.NET Forum / ASP.NET / General / March 2008
Basic security question

LP - 04 Mar 2008 14:39 GMT
Hi there,

I'm going to be using (anonymous) impersonation on my web site so everything
will run under IUSR. I'm a little confused about what end-users will be able
to do versus my app itself however. For instance, if I create a read-only
folder, my app (running under IUSR) can read it without issue. However, I
don't want end-users to be able to see it. Therefore, even if directory
browsing is turned off, is there any way for end-users to be able to read
what's in the folder since IUSR still has read permissions (or worse yet,
write to the folder if write permissions is also on). Thanks in advance.
David Wang - 04 Mar 2008 15:07 GMT
> Hi there,
>
[quoted text clipped - 6 lines]
> what's in the folder since IUSR still has read permissions (or worse yet,
> write to the folder if write permissions is also on). Thanks in advance.

Since your app will be accessible to the end user and under their
control, anything your app can access can potentially be accessed by
the end-user. It doesn't matter how you authenticate or impersonate.

Your only defense is to not write a security vulnerability in your
application code to allow your security nightmare to happen.

For example, you can turn directory browsing off, but if your
application allows users to access CreateFile-like behavior, then depending
on its implementation, it may be vulnerable to being used as directory
browsing. Same thing with write permissions.

Since Web servers are designed to serve resources under their websites
after passing Authentication, if you want to prevent the end-user from
using the Web Server itself (not just your application) to read files
you want to hide, then do NOT put those files in directories that are
part of any website.

//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
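The "CreateFile-like behavior" David describes is easiest to see in code. The following is an added example, not code from the thread: a file-download helper in its naive form and in a hardened form that keeps every request inside the intended folder. The folder layout, file names and the `DownloadResolver` class are constructed for the demo.

```csharp
using System;
using System.IO;

// Added example (not code from the thread): application code that opens a
// file named by the user, first in the naive form, then hardened.
// The folder layout below is constructed for the demo.
static class DownloadResolver
{
    // Naive: the user's string goes straight into the path. A value such as
    // "..\App_Data\users.xml" (or an absolute path, which Path.Combine returns
    // unchanged) leaves the download folder, and because the worker process
    // runs as IUSR with read access, the file gets served.
    public static string ResolveUnsafe(string downloadRoot, string requested)
    {
        return Path.Combine(downloadRoot, requested);
    }

    // Hardened: canonicalize and require the result to stay inside the
    // download folder. Directories are never returned, so the method cannot be
    // turned into a listing. Files the app can read but users must not
    // (App_Data, bin, web.config) are refused here, not by NTFS rights on IUSR.
    public static string ResolveSafe(string downloadRoot, string requested)
    {
        if (string.IsNullOrEmpty(requested) || Path.IsPathRooted(requested))
            return null;
        string root = Path.GetFullPath(downloadRoot)
            .TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;
        string full = Path.GetFullPath(Path.Combine(root, requested));
        if (!full.StartsWith(root, StringComparison.OrdinalIgnoreCase))
            return null;                        // escaped the folder
        return File.Exists(full) ? full : null; // false for directories
    }

    static void Main()
    {
        // Constructed layout: <temp>\site\Downloads and <temp>\site\App_Data
        string site = Path.Combine(Path.GetTempPath(), "site-" + Guid.NewGuid().ToString("N"));
        string downloads = Path.Combine(site, "Downloads");
        string appData = Path.Combine(site, "App_Data");
        Directory.CreateDirectory(downloads);
        Directory.CreateDirectory(appData);
        File.WriteAllText(Path.Combine(downloads, "brochure.pdf"), "public");
        File.WriteAllText(Path.Combine(appData, "users.xml"), "private");

        string escape = ".." + Path.DirectorySeparatorChar + "App_Data"
                      + Path.DirectorySeparatorChar + "users.xml";
        Console.WriteLine(ResolveUnsafe(downloads, escape));          // points into App_Data
        Console.WriteLine(ResolveSafe(downloads, escape) ?? "refused"); // refused
        Console.WriteLine(ResolveSafe(downloads, "brochure.pdf"));    // served
        Directory.Delete(site, true);
    }
}
```

The point of the hardened version is David's: NTFS permissions on IUSR cannot distinguish the app from its users, so the containment check in application code is what actually keeps App_Data and bin out of reach.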
LP - 04 Mar 2008 15:49 GMT
> Since your app will be accessible to the end user and under their
> control, anything your app can access can potentially be accessed by
> the end-user. It doesn't matter how you authentication or impersonate.

> Your only defense is to not write a security vulnerability in your
> application code to allow your security nightmare to happen.

> For example, you can turn directory browsing off, but if your
> application allows users to access CreateFile-like behavior, depending
> on its implementation, may be vulnerable to be used as directory
> browsing. Same thing with write permissions.

> Since Web servers are designed to serve resources under its websites
> after passing Authentication, if you want to prevent the end-user from
> using the Web Server itself (not just your application) to read files
> you want to hide, then do NOT put those files in directories that are
> part of any website.

Thanks for the info but I still need clarification. I don't completely
understand how to secure my site from anonymous users if read-only means
that not only can my app read the data (while running under IUSR), but so
can anonymous users on the Internet. The "App_Data" folder is a good
example. Can someone simply read this from their browser for instance (just
by guessing a file's name) or even write to it somehow? If so then to
protect against it, my first instinct would be to deny access to IUSR but
then my app would have to explicitly impersonate some other valid user in
order to access the folder. On a 3rd-party web-hosting site you would likely
have to use your personal account for that which means securing my password
on the server and then going through the trouble of impersonating. Moreover,
if I understand things correctly, the ASPNET account itself ("Network
Service" on Win2003 Server) still requires read/write to this folder (for
various housekeeping tasks) regardless of who my app is impersonating (IUSR
or otherwise). This all seems very complicated and therefore unlikely, i.e.,
I assume most web sites don't lock down "App_Data" this way meaning that
anonymous users can read its contents, is this not correct? If so then it's
a security problem so can you elaborate on this situation? Thanks.
bruce barker - 04 Mar 2008 17:50 GMT
asp_net "locks" down app_data, so no browser requests for a file in the dir
are allowed. it will be safe unless your code has a security bug that allows
reading/writing from this folder.

-- bruce (sqlwork.com)

> > Since your app will be accessible to the end user and under their
> > control, anything your app can access can potentially be accessed by
[quoted text clipped - 32 lines]
> anonymous users can read its contents, is this not correct? If so then it's
> a security problem so can you elaborate on this situation? Thanks.
LP - 04 Mar 2008 18:03 GMT
> asp_net "locks" down app_data, so no browser requests for a file in the
> dir
> is allowed. it will be safe unless your code has a security bug that
> allows
> reading/writing from this folder,

Thanks for setting me straight on that. What about other standard folders
like "bin" however. For non-standard folders, I assume I would have to
explicitly deny access to IUSR and impersonate another account to access it
(in my own code which is also running as IUSR).

©2008 Advenet LLC   Privacy Policy - Terms of Use