Rick Strahl's Weblog  

Wind, waves, code and everything in between...
.NET • C# • Markdown • WPF • All Things Web
Contact   •   Articles   •   Products   •   Support   •   Advertise
Sponsored by:
West Wind WebSurge - Rest Client and Http Load Testing for Windows

Configuration File Settings and ASP.Net Security


:P
On this page:

 

 

Somebody brought up a good point about my Configuration Settings class today that I failed to mention in the article: Security requirements for an ASP.Net application to be able to actually make changes to the .Config file.

If you are running in the default security environment the ASP.Net app runs under the ASPNET or NETWORK SERVICE account and these accounts usually don't have rights to write to web.config or any other part of application.

I personally run my ASP.Net apps under a specific user and assign this user to a Windows 2003 Application Pool which I then use for the application. Usually I configure this user to have read/write access in the application directory because I have a number of tasks that read and write to the file system in various places of my framework. I don't feel this is a huge security risk because in order to do anything with these 'loose' permission soembody has to first be able to compromise either my app (via some script or injection) or by hacking into the machine itself. If that's the case my Web directory is probably the last thing I need to worry about.

So, by default ASPNET and Network Service aren't allowed and if you're not comfortable with the environment I run (and many aren't ) you can limit your exposure by just allowing read/write access to web.config for these accounts. This file already has read access (although it can't be accessed over the Web due to ASP.Net's internal forbidden handlers) which if anything is the bigger vulnerability.

Using Impersonation in a separate web.config
As I was thinking about this I found another solution that should work without changing security if you have a separate directory to run all Admin requests through. Updating web.config should not be something you do frequently, so this requirement to run from a separate directory should be workable - all my apps use an Administration path for all admin tasks for example and I can place a separate web.config there that uses Impersonation to run under the account the user logged in under.

In this admin directory which should sit below your app root you can add a secondary web.config file that overrides the security settings of the primary web.config file. Set it to use Windows Auth and Impersonation like this:

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<system.web> 
    <identity impersonate="true" />
    <!-- WS: Allow only Authenticated users -->
    <authorization>
        <deny users="?" />
    </authorization>
 </system.web>
</configuration>

 

This is basically telling ASP. Net to impersonate the logged on user and to deny anonymous access which will force a login when any page in the directory with this web.config (or below) is accessed. Now when you hit any pages in the admin directory the remote user is impersonated and if this remote user has the appropriate rights on the server the application has rights to write web.config. This means an anonymous user has no access, but I as an Admin user have the rights to actually write to the .config files.

I just tried this and it works great even though several sources I checked state that you can't set authentication in a sub directory below the approot. It works though.


The Voices of Reason


 

Peter
April 01, 2004

# re: Configuration File Settings and ASP.Net Security

I found some Windows API calls for Windows impersonation, These may be difficult to port to ASP.NET, but might provide a novel way of overcoming the impersonation issue,

Pete.

Rick Strahl
April 14, 2004

# re: Configuration File Settings and ASP.Net Security

Peter why would you need to do that? ASP.Net lets you use Impersonation pretty easily if you choose. The above approach works really well for administrative paths in general as it doesn't require any ACLs to be set on the directory (unless you have sensitive files stored there like logs etc.).

S.Ahamed Shah
November 10, 2004

# re: Configuration File Settings and ASP.Net Security

Hello Sir,
I am facing a problem like, when i am running my program in my local server i am able to access all the pages.But when i am placing it in the server and accessing it it gives me an error

"Please make < customErrors > tag in "Web.config" configuration file which exists in the root directory of a present Web application to make details of this error message can displayed with a remote computer. Afterwards, please set "Mode" attribute to "Off" with this < customErrors > tag."

Can you please help me out in this


jaba
November 29, 2004

# re: Configuration File Settings and ASP.Net Security

Hi,
I am facing a serious problem running Asp.net Application. Actually , on our production we've Windows Server 2003
Enterprise Edition running IIS 6.0 and .NET Framework 1.1.
Every request of every .aspx file results in
a "Server Application Unavailable" message in the browser. No errors
are recorded in the Event viewer.

Any suggestions is appreciated

thanks
jaba

Sumesh
January 27, 2005

# Server Application Unavailable

I use .net 1.1.

When i query more tables from database using asp i end up with the following error.

