
How to run aspnet with system account

Hi,

I'm running ClrProfiler for the first time to profile my web app, and it
keeps getting stuck at this msg box: "Waiting for Asp.net to start common
language runtime - this is the time to load your test page." even after I
launched my app and aspnet_wp.exe is running.

Do you know what I need to do to fix it? I also found some old post, a
person mentioned that I need to make sure I need to
run my aspnet with system account instead. Do you know how to do this
account switching?

Thanks for your comment and advice.
Nov 19 '05 #1
Hi Zeng,

You can learn how to create custom accounts to run ASP.NET at the following
link.

http://msdn.microsoft.com/library/de...l/secmod15.asp

Good luck!

Nov 19 '05 #2
Somebody's going to find a whole bunch of old posts exactly like yours,
thanks to cross-posting! ;-)

If you own the server, the simplest way is to edit the machine.config file
in your .Net config folder, and change the ProcessModel section to use
"SYSTEM" instead of "MACHINE".

--
HTH,

Kevin Spencer
Microsoft MVP
.Net Developer
What You Seek Is What You Get.


Nov 19 '05 #3
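
Added example, not part of the thread or any poster's code: a Python check that reads a machine.config and reports which account the `processModel` section gives the ASP.NET worker process, flagging the "SYSTEM" setting described in the post above. The sample files, the `WEB01\svc_aspnet` account and the function name `audit_process_model` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample machine.config fragments; the custom account name and
# its password are made up for this example.
SAMPLES = {
    "system": """<configuration><system.web>
        <processModel enable="true" userName="SYSTEM" password="AutoGenerate"/>
    </system.web></configuration>""",
    "machine": """<configuration><system.web>
        <processModel enable="true" userName="machine" password="AutoGenerate"/>
    </system.web></configuration>""",
    "custom": """<configuration><system.web>
        <processModel enable="true" userName="WEB01\\svc_aspnet" password="Example-Pw-1"/>
    </system.web></configuration>""",
    "absent": """<configuration><system.web/></configuration>""",
}


def audit_process_model(config_text):
    """Classify the worker-process identity declared in one machine.config.

    Returns (identity, severity, findings); severity is "ok", "review" or "high".
    """
    root = ET.fromstring(config_text)
    element = next(root.iter("processModel"), None)
    user = element.get("userName") if element is not None else None
    if user is None:
        return ("unspecified", "review",
                ["no userName attribute; the framework default applies"])

    password = element.get("password", "")
    name = user.strip().lower()  # compared case-insensitively to be conservative

    if name == "system":
        return ("LocalSystem", "high", [
            "worker process runs as SYSTEM: a flaw in any hosted page runs "
            "with full control of the server",
            'switch userName back to "machine" once profiling is finished',
        ])
    if name == "machine":
        # "machine" maps to the low-privilege local ASPNET account.
        return ("ASPNET", "ok", [])

    # Anything else is a custom account: the file alone cannot prove it is
    # low-privilege, so it is reported for manual review.
    findings = ["custom account: confirm it is not in Administrators and "
                "holds only the rights the application needs"]
    if user.startswith("registry:"):
        findings.append("credentials are read from the registry; audit that key's ACL")
    elif password and password != "AutoGenerate" and not password.startswith("registry:"):
        findings.append("clear-text password stored in machine.config")
    return (user, "review", findings)


if __name__ == "__main__":
    for label, text in SAMPLES.items():
        identity, severity, findings = audit_process_model(text)
        print(f"{label:8} {severity:7} {identity}")
        for finding in findings:
            print(f"         - {finding}")
```

The `processModel` identity governs aspnet_wp.exe; where IIS 6 application pools host the site, the pool identity (Network Service by default) applies instead.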

April 5, 2005

It is too dangerous to run it as SYSTEM! I am a Microsoft Certified
Application Developer and one of the topics I happen to be certified in is
Web Applications and Security. I am not familiar with ClrProfiler, but I
HEAVILY am in doubt that it requires the System. I think that the old post
was just doing a "quick fix". I am sure that if you were having almost any
problem on your computer, it would be fixed by using the System account. For
this reason, I doubt that the person was really knowing what was required. I
strongly encourage you to research further, or disconnect the computer from
the internet and from any intranet whose computers connect to the internet.
Then immediately switch back to ASPNET as soon as you are done. I can't
emphasize this enough! Sorry for my abruptness. :-) Good luck!
Joseph MCAD


Nov 19 '05 #4
re:
> I can't emphasize this enough!

Neither can I.

The *only* reason to change the account used for ASP.NET
( from SYSTEM to ASPNET, and now to Network Service ),
was to be able to run ASP.NET in a less-dangerous security context.

It's amazing to see that this is being deliberately reverted.

re:
> Sorry for my abruptness. :-)

I thought you restrained yourself admirably! :-)

For developers to deliberately, or maybe unknowingly,
expose themselves to security risks after a product's
security configuration was changed to protect them,
requires a good rap on the knuckles.


Juan T. Llibre
ASP.NET MVP
http://asp.net.do/foros/
ASP.NET Forums in Spanish
Come, and let's talk about ASP.NET...
======================


Nov 19 '05 #5
Hang on a minute guys. This is self-contradictory:

> It is too dangerous to run it as SYSTEM!

> The *only* reason to change the account used for ASP.NET
> ( from SYSTEM to ASPNET, and now to Network Service ),
> was to be able to run ASP.NET in a less-dangerous security context.

In other words, it is either too dangerous to run it as the System
account, or it is USUALLY too dangerous to run it as the System account.
Which one is true?

The reason I ask is that we run it as System, and have for years. Why?
Because it is our servers, and nobody else's. We are not a hosting service.
And I am in charge of the software that goes on it.

Most executable applications run under the System account.

--
HTH,

Kevin Spencer
Microsoft MVP
.Net Developer
What You Seek Is What You Get.


Nov 19 '05 #6
re:
> Hang on a minute guys. This is self-contradictory:

No, it is not.

re:
> In other words, it is either too dangerous to run it as the System
> account, or it is USUALLY too dangerous to run it as the System account.
> Which one is true?

You're the one making *that* distinction.

What I stated is :
> The *only* reason to change the account used for ASP.NET
> ( from SYSTEM to ASPNET, and now to Network Service ),
> was to be able to run ASP.NET in a less-dangerous security context.

re:
> The reason I ask is that we run it as System, and have for years. Why?
> Because it is our servers, and nobody else's.

If you feel comfortable with that, feel free.

But, please, don't issue a recommendation to
"run ASP.NET under the System account".

That's liable to get a lot of people into trouble.

Getting away from having to use an account with excessive privileges
is the reason why, first, the ASP.NET account was changed from
System to ASPNET and then, later, to Network Service, when
even ASPNET was considered to have too many privileges.

That's almost as bad as running a server logged in as "Administrator".

Juan T. Llibre
ASP.NET MVP
http://asp.net.do/foros/
ASP.NET Forums in Spanish
Come, and let's talk about ASP.NET...
======================


Nov 19 '05 #7
Hi Juan,

Sorry about the poor choice of words. You were correct. It wasn't
"self-contradictory" other than the fact that you started out by seemingly
agreeing with Joseph, who made a blanket statement. You qualified your
statement, which actually indicated that you only PARTIALLY agreed with
Joseph.

Blanket statements are almost always incorrect. Note that I didn't make a
blanket statement there! Blanket statements are only useful to lazy people
or people that don't have the time to research the reality behind them.

Telling people that you CAN safely run ASP.Net under the System account
under the right circumstances is not likely to get anyone in trouble. Note
that I didn't RECOMMEND it. If people misunderstand, they aren't listening
diligently, and are therefore responsible for their own actions.

I don't like to hide the truth from people in the fear that they will
misunderstand it. Misunderstanding is not truth. It is a lie that someone
tells themself. What I said was perfectly true. What Joseph said was
imperfectly true. What you said was perfectly true.

The account under which ASP.Net runs is configurable, and includes "System."
Don't tell me that Microsoft made a mistake, by allowing people to do
something they should NEVER do! ;-)

--
HTH,

Kevin Spencer
Microsoft MVP
.Net Developer
What You Seek Is What You Get.


Nov 19 '05 #8

April 6, 2005

No security expert would ever agree with you + no security expert would
say that you are security oriented with that frame of mind and lack of
knowledge. Even if you only run your own code on your servers, developers
STILL make mistakes! If you had a simple program that connected to your
database with the SYSTEM account and it had one bug, the attacker could
launch a SQL Injection attack and do everything from corrupting the
registry, stealing data, take files, delete audit logs, release your IP
address, knock the server offline, and do damage that could result in not
being able to boot and therefore render the computer unrecoverable without
changing physical pieces such as the hard drive. If you don't run web
services, I bet you haven't disabled the Documentation protocol either. I
also think that you haven't blocked .Net remoting and .rem and .soap
requests. I can't even begin to give examples of what may happen. If all of
your customer information was taken, then deleted, then audit logs cleared,
and then damaged all of your web servers, your company's reputation would be
permanently destroyed unless you work for a gigantically gigantic company such
as Microsoft. With the way you have been able to run your programs as SYSTEM,
I can already believe that you work for a small business and have no security
experts on your team. (that is besides maybe yourself) I strongly recommend
that you begin to switch back to least privilege........
Joseph MCAD


Nov 19 '05 #9
Well, darn, Joseph. How lucky we've been, considering the "lack of security"
on our system. In all the time it's run, we've had no problems, attacks,
down-time, viruses, trojan horses, or anything else, for several years now.

Thanks for making me feel so lucky!

Of course, there's always the possibility that we ARE security experts, but
thankfully, you have made us realize that it's all been pure luck. I guess
I'll just have to take the MCAD course to become one.

--
;-),

Kevin Spencer
Microsoft MVP
.Net Developer
What You Seek Is What You Get.

"Joseph MCAD" <Jo********@dis cussions.micros oft.com> wrote in message
news:D6******** *************** ***********@mic rosoft.com...

April 6, 2005

No security expert would ever agree with you + no security expert
would
say that you are security oriented with that frame of mind and lack of
knowledge. Even if you only run your own code on your servers, developers
STILL make mistakes! If you had a simple program that connected to your
database with the SYSTEM account and it had one bug, the attacker could
launch a SQL Injection attack and do everything from, corrupting the
registery, stealing data, take files, delete audit logs, release your IP
address, knock the server offline, and do damage that could result in not
beening able to boot and therefore render the computer unrecoverable
without
changing physical pieces such as the harddrive. If you don't run web
services, I bet you haven't disabled the Documentation protocol either. I
also think that you haven't blocked .Net remoting and .rem and .soap
requests. I can't even begin to give examples of what my happen. If all
of
your customer information was taken, then deleted, then audit logs
cleared,
and then damaged all of your web servers, your company's reputation would
be
permanently destroyed unless you work for a giganticly gigantic company
such
as Microsoft. With the way you have been able to run your programs as
SYSTEM,
I can already believe that you work for a small business and have no
security
experts on your team. (that is besides maybe yourself) I strongly
recommend
that you begin to switch back to least privilege...... ..
Joseph MCAD

"Kevin Spencer" wrote:
Hi Juan,

Sorry about the poor choice of words. You were correct. It wasn't
"self-contradictory" other than the fact that you started out by
seemingly
agreeing with Joseph, who made a blanket statement. You qualified your
statement, which actually indicated that you only PARTIALLY agreed with
Joseph.

Blanket statements are almost always incorrect. Note that I didn't make a
blanket statement there! Blanket statements are only useful to lazy
people
or people that don't have the time to research the reality behind them.

Telling people that you CAN safely run ASP.Net under the System account
under the right circumstances is not likely to get anyone in trouble.
Note
that I didn't RECOMMEND it. If people misunderstand, they aren't
listening
diligently, and are therefore responsible for their own actions.

I don't like to hide the truth from people in the fear that they will
misunderstand it. Misunderstandin g is not truth. It is a lie that someone
tells themself. What I said was perfectly true. What Joseph said was
implerfectly true. What you said was perfectly true.

The account under which ASP.Net runs is configurable, and includes
"System."
Don't tell me that Microsoft made a mistake, by allowing people to do
something they should NEVER do! ;-)

--
HTH,

Kevin Spencer
Microsoft MVP
..Net Developer
What You Seek Is What You Get.

"Juan T. Llibre" <no***********@ nowhere.com> wrote in message
news:uq******** ******@tk2msftn gp13.phx.gbl...
> re:
>> Hang on a minute guys. This is self-contradictory:
>
> No, it is not.
>
> re:
>> In other words, it is either too dangerous to run it in as the System
>> account, or it is USUALLY too dangerous to run it as the System
>> account.
>> Which one is true?
>
> You're the one making *that* distinction.
>
> What I stated is :
>>> The *only* reason to change the account used for ASP.NET
>>> ( from SYSTEM to ASPNET, and now to Network Service ),
>>> was to be able to run ASP.NET in a less-dangerous security context.
>
> re:
>> The reason I ask is that we run it as System, and have for years. Why?
>> Because it is our servers, and nobody else's.
>
> If you feel comfortable with that, feel free.
>
> But, please, don't issue a recommendation to
> "run ASP.NET under the System account".
>
> That's liable to get a lot of people into trouble.
>
> Getting away from having to use an account with excessive privileges
> is the reason why, first, the ASP.NET account was changed from
> System to ASPNET and then, later, to Network Service, when
> even ASPNET was considered to have too many privileges.
>
> That's almost as bad as running a server logged in as "Administrator".
>
>
>
>
>
> Juan T. Llibre
> ASP.NET MVP
> http://asp.net.do/foros/
> Foros de ASP.NET en Español
> Ven, y hablemos de ASP.NET...
> =============== =======
>
> "Kevin Spencer" <ke***@DIESPAMMERSDIEtakempis.com> wrote in message
> news:eH*************@tk2msftngp13.phx.gbl...
>> Hang on a minute guys. This is self-contradictory:
>>
>>>> It is too dangerous to run it as SYSTEM!
>>
>>> The *only* reason to change the account used for ASP.NET
>>> ( from SYSTEM to ASPNET, and now to Network Service ),
>>> was to be able to run ASP.NET in a less-dangerous security context.
>>
>> In other words, it is either too dangerous to run it in as the System
>> account, or it is USUALLY too dangerous to run it as the System account.
>> Which one is true?
>>
>> The reason I ask is that we run it as System, and have for years. Why?
>> Because it is our servers, and nobody else's. We are not a hosting
>> service. And I am in charge of the software that goes on it.
>>
>> Most executable applications run under the System account.
>>
>> --
>> HTH,
>>
>> Kevin Spencer
>> Microsoft MVP
>> .Net Developer
>> What You Seek Is What You Get.
>>
>> "Juan T. Llibre" <no***********@nowhere.com> wrote in message
>> news:ey*************@TK2MSFTNGP10.phx.gbl...
>>> re:
>>>>I can't emphasize this enough!
>>>
>>> Neither can I.
>>>
>>> The *only* reason to change the account used for ASP.NET
>>> ( from SYSTEM to ASPNET, and now to Network Service ),
>>> was to be able to run ASP.NET in a less-dangerous security context.
>>>
>>> It's amazing to see that this is being deliberately reverted.
>>>
>>> re:
>>>>Sorry for my abruptness. :-)
>>>
>>> I thought you restrained yourself admirably! :-)
>>>
>>> For developers to deliberately, or maybe unknowingly,
>>> expose themselves to security risks after a product's
>>> security configuration was changed to protect them,
>>> requires a good rap on the knuckles.
>>>
>>>
>>>
>>>
>>> Juan T. Llibre
>>> ASP.NET MVP
>>> http://asp.net.do/foros/
>>> Foros de ASP.NET en Español
>>> Ven, y hablemos de ASP.NET...
>>> =============== =======
>>>
>>> "Joseph MCAD" <Jo********@discussions.microsoft.com> wrote in message
>>> news:3C********************************@microsoft.com...
>>>>
>>>> April 5, 2005
>>>>
>>>> It is too dangerous to run it as SYSTEM! I am a Microsoft Certified
>>>> Application Developer and one of the topics I happen to be certified in
>>>> is Web Applications and Security. I am not familiar with ClrProfiler,
>>>> but I HEAVILY am in doubt that it requires the System. I think that the
>>>> old post was just doing a "quick fix". I am sure that if you were having
>>>> almost any problem on your computer, it would be fixed by using the
>>>> System account. For this reason, I doubt that the person was really
>>>> knowing what was required. I strongly encourage you to research further,
>>>> or disconnect the computer from the internet and from any intranet whose
>>>> computers connect to the internet. Then immediately switch back to
>>>> ASPNET as soon as you are done. I can't emphasize this enough! Sorry for
>>>> my abruptness. :-) Good luck!
>>>>
>>>>
>>>> Joseph MCAD
>>>>
>>>>
>>>>
>>>> "Zeng" wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I'm running ClrProfiler for the first time to profile my web app, and
>>>>> it keeps getting stuck at this msg box: "Waiting for Asp.net to start
>>>>> common language runtime - this is the time to load your test page."
>>>>> even after I launched my app and aspnet_wp.exe is running.
>>>>>
>>>>> Do you know what I need to do to fix it? I also found some old post, a
>>>>> person mentioned that I need to make sure I need to
>>>>> run my aspnet with system account instead. Do you know how to do this
>>>>> account switching?
>>>>>
>>>>> Thanks for your comment and advice.
>>>>>
>>>>>
>>>>>
>>>
>>>
>>
>>
>
>


Nov 19 '05 #10
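
An added example, not part of any post in this thread: a Python check of the `<processModel>` identity in machine.config, usable to confirm that a server was switched back from SYSTEM after a profiling session. The sample XML fragments are constructed, the function names are hypothetical, and treating a missing `userName` as `machine` is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed machine.config fragments for the demo (not from a real server).
SAMPLE_DEFAULT = """<configuration><system.web>
  <processModel enable="true" userName="machine" password="AutoGenerate" />
</system.web></configuration>"""

SAMPLE_SYSTEM = """<configuration><system.web>
  <processModel enable="true" userName="SYSTEM" password="AutoGenerate" />
</system.web></configuration>"""

SAMPLE_NO_ELEMENT = "<configuration><system.web /></configuration>"


def classify_identity(user_name):
    """Map a processModel userName value to a coarse risk label."""
    name = user_name.strip().lower()
    if name == "system":
        return "high"      # worker process runs as the local SYSTEM account
    if name == "machine":
        return "default"   # worker process runs as the local ASPNET account
    return "custom"        # a named account; review its privileges separately


def audit_process_model(config_xml):
    """Return the configured worker identity and its risk label."""
    root = ET.fromstring(config_xml)
    pm = next(root.iter("processModel"), None)
    if pm is None:
        # Assumption: with no element present the framework default applies.
        return {"userName": None, "risk": "default"}
    # Assumption: an omitted userName attribute means "machine".
    user = pm.get("userName", "machine")
    return {"userName": user, "risk": classify_identity(user)}


def needs_revert(config_xml):
    """True when the worker process is configured to run as SYSTEM."""
    return audit_process_model(config_xml)["risk"] == "high"


if __name__ == "__main__":
    for label, xml_text in [("default", SAMPLE_DEFAULT),
                            ("system", SAMPLE_SYSTEM),
                            ("missing", SAMPLE_NO_ELEMENT)]:
        print(label, audit_process_model(xml_text), needs_revert(xml_text))
```
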
