
dotnet security : Restricting Dot Net Access on a hosted server


Jeff Fink
2/24/2006 9:16:52 AM
A while back I had a customer that wanted to host a Dot Net web site on one
of my servers. We went ahead and installed v1.1, the customer was happy and
didn't seem to have any problems. Then we had a second customer who wanted
Dot Net on their web site and we found that the two users could then browse
each other's sites because the ASP.NET user account needed access to both
their folders. If we put a script in to browse the hard drive, copy files,
etc., it was able to pull data from the other site. Without Dot Net, we could
prevent this in IIS/NT by creating separate anonymous user accounts for the
two sites and restricting access via NTFS so that the anonymous users only
had access in the appropriate folders on the disk.

Is there a way to restrict this now in Dot Net? I have a user that wants to
put an access database on a Dot Net enabled web site and wants to make sure
no one else can get to it - including other Dot Net users on the same
server. If there is a way to prevent this, where should I be looking?

Thanks,
-Jeff

Dominick Baier [DevelopMentor]
2/24/2006 11:39:25 PM
Use IIS6 and separate the apps in different worker processes with different
identities - then ACL the files appropriately

or use partial trust

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com


oldbear
3/8/2006 4:56:28 AM
Hi

Another possible gatekeeper that you could use is Code Access Security - a
new security policy for each web app can restrict file access via the
FileIOPermission.

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/paght000020.asp

Hope this helps

Chris Seary



Dinis Cruz
3/31/2006 11:45:22 PM
Jeff, If both those websites run with Full Trust you will need to:

- use unique accounts for the application pools and anonymous users and,
VERY IMPORTANT, you will need to change the Metabase.xml ACLs so that
members of the IIS_WPG are not able to read and decrypt the usernames
and passwords stored in there.

- change for each site the location of the "Temporary ASP.NET files"
(since it is shared)

- be careful if you have cache enabled since this folder (the one where
the pre-cached files are) will be accessible by all (and in IIS 6.0 you
can't change that)

- even after these changes, you need to hope that there are no
vulnerabilities in those applications that allow malicious asp.net pages
to be uploaded to that server, or that the developers of those apps are
not malicious. Because if they are, since you are running with Full
Trust, they can upload and execute exploits on that server (i.e. attack
your server from inside).

The best thing is to run those websites in a secure partial trust
environment.

Dinis Cruz
Owasp .Net Project
www.owasp.net
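
Added example, not part of the thread: one way to apply the partial trust advice from the replies above, by locking each hosted site to a restricted trust level in the machine-level ASP.NET configuration so that a tenant's own web.config cannot switch back to Full trust. The site names and the `HostedSiteB` level with its policy file are hypothetical.

```xml
<!-- Added example. Machine-level ASP.NET configuration (machine.config on v1.1).
     Site names and the HostedSiteB level/policy file are hypothetical. -->
<configuration>

  <!-- Stock default (the weak setting): every application runs with Full
       trust, and allowOverride="true" lets any site's web.config change it.
       Sites without a locked entry below still inherit this. -->
  <location allowOverride="true">
    <system.web>
      <securityPolicy>
        <trustLevel name="Full" policyFile="internal" />
        <trustLevel name="High" policyFile="web_hightrust.config" />
        <trustLevel name="Medium" policyFile="web_mediumtrust.config" />
        <trustLevel name="Low" policyFile="web_lowtrust.config" />
        <trustLevel name="Minimal" policyFile="web_minimaltrust.config" />
        <!-- Hypothetical per-site policy: a copy of web_mediumtrust.config
             adjusted for this tenant (for example its FileIOPermission entry). -->
        <trustLevel name="HostedSiteB" policyFile="web_hostedsiteb.config" />
      </securityPolicy>
      <trust level="Full" originUrl="" />
    </system.web>
  </location>

  <!-- Hardened: one locked entry per hosted site. The path is the site name
       as shown in IIS Manager; allowOverride="false" makes ASP.NET reject a
       <trust> element in that site's own web.config. -->
  <location path="Customer A Site" allowOverride="false">
    <system.web>
      <trust level="Medium" originUrl="" />
    </system.web>
  </location>

  <location path="Customer B Site" allowOverride="false">
    <system.web>
      <trust level="HostedSiteB" originUrl="" />
    </system.web>
  </location>

</configuration>
```

In the stock Medium policy file the FileIOPermission entry is scoped to `$AppDir$`, which is what keeps one site's pages from reading another site's folder even when the worker process account has NTFS access to both. That stock policy does not grant OleDbPermission, so test the site with the Access database under the chosen level before relying on it.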

