IIS Server Security, March 2005
IIS metabase permissions when creating new VirDir's
Tony D, 2005-03-18, 5:56 pm
Hi,
Theoretical, architecture-type question here:
-=-
If one wants to have an Asp.Net app programmatically create new VirDir's,
how should you implement this? Open the doors wide-open to the ASPNET user
account? (not!)
Some Background:
-=-
We have an Asp.Net app that we ported from Asp/VB6. It allowed anonymous
IIS users to create new web-sites on-the-fly. Obviously, our app ensures
that only users who are registered and correctly logged-in can do this. My
point is that as far as IIS is concerned, users are anonymous.
In the old Asp/VB6 world, this worked because the Asp pages would call the
COM+ components, which impersonated as a local machine account. We ensured
the local machine account had enough permissions to:
- access the appropriate part(s) of the file system to make the new web-site
- access the appropriate part(s) of the IIS metabase
Correct me if I'm wrong, but the way I understand impersonation works in
.Net isn't the same: it will only work if you use Windows Authentication
under IIS, and will then only impersonate the logged-in user. In our app, we
can't use Windows Authentication.
We can make the new .Net code work if we allow the ASPNET user access to the
resources I described above, but we would like a better solution. My thought
is to have the Aspx page create an MSMQ message, asking to create the new
VirDir. We already have a daemon process written in C# that monitors MSMQ,
and it runs with LOCALSYSTEM privs, so it could get the job done.
What is Microsoft's recommendation on this?
--
- Tony D
Jason Brown [MSFT], 2005-03-20, 2:51 am
The queue idea is a good one, but possibly overkill. You could run the
individual script or virtual directory under the context of a different user
account, but you'd need to be careful of who can access it, by requiring
authentication and locking down the script with NTFS.
I'd also recommend you take care and backup before changes, and have a
protocol sorted out for rolling back changes, just in case.
--
Jason Brown
Microsoft GTSC, IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
"Tony D" <TonyD@discussions.microsoft.com> wrote in message
news:168FB923-670E-4C0E-97F7-3E1250B962F4@microsoft.com...
> Hi,
>
> Theoretical, architecture-type question here:
> -=-
> If one wants to have an Asp.Net app programmatically create new VirDir's,
> how should you implement this? Open the doors wide-open to the ASPNET
> user
> account? (not!)
>
> Some Background:
> -=-
> We have an Asp.Net app that we ported from Asp/VB6. It allowed anonymous
> IIS users to create new web-sites on-the-fly. Obviously, our app ensures
> that only users who are registered and correctly logged-in can do this.
> My
> point is that as far as IIS is concerned, users are anonymous.
>
> In the old Asp/VB6 world, this worked because the Asp pages would call the
> COM+ components, which impersonated as a local machine account. We
> ensured
> the local machine account had enough permissions to:
> - access the appropriate part(s) of the file system to make the new
> web-site
> - access the appropriate part(s) of the IIS metabase
>
> Correct me if I'm wrong, but the way I understand impersonation works in
> .Net isn't the same: it will only work if you use Windows Authentication
> under IIS, and will then only impersonate the logged-in user. In our app,
> we
> can't use Windows Authentication.
>
> We can make the new .Net code work if we allow the ASPNET user access to
> the
> resources I described above, but we would like a better solution. My
> thought
> is to have the Aspx page create an MSMQ message, asking to create the new
> VirDir. We already have a daemon process written in C# that monitors
> MSMQ,
> and it runs with LOCALSYSTEM privs, so it could get the job done.
>
> What is Microsoft's recommendation on this?
>
> --
> - Tony D
Tony D, 2005-03-21, 6:02 pm
Thank you for your answer.
Could you please give an example of how to run a Virtual Directory under a
different user context?
I know that the constructor for System.DirectoryServices.DirectoryEntry
takes an AuthenticationType parameter. Is this what you mean?
- Tony
"Jason Brown [MSFT]" wrote:
> The queue idea is a good one, but possibly overkill. You could run the
> individual script or virtual directory under the context of a different user
> account, but you'd need to be careful of who can access it, by requiring
> authentication and locking down the script with NTFS.
>
> I'd also recommend you take care and backup before changes, and have a
> protocol sorted out for rolling back changes, just in case.
>
>
> --
> Jason Brown
> Microsoft GTSC, IIS
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
>
> "Tony D" <TonyD@discussions.microsoft.com> wrote in message
> news:168FB923-670E-4C0E-97F7-3E1250B962F4@microsoft.com...
Jason Brown [MSFT], 2005-03-21, 6:02 pm
Are you on IIS 6.0?
The way I'd probably do that would be to either lock down the file using IIS
service manager and enable windows authentication - you then run it under
the authenticated account (with impersonation enabled). You could also
create a new application pool which runs under a privileged account, then
edit the VDir's properties in IIS service manager so that it runs under the
privileged app pool.
--
Jason Brown
Microsoft GTSC, IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
"Tony D" <TonyD@discussions.microsoft.com> wrote in message
news:EEBEF54A-9781-4718-98C8-018375692864@microsoft.com...
> Thank you for your answer.
>
> Could you please give an example of how to run a Virtual Directory under a
> different user context?
>
> I know that the constructor for System.DirectoryServices.DirectoryEntry
> takes an AuthenticationType parameter. Is this what you mean?
>
> - Tony
> "Jason Brown [MSFT]" wrote:
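The queue-based design Tony describes in the first post, with the input checking that Jason's "be careful of who can access it" advice calls for, as an added C# example that is not code from the thread, from Tony's application or from Microsoft. The privileged daemon never trusts the web process: the ASP.NET page sends only a site name, and the worker (running under a service account that has the metabase and file-system rights) validates that name against a whitelist and derives the physical path itself. The queue path, content root, message class and method names are assumptions; IIS://localhost/W3SVC/1/Root is the ADSI metabase path of the default web site's root on IIS 5/6.

```csharp
// Added example (not from the thread): privileged MSMQ worker that creates
// IIS virtual directories on behalf of an anonymous ASP.NET app.
// Queue path, roots and names below are assumptions for illustration.
using System;
using System.DirectoryServices;
using System.IO;
using System.Messaging;
using System.Text.RegularExpressions;

// Message sent by the ASP.NET page: data only, never a path or an identity.
[Serializable]
public class CreateVDirRequest
{
    public string SiteName;   // e.g. "customer42"
}

public static class VDirWorker
{
    // Assumed queue and fixed roots; the worker, not the sender, decides paths.
    const string QueuePath    = @".\private$\createvdir";
    const string MetabaseRoot = "IIS://localhost/W3SVC/1/Root";
    const string ContentRoot  = @"D:\Sites";

    // Whitelist: short alphanumeric names only, so "..\" or metabase path
    // separators can never reach the privileged call.
    static readonly Regex SafeName = new Regex(@"^[a-z0-9][a-z0-9-]{1,31}$");

    public static bool IsValidName(string name)
    {
        return name != null && SafeName.IsMatch(name);
    }

    public static string ContentPathFor(string name)
    {
        string full = Path.GetFullPath(Path.Combine(ContentRoot, name));
        // Defence in depth: even a validated name must resolve under ContentRoot.
        if (!full.StartsWith(ContentRoot + @"\", StringComparison.OrdinalIgnoreCase))
            throw new ArgumentException("path escapes content root");
        return full;
    }

    // Called from the ASP.NET page (runs as ASPNET); needs only Send rights on the queue.
    public static void RequestVirtualDirectory(string name)
    {
        CreateVDirRequest req = new CreateVDirRequest();
        req.SiteName = name;
        using (MessageQueue queue = new MessageQueue(QueuePath))
        {
            queue.Send(req, "create-vdir");
        }
    }

    // Runs in the privileged daemon.
    public static void CreateVirtualDirectory(string name)
    {
        if (!IsValidName(name)) throw new ArgumentException("invalid vdir name");
        string physical = ContentPathFor(name);
        Directory.CreateDirectory(physical);

        using (DirectoryEntry root = new DirectoryEntry(MetabaseRoot))
        {
            // Refuse to overwrite an existing VDir rather than silently re-pointing it.
            foreach (DirectoryEntry child in root.Children)
                if (string.Equals(child.Name, name, StringComparison.OrdinalIgnoreCase))
                    throw new InvalidOperationException("vdir already exists");

            DirectoryEntry vdir = root.Children.Add(name, "IIsWebVirtualDir");
            vdir.Properties["Path"].Value = physical;
            vdir.Properties["AccessRead"].Value = true;
            vdir.Properties["AccessScript"].Value = false; // least privilege: no script execution by default
            vdir.CommitChanges();
        }
    }

    public static void Run()
    {
        using (MessageQueue queue = new MessageQueue(QueuePath))
        {
            queue.Formatter = new XmlMessageFormatter(new Type[] { typeof(CreateVDirRequest) });
            while (true)
            {
                Message msg = queue.Receive();
                CreateVDirRequest req = msg.Body as CreateVDirRequest;
                try
                {
                    if (req == null) throw new ArgumentException("malformed request");
                    CreateVirtualDirectory(req.SiteName);
                    Console.WriteLine("created vdir {0}", req.SiteName);
                }
                catch (Exception ex)
                {
                    // Log and drop: a rejected request must not stop the service.
                    Console.Error.WriteLine("rejected request: {0}", ex.Message);
                }
            }
        }
    }
}
```

With this split the ASPNET account needs no rights on the metabase or on D:\Sites at all; the worst a compromised web process can request is a well-formed, empty directory under the content root. Set the queue's ACL so that ASPNET can only send (MessageQueue.SetPermissions with MessageQueueAccessRights.WriteMessage) and cannot read or purge other requests, and keep a metabase backup before the daemon goes live, as Jason suggests.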