I was deploying a site today and it seemed I needed to grant read/write permissions to the site directories to system account "network service". Does that mean any other site running on this webhost (who also presumably is running as network service) could also access these files?
I tried assigning permissions to pre-created accounts created that match my domain name. That doesn't seem to be sufficient to run the site though. I receive access-denied messages unless I also grant permission to "network service".
Note: it turns out I was in error; I do not need to grant permissions to network service for my site to work.
Note: The web hosting company is running IIS on Windows.
-
Assuming this is ASP.NET on IIS:
Create a dedicated AppPool for your site, and then set that AppPool to run as the pre-created account you had created. That should remove the reliance on Network Service needing r/w access.
A guide on how to do it: http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/f05a7c2b-36b0-4b6e-ac7c-662700081f25.mspx?mfr=true
fschwiet : This is a shared hosting environment. I do not have access to access pool configuration.
From c10k Consulting
-
If the web apps on the server are running in Medium Trust, they should be prevented from reading/writing files outside of the application's root, even with file permissions as you note. Without that, though, yes: any application running under the context of Network Service would have the ability to read and write files in your web directory.
However, a good shared web host should have the sites set up like this by default. Keep in mind that even without needing to set write permissions, if all web apps on a shared server have more than Medium trust, they would be able to read all the files in your web site - including your web.config, any source code files, all the contents of your App_Data directory, etc. Medium Trust should prevent even that reading across web application boundaries.
fschwiet : I'm sorry, I don't follow your statement. How should a good web host have things set up? This host does allow people to run at full trust as well.
Andrew Barber : If they allow web sites to run in Full Trust and do not alter the identity of the application, then they are giving any other such sites at minimum read access to the files in your web directory. If you make the permissions changes you note here, they are then also giving those people read/write access to places you make such changes. If that's not a problem to you, then OK; but at least you know.
fschwiet : By "in Full Trust and do not alter the identity of the application" do you mean "in full trust and running as network service"? I don't know offhand what account is used at full trust.
Andrew Barber : 'Full Trust' does not have an account that it uses. The trust level of a .NET application is a separate security measure that the .NET Framework has, on top of standard Windows ACLs and such. Full trust and High trust, for example, do not restrict file system access beyond what the ACLs would. Medium trust and lower add extra security within the .NET Framework that prevents code from reading/writing to files outside of the application's root directory via, for example, the classes in System.IO. Medium Trust is made to be used in shared hosting situations like yours, but is not always perfect.
fschwiet : I understand that the trust level is a different setting. So for every application, it is configured to run as a particular account at a particular trust level.
fschwiet : Supposing I set my file ACLs such that only my hosting account (and not the network service account) can read or write to my files. Then I verify that hosting accounts running at full trust do not run as the network service account, but as their hosting account. This should be sufficient to prevent other users in the hosting environment from accessing the files? (given that there are no other vulnerabilities)
Andrew Barber : Actually, it's slightly better (and worse) than that, fschwiet; **Better**: If you only give read/write permissions to your own unique account, and your application runs in the context of your account, it won't matter if other Full Trust applications run as Network Service. **Worse**: From your original question, it seems that they only run web apps as Network Service. However, if you can get them to run *your* app as your custom user account, and you can verify that this does not break any functionality, that would be ideal for you.
fschwiet : My original understanding was wrong. I am able to run my site without Network Service. Another problem confused me on that. - thanks
From Andrew Barber
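Added example, not part of the original thread: a PowerShell check of the ACL condition discussed above, listing Allow entries on the site root, web.config and App_Data that belong to identities shared with other tenants. The site path and the function name `Get-SharedAccess` are hypothetical, and it assumes you can read the directory's ACL from a shell.

```powershell
# Added example: report ACL entries that grant access to identities
# other sites on the same host may also run as.
param(
    [string]$SitePath = 'C:\inetpub\example-site'   # hypothetical placeholder path
)

# Well-known SIDs (locale independent) for identities not unique to one site.
$sharedSids = @{
    'S-1-5-20'     = 'NETWORK SERVICE'
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

$rights    = [System.Security.AccessControl.FileSystemRights]
$readMask  = [int]$rights::ReadData
$writeMask = [int]($rights::WriteData -bor $rights::AppendData -bor $rights::Delete)
# Inherit-only ACEs can carry raw generic bits instead of FileSystemRights names:
# GENERIC_READ (0x80000000), GENERIC_WRITE (0x40000000), GENERIC_ALL (0x10000000).
$genericRead  = 0x80000000 -bor 0x10000000
$genericWrite = 0x40000000 -bor 0x10000000

function Get-SharedAccess {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($rule in $acl.Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $rule.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # account name could not be resolved to a SID
        if (-not $sharedSids.ContainsKey($sid)) { continue }
        $bits = [int]$rule.FileSystemRights
        [pscustomobject]@{
            Path      = $Path
            Identity  = $sharedSids[$sid]
            CanRead   = [bool]($bits -band ($readMask -bor $genericRead))
            CanWrite  = [bool]($bits -band ($writeMask -bor $genericWrite))
            Inherited = $rule.IsInherited   # inherited entries must be fixed on the parent
        }
    }
}

# The site root plus the two items named in the answer above, if present.
$targets = @($SitePath, (Join-Path $SitePath 'web.config'), (Join-Path $SitePath 'App_Data')) |
    Where-Object { Test-Path -LiteralPath $_ }
$targets | ForEach-Object { Get-SharedAccess -Path $_ } | Format-Table -AutoSize
```

An empty table only means none of the four listed identities has an Allow entry on those three paths; other groups and the rest of the directory tree are not checked.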