473,834 Members | 1,801 Online
Bytes | Software Development & Data Engineering Community
+ Post

Home Posts Topics Members FAQ

ASPNET Account autiding alert

Hi, i'm always auditing ASPNET's account accesses on my webserver, a
WIN2K_SP4 + IIS5 + SQLServer2K_SP3 a machine.

Nearly all the applications work correctly, but i constantly find a
message in the event viewer under the protection log, that says:

---------------------------------------
Apertura oggetto:
Server oggetto: Security
Tipo oggetto: File
Nome oggetto: C:\WINNT\KOSW04 7BFJNQUY26
Nuovo ID dell'handle: -
ID dell'operazione : {0,346018}
ID del processo: 2160
Nome utente primario: ASPNET
Dominio primario: WEBSERVER
ID di accesso primario: (0x0,0x3F5DE)
Nome utente client: -
Dominio client: -
ID di accesso client: -
Accessi SYNCHRONIZE
ReadData (o ListDirectory)

Privilegi -
---------------------------------------

(I'm sorry for the Italian text, but i think you can easily understand
the message)

ASPNET is part of the Users group, and the Users group has the READ,
EXECUTION and LIST permissions on C:\WINNT directory.

What this could be?

I followed all the MS KB to grant the rights priviledges to the ASPNET
account, and no application have a problem at the moment.

Only one application seems to go crazy when the number of users grows
up (we are waiting for another 1GB ram, because we think it's a
resource related issue), but we think it's an application issue not
related to this problem. Or at least, i don't think this warning in the
event viewer is related to that problem.

Thnx i.a. for the answers,
Marco

Nov 19 '05 #1
7 1673
Marco,

C:\WINNT\KOSW04 7BFJNQUY26 appears to be some temporary
directory ?? Is it being created with explicit permissions that will
exclude Users or other grant that includes Dir List for AspNet ?

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"M. Simioni" <m.*******@gmai l.com> wrote in message
news:11******** *************@f 14g2000cwb.goog legroups.com...
Hi, i'm always auditing ASPNET's account accesses on my webserver, a
WIN2K_SP4 + IIS5 + SQLServer2K_SP3 a machine.

Nearly all the applications work correctly, but i constantly find a
message in the event viewer under the protection log, that says:

---------------------------------------
Apertura oggetto:
Server oggetto: Security
Tipo oggetto: File
Nome oggetto: C:\WINNT\KOSW04 7BFJNQUY26
Nuovo ID dell'handle: -
ID dell'operazione : {0,346018}
ID del processo: 2160
Nome utente primario: ASPNET
Dominio primario: WEBSERVER
ID di accesso primario: (0x0,0x3F5DE)
Nome utente client: -
Dominio client: -
ID di accesso client: -
Accessi SYNCHRONIZE
ReadData (o ListDirectory)

Privilegi -
---------------------------------------

(I'm sorry for the Italian text, but i think you can easily understand
the message)

ASPNET is part of the Users group, and the Users group has the READ,
EXECUTION and LIST permissions on C:\WINNT directory.

What this could be?

I followed all the MS KB to grant the rights priviledges to the ASPNET
account, and no application have a problem at the moment.

Only one application seems to go crazy when the number of users grows
up (we are waiting for another 1GB ram, because we think it's a
resource related issue), but we think it's an application issue not
related to this problem. Or at least, i don't think this warning in the
event viewer is related to that problem.

Thnx i.a. for the answers,
Marco

Nov 19 '05 #2
i forgot to say, the name KOSW047BFJNQUY2 6 changes every time.

i still don't know who try to create that directory/file and when.
i didn't write the applications by myself, i only know that thy use Crystal
Reports, they're written in .NET 2002 and they use a component to draw
charts, dunno if it is that particular component that tryes to write the
directory/file. at least, the programmer said me that he doesn't explicitly
create it.

how can i see if it is being created with explicit permission or other grant
? i can't even find that directory.

thank you,
Marco

"Roger Abell" <mv*******@asu. edu> ha scritto nel messaggio
news:e2******** *****@tk2msftng p13.phx.gbl...
Marco,

C:\WINNT\KOSW04 7BFJNQUY26 appears to be some temporary
directory ?? Is it being created with explicit permissions that will
exclude Users or other grant that includes Dir List for AspNet ?


