvCIc2DJ0P26Sg== >X-WBNR-Posting-Host: 84.233.152.66 >From: =?Utf-8?B?SmFzb24=?= <job2@nospam.nospam> >Subject: Internet Explorer zones do not have secure settings for some users >Date: Mon, 21 Apr 2008 10:59:00 -0700 >I'm not really sure where this should be posted as this is a Baseline >Security Analyzer question but I'm hoping someone here would have come across >this. > >I'm using MS Baseline Security Analyzer (2.0.6706.0) to check a web app on >Win 2k3 we've developed with .Net but we're getting a Servere Risk with the >IE Zones for the ASPNET account. > >The message is: >Some or all of the user settings for the following zones are below the >recommended level. >User: XXXX\ASPNET >Zone: Internet >Level: High (Custom) >Recommended Level: High > >Anyone come across this before? If so, is there a method to close this >issue? I've done a few searches but I can't find anything so if not, has MS >addressed any concerns this error might raise? > >Cheers for any answers you can provide, > >Jason. >
Thanks for your reply Jason,
How about deleting the user profile of the MACHINE\ASPNET account? #How to delete a user profile in Windows Server 2003 http://support.microsoft.com/kb/814584 and for ASP.NET 2.0, you can use the aspnet_regiis.exe to regrant the proper permissions for it. #ASP.NET IIS Registration Tool (Aspnet_regiis.exe) http://msdn2.microsoft.com/en-us/library/k6h9cz8h(VS.80).aspx You can try this to see whether it can help also reset the internet security zone level to the proper value. Sincerely, Steven Cheng Microsoft MSDN Online Support Lead Delighting our customers is our #1 priority. We welcome your comments and suggestions about how we can improve the support we provide to you. Please feel free to let my manager know what you think of the level of service provided. You can send feedback directly to my manager at: msdnmg@microsoft.com. ================================================== Get notification to my posts through email? Please refer to http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif ications. ================================================== This posting is provided "AS IS" with no warranties, and confers no rights. -------------------- [quoted text, click to view] >From: =?Utf-8?B?SmFzb24=?= <job2@nospam.nospam>
>References: <8FE53475-5EF1-41AC-AB9C-FE6BC1A72757@microsoft.com> <KOhDZNCpIHA.2252@TK2MSFTNGHUB02.phx.gbl> >Subject: RE: Internet Explorer zones do not have secure settings for some u >Date: Tue, 22 Apr 2008 00:50:00 -0700 > >Thanks for your prompt and thorough reply. > >Yes, we are running IIS in v5 compatible mode, so we need to take the time >to get our app running properly with v6. It was the non-interactive local >account that caused us worries. We've corrected our other service accounts. > >Otherwise, the server is a new clean install. > >Cheers, > >Jason. > >"Steven Cheng [MSFT]" wrote: > >> Hi Jason, >> >> From your description, the Baseline Analyzer is reporting warning against >> the machine\ASPNET account since its internet zone setting doesn't fit the >> expected level. I haven't used the baseline tool much, have you checked to >> see whether the analyzer has any account specific customization options to >> control such validation? >> >> Based on my understanding, machine\ASPNET is a non-interactive local >> account. It is the default ASP.NET process account for IIS5. For WINDOWS >> 2K3 IIS6, the default service account should be "Network Service" unless >> you configure IIS6 to run as IIS5 compatible mode. Is this the case? If >> you're not using IIS 5 compaitble mode, MACHINE\ASPNET account is not used >> by ASP.NET, you can try disabing it to see whether the warning will be >> eliminated. >> >> BTW, do you know whether there has been any parituclar changes on the >> server which may have customized the internet zone level of all the >> accounts? >> >> Sincerely, >> >> Steven Cheng >> >> Microsoft MSDN Online Support Lead >> >> >> Delighting our customers is our #1 priority. We welcome your comments and >> suggestions about how we can improve the support we provide to you. Please >> feel free to let my manager know what you think of the level of service >> provided. You can send feedback directly to my manager at: >> msdnmg@microsoft.com. >> >> ================================================== >> Get notification to my posts through email? Please refer to >> http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif >> ications. >> >> ================================================== >> This posting is provided "AS IS" with no warranties, and confers no rights. >> >> -------------------- >> >Thread-Topic: Internet Explorer zones do not have secure settings for some >> users >> >thread-index: Acij2WDCPMPR2o4HRvCIc2DJ0P26Sg== >> >X-WBNR-Posting-Host: 84.233.152.66 >> >From: =?Utf-8?B?SmFzb24=?= <job2@nospam.nospam> >> >Subject: Internet Explorer zones do not have secure settings for some users >> >Date: Mon, 21 Apr 2008 10:59:00 -0700 >> >> >I'm not really sure where this should be posted as this is a Baseline >> >Security Analyzer question but I'm hoping someone here would have come >> across >> >this. >> > >> >I'm using MS Baseline Security Analyzer (2.0.6706.0) to check a web app on >> >Win 2k3 we've developed with .Net but we're getting a Servere Risk with >> the >> >IE Zones for the ASPNET account. >> > >> >The message is: >> >Some or all of the user settings for the following zones are below the >> >recommended level. >> >User: XXXX\ASPNET >> >Zone: Internet >> >Level: High (Custom) >> >Recommended Level: High >> > >> >Anyone come across this before? If so, is there a method to close this >> >issue? I've done a few searches but I can't find anything so if not, has >> MS >> >addressed any concerns this error might raise? >> > >> >Cheers for any answers you can provide, >> > >> >Jason. >> > >> >> >
