IIS Server Security - IIS6 &ASP.Net Permissions help:-)

Author

IIS6 &ASP.Net Permissions help:-)

ERoss

2007-06-14, 1:28 pm

I am an admin - not a developer - but I have a prob (I think)

IIS servers are stand alone (no domain) 2K3 servers

web sites are fairly default IUSR account being used - IUSR has the
usual directory permissions - and Igranted NETWORK SERVICE directory
permissions as well

All sites require a login controlled by a database - not Windows

But the application code the devel team gives me to place on these
servers never runs properly unless Server_Name\USERS group is granted
"Full Control" on the file system level

That seems nuts ?? is this normal for aspx to need these kind of
permissions???

tx

Ken Schaefer

2007-06-17, 1:21 am

ASP.NET usually runs under the user context of the web application pool. If
the web application pool is running as Network Service (the default), then
this account needs permissions to files and folders.

Now, you say "it doesn't work unless Server_Name\USERS group is granted
"Full Control" on the file system level"

Which part of the file system are you talking about? the entire disk? Or
just some small portion of it?

Have you run Filemon to see where there might be "Access Denied" errors, and
which account is being denied access?

Cheers
Ken

--
My IIS Blog: www.adOpenStatic.com/cs/blogs/ken

"ERoss" <elliot475@hotmail.com> wrote in message
news:MPG.20db19eedd5ede7b9896ac@msnews.microsoft.com...
>I am an admin - not a developer - but I have a prob (I think)
>
> IIS servers are stand alone (no domain) 2K3 servers
>
> web sites are fairly default IUSR account being used - IUSR has the
> usual directory permissions - and Igranted NETWORK SERVICE directory
> permissions as well
>
> All sites require a login controlled by a database - not Windows
>
> But the application code the devel team gives me to place on these
> servers never runs properly unless Server_Name\USERS group is granted
> "Full Control" on the file system level
>
> That seems nuts ?? is this normal for aspx to need these kind of
> permissions???
>
> tx
>

ERoss

2007-06-18, 1:24 pm

Thanks for the response !

Now, you say "it doesn't work unless Server_Name\USERS group is granted
> "Full Control" on the file system level"

Just to its application path \inetpub\wwwroot\<app_name> and all
subdirecties

I will see if I can find filemon

thanks

In article <#htenEJsHHA.2376@TK2MSFTNGP05.phx.gbl>,
kenREMOVE@THISadOpenStatic.com says...
> ASP.NET usually runs under the user context of the web application pool. If
> the web application pool is running as Network Service (the default), then
> this account needs permissions to files and folders.
>
> Now, you say "it doesn't work unless Server_Name\USERS group is granted
> "Full Control" on the file system level"
>
> Which part of the file system are you talking about? the entire disk? Or
> just some small portion of it?
>
> Have you run Filemon to see where there might be "Access Denied" errors, and
> which account is being denied access?
>
> Cheers
> Ken
>
>

Ken Schaefer

2007-06-19, 1:18 am

Filemon can be downloaded from the Microsoft website (it used to be a
Sysinternals tool):
http://www.google.com.au/search?q=s...oft.com+Filemon
(first link is the download, some other articles on using Filemon to
troubleshoot things)

Are you using Impersonation in your application? If so, then ASP.NET might
be impersonating the authenticated user for file access, rather than the web
app pool identity.

Cheers
Ken

--
My IIS Blog: www.adOpenStatic.com/cs/blogs/ken

"ERoss" <elliot475@hotmail.com> wrote in message
news:MPG.20e049fdc9cfb48f9896ad@msnews.microsoft.com...[vbcol=seagreen]
> Thanks for the response !
>
> Now, you say "it doesn't work unless Server_Name\USERS group is granted
>
> Just to its application path \inetpub\wwwroot\<app_name> and all
> subdirecties
>
> I will see if I can find filemon
>
> thanks
>
>
> In article <#htenEJsHHA.2376@TK2MSFTNGP05.phx.gbl>,
> kenREMOVE@THISadOpenStatic.com says...