On Mar 4, 6:39=A0am, "LP" <no_spam@_nospam.com> wrote:
> Hi there,
>
> I'm going to be using (anonymous) impersonation on my web site so everythi=
ng
> will run under IUSR. I'm a little confused about what end-users will be ab=
le
> to do versus my app itself however. For instance, if I create a read-only
> folder, my app (running under IUSR) can read it without issue. However, I
> don't want end-users to be able to see it. Therefore, even if directory
> browsing is turned off, is there any way for end-users to be able to read
> what's in the folder since IUSR still has read permissions (or worse yet,
> write to the folder if write permissions is also on). Thanks in advance.

"LP" wrote:

> > Since your app will be accessible to the end user and under their
> > control, anything your app can access can potentially be accessed by
> > the end-user. It doesn't matter how you authentication or impersonate.
>
> > Your only defense is to not write a security vulnerability in your
> > application code to allow your security nightmare to happen.
>
> > For example, you can turn directory browsing off, but if your
> > application allows users to access CreateFile-like behavior, depending
> > on its implementation, may be vulnerable to be used as directory
> > browsing. Same thing with write permissions.
>
> > Since Web servers are designed to serve resources under its websites
> > after passing Authentication, if you want to prevent the end-user from
> > using the Web Server itself (not just your application) to read files
> > you want to hide, then do NOT put those files in directories that are
> > part of any website.
>
> Thanks for the info but I still need clarification. I don't completely
> understand how to secure my site from anonymous users if read-only means
> that not only can my app read the data (while running under IUSR), but so
> can anonymous users on the Internet. The "App_Data" folder is a good
> example. Can someone simply read this from their browser for instance (just
> by guessing a file's name) or even write to it somehow. If so then to
> protect against it, my first instinct would be to deny access to IUSR but
> then my app would have to explicitly impersonate some other valid user in
> order to access the folder. On a 3rd-party web-hosting site you would likely
> have to use your personal account for that which means securing my password
> on the server and then going through the trouble of impersonating. Moreover,
> if I understand things correctly, the ASPNET account itself ("Network
> Service" on Win2003 Server) still requires read/write to this folder (for
> various housekeeping tasks) regardless of who my app is impersontating (IUSR
> or otherwise). This all seems very complicated and therefore unlikely, i.e.,
> I assume most web sites don't lock down "App_Data" this way meaning that
> anonymous users can read its contents, is this not correct? If so then it's
> a security problem so can you elaborate on this situation? Thanks.
>
>