Server application unavailable

For smaller queries i dont find any error

Can anyone solve this problem

I changed the processmodel attribute to "SYSTEM"(one of the suggested answers).I also increased the memory limit to 90. but i still end up with the same error

can anyone help me out.

Stan Mezyk
March 02, 2005

# re: Configuration File Settings and ASP.Net Security

How it will be working when I use in my web.config the following:
<appSettings file="myProd.config">
</appSettings>
If myProd.config will overwrite my above myProd.config ?
Thanks,
Stan

Rick Strahl
March 02, 2005

# re: Configuration File Settings and ASP.Net Security

That config file will have the same security as the main config file so the secruity still applies.

Aamir
March 14, 2005

# re: Configuration File Settings and ASP.Net Security

Dear sirs;
I haev small problem infect i have some html files witch stores in fodler with name articals . so i want just reg user can view html files but its not accessable from direct link spouse eye4tech.us/volume/artical/getit.html
i user windows authentication method but using this method i can just restrict aspx file but not html files . so plz whats the way
Thanks

tanujareddy
April 08, 2005

# re: Keyword not supported: 'provider'.

hello ,
when i am trying to connect to sql server using ado.net i am getting the error keyword not supported :'provider' plse help me.

i have written the code as

con=new SqlConnection("Provider=SQLOLEDB.1;User ID=sa;Initial Catalog=admin;Data Source=(local)")


Nazeeb.
April 18, 2005

# Failed to impersonate the Anonymous User for ASP Application /LM/W3SVC/2/Root.

Hi

When i am accessing site . i am getting the above error. we are using iis 6. In IIS the hirarchy of my accessing site is child and it is using ananymous. where as the parent is using integrated . and all the above is using both anaymous and integrated. Can u suggest on this.

Rick Strahl
April 18, 2005

# re: Configuration File Settings and ASP.Net Security

Nazeeb, most likely somebody has messed with the account that is used for anonymous access on your site. Either the rights or password has changed or the account was removed. The easiest thing is to go into IIS check the account, remove it and add it back in to re-aling the SID if necessary and also make sure that the account used is active.

Rick Strahl's WebLog
May 18, 2005

# Understanding ASP.NET Impersonation Security

Understanding how ASP.NET's internal security works is important if your application needs to access resources on the local machine. Specifically it's important to know exactly which account your ASP.NET application is running under. This entry reviews different ways of how this account is affected by different versions of Windows, and ASP.NET configuration.

UB
May 20, 2005

# Configuration ASP.Net Application on Different Machine

Hi

I developed ASP.NET application on which the systems contains WinXP pro & VS2003 with the backend as MySQL. This application was working fine on the same system. But when I moved this application to the local server, which also having IIS5.1 & virtual directory too, i could not able to run this. The Error was "the page cannot be found". Can anyone help me out. And is it necessary to have VS2003 to run the ASP.NET application?

Thxs

Parag
June 06, 2005

# Browser Compatibility for asp.net validators

I have developed an asp.net applicaion which is running well.
But the validation controls are not supported by Netscape( which are supported well by the ie browser)
I've also tried vaarious asp.net <browsercaps> codes. But could not succeed .
Can anybody provide me latest <browsercaps> code or some other solution regarding this?
Thanks in advance
Parag

Niraj Mehta
February 12, 2006

# Need Help

I am using Windows 2003 Server Standard edition, i just prepared this
machine to use for one ASP.net application. i am using IIS 6.
ASP.net application runs fine but it become unavailable in every hour with a
big red color message "Server Application Unavailable".

i am also using simple ASP pages but
they are running fine but ASP.net application give this error. Please Help

niraj@anantsoftech.com

Adeel Anjum
July 19, 2006

# re: Configuration File Settings and ASP.Net Security

i have developed an application on IIS 5.1 with asp.net. There is a report which takes nearly 8 to 10 minutes to run. on IIS it displays report in the specified time. when i hosted this application on IIS 6. After exactly 2 minutes ( I have counted the time maself :) ). It always give me error Time out expired. I had so many things i.e. increased connection timeout on IIS 6 and have changed time settings in machine.config and also specified server.scripttimeout etc. but nothing seems to work. then some where i read that this is default behaviour of IIS 6.
Can somebody guide me.

my email address is adeelanjum2001@hotmail.com

thanks in advance

Rick Strahl
July 19, 2006

# re: Configuration File Settings and ASP.Net Security

You need to look into the httpRuntime executionTimeout setting most likely. That and IIS Request Timeout will determine how long the server allows a request to run before it's considered hung and failed.