Nov 19 '05 #3
This sounds a lot like an attempt to get at the Temporary ASP.NET Pages
cache directory. Are you running the ASP.NET worker process as a different
account that perhaps doesn't have access to the proper directories?

-- Sean M, who admittedly is not fond of changing the identity of the worker
process

"M. Simioni" <m.************ *****@TOCONTACT MEgmail.com> wrote in message
news:Od******** ******@TK2MSFTN GP10.phx.gbl...
i forgot to say, the name KOSW047BFJNQUY2 6 changes every time.

i still don't know who try to create that directory/file and when.
i didn't write the applications by myself, i only know that thy use Crystal Reports, they're written in .NET 2002 and they use a component to draw
charts, dunno if it is that particular component that tryes to write the
directory/file. at least, the programmer said me that he doesn't explicitly create it.

how can i see if it is being created with explicit permission or other grant ? i can't even find that directory.

thank you,
Marco

"Roger Abell" <mv*******@asu. edu> ha scritto nel messaggio
news:e2******** *****@tk2msftng p13.phx.gbl...
Marco,

C:\WINNT\KOSW04 7BFJNQUY26 appears to be some temporary
directory ?? Is it being created with explicit permissions that will
exclude Users or other grant that includes Dir List for AspNet ?

Nov 19 '05 #4
The ASPNET account has R/W access to
"C:\WINNT\Micro soft.NET\Framew ork\v1.0.3705\T emporary ASP.NET Files" and
"C:\WINNT\Micro soft.NET\Framew ork\v1.1.4322\T emporary ASP.NET Files" ( no
FULL CONTROL, only Modify+Read+Wri te, it's ok? ).

The aspnet_wp process is running under the ASPNET account.

The aspnet_wp process i using 195MB of memory, with a peak of 312MB.
With a process viewer i can see it has abount 22 threads (nearly all of them
regarding mscorsvr.dll).

Marco.

"Sean M" <ta******@hotma il.com> ha scritto nel messaggio
news:Ol******** *****@TK2MSFTNG P09.phx.gbl...
This sounds a lot like an attempt to get at the Temporary ASP.NET Pages
cache directory. Are you running the ASP.NET worker process as a different
account that perhaps doesn't have access to the proper directories?

-- Sean M, who admittedly is not fond of changing the identity of the
worker
process

"M. Simioni" <m.************ *****@TOCONTACT MEgmail.com> wrote in message
news:Od******** ******@TK2MSFTN GP10.phx.gbl...
i forgot to say, the name KOSW047BFJNQUY2 6 changes every time.

i still don't know who try to create that directory/file and when.
i didn't write the applications by myself, i only know that thy use

Crystal
Reports, they're written in .NET 2002 and they use a component to draw
charts, dunno if it is that particular component that tryes to write the
directory/file. at least, the programmer said me that he doesn't

explicitly
create it.

how can i see if it is being created with explicit permission or other

grant
? i can't even find that directory.

thank you,
Marco

"Roger Abell" <mv*******@asu. edu> ha scritto nel messaggio
news:e2******** *****@tk2msftng p13.phx.gbl...
> Marco,
>
> C:\WINNT\KOSW04 7BFJNQUY26 appears to be some temporary
> directory ?? Is it being created with explicit permissions that will
> exclude Users or other grant that includes Dir List for AspNet ?
>


Nov 19 '05 #5
Well, they should not be able to write to c:\winnt at all !!
When you look at one of these in c:\winnt are the NTFS permissions
on it all inherited or are some or all explicit ? i.e. gray or white boxes?

