IIS Server Security - Public host security questions - ASP.NET


Ivan Demkovitch

2004-01-29, 4:37 am

Hi!

Not 100% sure if that would be the appropriate group, but here is my problem:

I'm designing a portal where users will be able to upload files.
I need permissions to create/delete files in specific directories. These will
be actual .aspx and .ascx files.
I wonder what model I need to use to make sure security is good.

Right now I'm giving permissions to NETWORK_SERVICE in order to be able to
create files from the ASP application.

TIA


Jeff Cochran

2004-01-29, 6:38 am

On Thu, 29 Jan 2004 11:44:24 -0600, "Ivan Demkovitch" <i@a.b> wrote:
>Hi!
>
>Not 100% sure if that would be the appropriate group, but here is my problem:
>
>I'm designing a portal where users will be able to upload files.
>I need permissions to create/delete files in specific directories. These will
>be actual .aspx and .ascx files.
>I wonder what model I need to use to make sure security is good.
>
>Right now I'm giving permissions to NETWORK_SERVICE in order to be able to
>create files from the ASP application.



You would need to. Or use another account, but the effect is still
the same. Make sure your application prevents malicious entries and
only allows creation of predefined files.

Jeff
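
One way to implement the check described in the reply above (only predefined files, only inside the specific directory), as an added example that is not code from the thread. The class name `PortalFileGuard`, the upload root passed in, and the file names in the allowlist are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.IO;

// Hypothetical helper: class name, root path and allowlist are assumptions.
public static class PortalFileGuard
{
    // Only these predefined files may be created (constructed sample names).
    private static readonly HashSet<string> AllowedNames =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        { "header.ascx", "footer.ascx", "home.aspx" };

    // Returns the full target path, or throws if the request is not allowed.
    public static string ResolveTarget(string uploadRoot, string requestedName)
    {
        if (string.IsNullOrEmpty(requestedName))
            throw new ArgumentException("Empty file name.");

        // Reject anything that is not a bare file name (no directories, no "..").
        if (requestedName != Path.GetFileName(requestedName))
            throw new UnauthorizedAccessException("Path components are not allowed.");

        // Allowlist: the name must be one of the predefined files.
        if (!AllowedNames.Contains(requestedName))
            throw new UnauthorizedAccessException("File is not in the predefined list.");

        // Canonicalize and confirm the result is still inside the upload root.
        string root = Path.GetFullPath(uploadRoot)
            .TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;
        string full = Path.GetFullPath(Path.Combine(root, requestedName));
        if (!full.StartsWith(root, StringComparison.OrdinalIgnoreCase))
            throw new UnauthorizedAccessException("Target escapes the upload directory.");
        return full;
    }

    // Writes the uploaded content only after the target has passed every check.
    public static void Save(string uploadRoot, string requestedName, Stream content)
    {
        string target = ResolveTarget(uploadRoot, requestedName);
        using (FileStream output = new FileStream(
            target, FileMode.Create, FileAccess.Write, FileShare.None))
        {
            content.CopyTo(output);
        }
    }
}
```

This limits what the application itself will write; who else on the server can write to the directory is governed by the NTFS permissions on it, not by this code.
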
Ivan Demkovitch

2004-01-30, 4:35 am

Basically, I need to add permissions, but then I need to control security
within my application.
This is fine.

But I wonder if it opens up a hole for, let's say, other users of the same
server?
They may write to this directory from their applications?

Am I correct or missing something here?

>
> You would need to. Or use another account, but the effect is still
> the same. Make sure your application prevents malicious entries and
> only allows creation of predefined files.
>
> Jeff



