|
Home > Archive > IIS Server Security > July 2006 > Network service default permissions
You are viewing an archived Text-only version of the thread.
To view this thread in it's original format and/or if you want to reply to
this thread please [click here]
| Author |
Network service default permissions
|
|
| Eric Chaves 2006-07-26, 1:25 pm |
| Hi folks,
I was digging around the default permission for "network service" user
and got myself quite confused. In the servers I've checked the default ACL
permission on any new folder for this user is "Read & Execute","List folder
contents" and "Read". However when I check the NTFS permissions trought the
"Advanced" button I also saw that this user has "Create Files/Write Data"
and "Create Folders/Append Data", which acording to Microsfts KBs belongs to
"Modify" and "Full Control". Is this correct?
As far as I kow the network service account should be used to run with
"minor privileges" and thus is recomended to be used for web sites, but with
this set of permissions the network service has a "Write" and "Execute"
permission. Is this safe to be used?
Cheers,
Eric.
| |
| David Wang [Msft] 2006-07-26, 7:27 pm |
| Default configuration does not allow Network Service write/create access to
the filesystem, so what you describe is configuration that you or someone
else has customized and hence responsible for.
"Is this safe to be used" cannot be answered without knowing your security
requirements. Security is never absolute black/white and always relative
shades of grey, so it "depends" on knowing more information.
File ACLs/Permissions and Privileges are two separate but interacting
concepts.
--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Eric Chaves" <eric.dot.chaves@agsbrasil.dot.com.dot.br> wrote in message
news:%23cEboXLsGHA.1876@TK2MSFTNGP06.phx.gbl...
> Hi folks,
>
> I was digging around the default permission for "network service" user
> and got myself quite confused. In the servers I've checked the default ACL
> permission on any new folder for this user is "Read & Execute","List
> folder contents" and "Read". However when I check the NTFS permissions
> trought the "Advanced" button I also saw that this user has "Create
> Files/Write Data" and "Create Folders/Append Data", which acording to
> Microsfts KBs belongs to "Modify" and "Full Control". Is this correct?
> As far as I kow the network service account should be used to run with
> "minor privileges" and thus is recomended to be used for web sites, but
> with this set of permissions the network service has a "Write" and
> "Execute" permission. Is this safe to be used?
>
> Cheers,
>
> Eric.
>
>
>
>
| |
| Eric Chaves 2006-07-27, 1:26 pm |
| Hi David,
Thanks for the answer, but if you don't mind I'd like to digg this
subject a little further. Maybe this isn't the best forum to ask those
questions, since the questions aren't strict iis related. I start asking
here only because "network service" is an account usually "associated" to
web services. If this post belong to somewhere else, just let me know. Also,
I'm not bringing the subject to point "flaws" or "security risks", my goal
is just get a deeper understanding of what is going on here.
> Default configuration does not allow Network Service write/create access
> to the filesystem, so what you describe is configuration that you or
> someone else has customized and hence responsible for.
What I described was found in several different Windows 2003 Server
installations and as far as I know none of those received any custom
configuration regarding ACLs, however I'll not discard this possibility. I
belive it was a "next-next-finish" job, followed by the server's inclusion
into AD domain. I'll make a fresh install anyway in my development server
this week to check against what I state.
In the meantime, please correct me if I'm wrong since I'm not a
security specialist. In general ACL permissions are inhirited by parent
folders. With that in mind I perform the following steps:
1-I went to a non system partition (ie D , and check the ACL
permissions on that folder. Network service was not listed there; checking
the "effective permission" for the D: drive however shows that "network
service" does have "Create Folder/Append Data" permission.
2- I then created a new folder, named "New Folder" with all
permissins inherited. again "Network service" is not listed in NTFS
permissions but checking the "effective permissions" reveals that now,
"network service" has a set of permissions equivalent to "modify".
3- Execute a simple ASPX page which creates a text file "D:\New
Folder\SomeFile.txt"; The site running the ASPX page is configured to allow
only anonymous request and the AppPoll identity was setted to "network
service".
4- The page was sucefully created being owned by network service (the
creator owner), which grants full controll over it. (I usually restrict
creator owner permissions in my "web application folders" to prevent that).
I checked on (c:\windows\repair) secsetup.inf and secD.inf of the
servers in question but didn't found anything there related this. I don't
discard however that I may be missing something here.
This brings me to the question: where default ACLs does came from (at
least for well know SIDs)? I mean, if the permission is not explicit
assigned into the driver/folder, how does windows calculate the effective
permission for the "network service"?
> "Is this safe to be used" cannot be answered without knowing your security
> requirements. Security is never absolute black/white and always relative
> shades of grey, so it "depends" on knowing more information.
In this context I'm meaning as a general rule of thumb since the general
rule of thumb is to run web applications under network service account. I
totally agree that security is a grayed area. In this scenario, an web
application that perform file upload may lead to some insecure scenarios if
the admin does not explicity change the creator owner permission of the
folders in questions, which you have to agree with me, is not a common
recomendation found on KBs and articles.
> File ACLs/Permissions and Privileges are two separate but interacting
> concepts.
I'm refering only to ACL permissions. Sorry for the wrong terms used.
Cheers,
Eric.
ps.: i'm a fan of your blog!! thanks for the good information you bring to
us.
| |
| Eric Chaves 2006-07-27, 7:24 pm |
| Hello All,
An small update on my previous post. I made a few tests in order to identify
from where the "network service" may be receiving the "write" permissions
stated early.
It seems that the permission is being inherited from the "Users" group. If I
deny write access to the users group, the effective permission for "network
service" no more contains the write permissions.
Now the question is how does "network service" get the User group's
permission? It doesn't seems to belong to the group neither is being
assigned to it by security policies like the "restricted group". Any hints?
cheer,
Eric.
|
|
|
|
|