IIS Server Security - RE: Problem with IIS 5.0 App Protection Low (IIS 6.0 Local System diff

This is Interesting: Free IT Magazines  
Home > Archive > IIS Server Security > August 2004 > RE: Problem with IIS 5.0 App Protection Low (IIS 6.0 Local System diff





You are viewing an archived Text-only version of the thread. To view this thread in it's original format and/or if you want to reply to this thread please [click here]

Author RE: Problem with IIS 5.0 App Protection Low (IIS 6.0 Local System diff
GD

2004-08-20, 2:51 am


We seems to have solved our problem by using the ASP config file settings.

----------------

Changed the userName to "SYSTEM" in <processModel> element in Machine.config,
restart all the IIS process from the service control panel and now it works.

See MSDN section "Authentication in ASP.NET: .NET Security Guidance" for
details.
----8<--------8<--------8<--------8<--------8<--------8<--------8<--------8<--------8<--------8<--------8<----
Application identities
You are advised to run the ASP.NET application worker process
(aspnet_wp.exe) using a specifically configured account, with weaker
privileges than the default System account. This is for two main reasons.
Firstly, if security is breached, the intruder does not have administrative
access. Secondly, it allows Application Service Providers (ASPs) to run
applications using weaker accounts, so hosted applications cannot compromise
the integrity of the server computer or perform actions that require
administrative privileges.

To run the ASP worker process using a specified account, add a
<processModel> element to the root configuration file (machine.config),
located in the \WINNT\Microsoft.NET\Framework\Version\Config folder, as shown
below:

<system.web>
<processModel enable="true" username="domain\user" password="pwd"/>
</system.web>

In addition to specifying a particular user account, you can also set the
username attribute to one of two specially recognized values, "SYSTEM" and
"MACHINE". In both cases, the password attribute must be set to
"AutoGenerate", as specific credentials are not required. The "SYSTEM"
setting (which is the default) runs the worker process using the System
account, while "MACHINE" causes the worker process to run with a special
account named with an ASPNET prefix. This account is similar to the
IWAM_MACHINENAME account, used by IIS for running instances of dllhost.exe
when hosting regular ASP applications. The ASPNET account is created during
..NET installation.
----8<--------8<--------8<--------8<--------8<--------8<--------8<--------8<--------8<--------8<--------8<----

Thanks anyways,
GD

Sponsored Links






Free braindumps | Software forum | Database administration forum

Copyright 2003 - 2008 webservertalk.com