Jinu George
August 02, 2006

# Process related question

Hi,

In a web applicabtion if I try to start a process, it runs under the ASPNet user. I have tried the different solutions without any resolution. No matter which solution I use the process is started under the same user name.

My requirement is to run the process under another user name other than ASPNet user. Can you suggest a method.

Thanks,
Jinu

Rick Strahl
August 02, 2006

# re: Configuration File Settings and ASP.Net Security

You need to change the setting in machine.config(global web.config for 2.0) under XP and Windows 2000. In IIS 6 and later the user is determined by the IIS Application Pool.

Muhammad Omais
August 08, 2006

# re: Configuration File Settings and ASP.Net Security

Hello Sir,
I am facing a problem like, when i am running my program in my local server it gives me an error

"Please make < customErrors > tag in "Web.config" configuration file which exists in the root directory of a present Web application to make details of this error message can displayed with a remote computer. Afterwards, please set "Mode" attribute to "Off" with this < customErrors > tag."

Can you please help me out in this

email: m.omais@gmail.com

Rick Strahl's Web Log
September 27, 2006

# Creating Virtuals and reading Installed Sites on IIS with .Net - Rick Strahl's Web Log


Rick Strahl's Web Log
September 28, 2006

# Updated Configuration Class Article and Code - Rick Strahl's Web Log

I've updated the Building a better .Net Application Configuration Settings Class article and code. There have been a number of additions to the class including support for writing to external .Config files and writing to custom sections.

Michael
October 02, 2006

# re: Configuration File Settings and ASP.Net Security

This one had me really stumped because I wasn't able to give the user account the web application runs under permissions to the web.config file and if I used impersonation then the site wouldn't load because the impersonated user didn't have access to the temporary directory.

However, adding impersonation to a web.config file under a subdirectory worked perfectly. Thank you so much I never would have thought of doing that.

Rick Strahl
October 05, 2006

# Creating Virtuals and reading Installed Sites on IIS with .Net - Rick Strahl

# re: Configuration File Settings and ASP.Net Security

i encounter the same problem and i wonder the solution...

Rick Strahl's Web Log
October 15, 2006

# Putting up a Web Store SandBox with ASP.NET 2.0 - Rick Strahl's Web Log

Last night I put together another ASP.NET 2.0 Web Store site to put out as a SandBox for people to play around with. I'm getting the process down, but this was a little different install in that it's suposed to open everything up including the backend yet without blowing security. This post discusses a few of the thoughts that went into this and also touches on some ASP.NET 2.0 deployment issues once again.

# configurationclass at Programmers Heaven

Free programming files, links, articles, tutorials, source codes, utilities, ASP, .NET, C/C++, .NET, C#, ASP.NET, XML, Visual Basic, Delphi, Java, Pascal, Assembler and other tools for programmers.

# Printer

Free programming files, links, articles, tutorials, source codes, utilities, ASP, .NET, C/C++, .NET, C#, ASP.NET, XML, Visual Basic, Delphi, Java, Pascal, Assembler and other tools for programmers.

Srinivas
February 06, 2008

# re: Configuration File Settings and ASP.Net Security

I need you people help regarding my issue. In my web Application, I write the code for Export to Excel feature. Application was enable for Windows Authentication. When a user logged into the system and try to Export to Excel, Required Excel file was created and saving in TEMP folder which I asked the application to save it. But When I am trying to open that file from that folder, there was a Access prob for logged in User with Permissions.

Can anyone help me in this pleaseeeeee? Its very urgent

Thanks in Advance
Srinivas

sell my house fast
June 05, 2008

# sell my house fast

but still - this is how long after

Durdenet
July 18, 2008

# re: Configuration File Settings and ASP.Net Security

Nobody said that this DOES NOT apply if you are using Form authentication throughout your application. Am I correct?
In that case the only workable way is programmatic impersonation.
Right?

wan acceleration
December 02, 2008

# wan acceleration

I\'ve found that in our network WAN accelerators have made a big difference

John Dieter
March 02, 2010

# re: Configuration File Settings and ASP.Net Security

I have a service. I have a winform app that configures the service. Now that wonderful win7 and 2008 are here, I can no longer write to the services .config file using system.io
How do I get my settings, from my winform app into the services config file!
I have to put a shared file somewhere.

West Wind  © Rick Strahl, West Wind Technologies, 2005 - 2024