Thanks for your reply. Once we remove the need for v5 isolation mode, we'll
delete or disable the user. Cheers, Jason. [quoted text, click to view] "Steven Cheng [MSFT]" wrote:
> Thanks for your reply Jason, > > How about deleting the user profile of the MACHINE\ASPNET account? > > #How to delete a user profile in Windows Server 2003 > http://support.microsoft.com/kb/814584 > > and for ASP.NET 2.0, you can use the aspnet_regiis.exe to regrant the > proper permissions for it. > > #ASP.NET IIS Registration Tool (Aspnet_regiis.exe) > http://msdn2.microsoft.com/en-us/library/k6h9cz8h(VS.80).aspx > > You can try this to see whether it can help also reset the internet > security zone level to the proper value. > > Sincerely, > > Steven Cheng > > Microsoft MSDN Online Support Lead > > > Delighting our customers is our #1 priority. We welcome your comments and > suggestions about how we can improve the support we provide to you. Please > feel free to let my manager know what you think of the level of service > provided. You can send feedback directly to my manager at: > msdnmg@microsoft.com. > > ================================================== > Get notification to my posts through email? Please refer to > http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif > ications. > > ================================================== > This posting is provided "AS IS" with no warranties, and confers no rights. > > -------------------- > >From: =?Utf-8?B?SmFzb24=?= <job2@nospam.nospam> > >References: <8FE53475-5EF1-41AC-AB9C-FE6BC1A72757@microsoft.com> > <KOhDZNCpIHA.2252@TK2MSFTNGHUB02.phx.gbl> > >Subject: RE: Internet Explorer zones do not have secure settings for some u > >Date: Tue, 22 Apr 2008 00:50:00 -0700 > > > > >Thanks for your prompt and thorough reply. > > > >Yes, we are running IIS in v5 compatible mode, so we need to take the time > >to get our app running properly with v6. It was the non-interactive local > >account that caused us worries. We've corrected our other service > accounts. > > > >Otherwise, the server is a new clean install. > > > >Cheers, > > > >Jason. > > > >"Steven Cheng [MSFT]" wrote: > > > >> Hi Jason, > >> > >> From your description, the Baseline Analyzer is reporting warning > against > >> the machine\ASPNET account since its internet zone setting doesn't fit > the > >> expected level. I haven't used the baseline tool much, have you checked > to > >> see whether the analyzer has any account specific customization options > to > >> control such validation? > >> > >> Based on my understanding, machine\ASPNET is a non-interactive local > >> account. It is the default ASP.NET process account for IIS5. For WINDOWS > >> 2K3 IIS6, the default service account should be "Network Service" unless > >> you configure IIS6 to run as IIS5 compatible mode. Is this the case? If > >> you're not using IIS 5 compaitble mode, MACHINE\ASPNET account is not > used > >> by ASP.NET, you can try disabing it to see whether the warning will be > >> eliminated. > >> > >> BTW, do you know whether there has been any parituclar changes on the > >> server which may have customized the internet zone level of all the > >> accounts? > >> > >> Sincerely, > >> > >> Steven Cheng > >> > >> Microsoft MSDN Online Support Lead > >> > >> > >> Delighting our customers is our #1 priority. We welcome your comments > and > >> suggestions about how we can improve the support we provide to you. > Please > >> feel free to let my manager know what you think of the level of service > >> provided. You can send feedback directly to my manager at: > >> msdnmg@microsoft.com. > >> > >> ================================================== > >> Get notification to my posts through email? Please refer to > >> > http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif > >> ications. > >> > >> ================================================== > >> This posting is provided "AS IS" with no warranties, and confers no > rights. > >> > >> -------------------- > >> >Thread-Topic: Internet Explorer zones do not have secure settings for > some > >> users > >> >thread-index: Acij2WDCPMPR2o4HRvCIc2DJ0P26Sg== > >> >X-WBNR-Posting-Host: 84.233.152.66 > >> >From: =?Utf-8?B?SmFzb24=?= <job2@nospam.nospam> > >> >Subject: Internet Explorer zones do not have secure settings for some > users > >> >Date: Mon, 21 Apr 2008 10:59:00 -0700 > >> > >> >I'm not really sure where this should be posted as this is a Baseline > >> >Security Analyzer question but I'm hoping someone here would have come > >> across > >> >this. > >> > > >> >I'm using MS Baseline Security Analyzer (2.0.6706.0) to check a web app > on > >> >Win 2k3 we've developed with .Net but we're getting a Servere Risk with > >> the > >> >IE Zones for the ASPNET account. > >> > > >> >The message is: > >> >Some or all of the user settings for the following zones are below the > >> >recommended level. > >> >User: XXXX\ASPNET > >> >Zone: Internet > >> >Level: High (Custom) > >> >Recommended Level: High > >> > > >> >Anyone come across this before? If so, is there a method to close this > >> >issue? I've done a few searches but I can't find anything so if not, > has > >> MS > >> >addressed any concerns this error might raise? > >> > > >> >Cheers for any answers you can provide, > >> > > >> >Jason. > >> > > >> > >> > > >
Don't see what you're looking for? Try a search.
|
July 2003
August 2003
September 2003
October 2003
November 2003
December 2003
January 2004
February 2004
March 2004
April 2004
May 2004
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
December 2007
January 2008
February 2008
March 2008
April 2008
May 2008
June 2008
| home · blog · groups | Questions? Comments? Contact the dn |