That dir name makes it sound like this was upgrade to W2k from NT4,
which would leave c:\winnt permissioned loose.
I would be the villan and first notify my web authors that use
crystal that c:\winnt will be altered and there apps will fail
if they do not use the temp environment var to locate their
file usage correctly, and I would set an implementation date
and hold to it. When that date comes you will find out who
is responsible. The alternative, of trying to loosening c:\winnt
permissions, if it is not an explicitly set permissions issue, so
that inherited permissions are sufficient is not an attractive
way to go.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"M. Simioni" <m.************ *****@TOCONTACT MEgmail.com> wrote in message
news:%2******** ********@TK2MSF TNGP12.phx.gbl. ..
The ASPNET account has R/W access to
"C:\WINNT\Micro soft.NET\Framew ork\v1.0.3705\T emporary ASP.NET Files" and
"C:\WINNT\Micro soft.NET\Framew ork\v1.1.4322\T emporary ASP.NET Files" ( no
FULL CONTROL, only Modify+Read+Wri te, it's ok? ).

The aspnet_wp process is running under the ASPNET account.

The aspnet_wp process i using 195MB of memory, with a peak of 312MB.
With a process viewer i can see it has abount 22 threads (nearly all of them regarding mscorsvr.dll).

Marco.

"Sean M" <ta******@hotma il.com> ha scritto nel messaggio
news:Ol******** *****@TK2MSFTNG P09.phx.gbl...
This sounds a lot like an attempt to get at the Temporary ASP.NET Pages
cache directory. Are you running the ASP.NET worker process as a different account that perhaps doesn't have access to the proper directories?

-- Sean M, who admittedly is not fond of changing the identity of the
worker
process

"M. Simioni" <m.************ *****@TOCONTACT MEgmail.com> wrote in message
news:Od******** ******@TK2MSFTN GP10.phx.gbl...
i forgot to say, the name KOSW047BFJNQUY2 6 changes every time.

i still don't know who try to create that directory/file and when.
i didn't write the applications by myself, i only know that thy use

Crystal
Reports, they're written in .NET 2002 and they use a component to draw
charts, dunno if it is that particular component that tryes to write the directory/file. at least, the programmer said me that he doesn't

explicitly
create it.

how can i see if it is being created with explicit permission or other

grant
? i can't even find that directory.

thank you,
Marco

"Roger Abell" <mv*******@asu. edu> ha scritto nel messaggio
news:e2******** *****@tk2msftng p13.phx.gbl...
> Marco,
>
> C:\WINNT\KOSW04 7BFJNQUY26 appears to be some temporary
> directory ?? Is it being created with explicit permissions that will
> exclude Users or other grant that includes Dir List for AspNet ?
>



Nov 19 '05 #6
I can't see that items.
That directory (or files?) with the random name doesn't even seem to exists,
or at least i'm not able to see them, so i can't see the protection
settings.

The "Users" group has read only access to WINNT directory.

Why is the protection event talks about READ/SYNCRONIZE deny, if the Users
( and then the ASPNET account too) has read grants on the WINNT directory?

I don't think the programmers are creating a file in it, i talked with them
and nobody has written code to create a file/directory in C:\WINNT, or at
least we don't know if Crystal Report tryes to.

thanks for the help,
Marco
"Roger Abell" <mv*******@asu. edu> ha scritto nel messaggio
news:e2******** ******@TK2MSFTN GP12.phx.gbl...
Well, they should not be able to write to c:\winnt at all !!
When you look at one of these in c:\winnt are the NTFS permissions
on it all inherited or are some or all explicit ? i.e. gray or white
boxes?

That dir name makes it sound like this was upgrade to W2k from NT4,
which would leave c:\winnt permissioned loose.
I would be the villan and first notify my web authors that use
crystal that c:\winnt will be altered and there apps will fail
if they do not use the temp environment var to locate their
file usage correctly, and I would set an implementation date
and hold to it. When that date comes you will find out who
is responsible. The alternative, of trying to loosening c:\winnt
permissions, if it is not an explicitly set permissions issue, so
that inherited permissions are sufficient is not an attractive
way to go.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"M. Simioni" <m.************ *****@TOCONTACT MEgmail.com> wrote in message
news:%2******** ********@TK2MSF TNGP12.phx.gbl. ..
The ASPNET account has R/W access to
"C:\WINNT\Micro soft.NET\Framew ork\v1.0.3705\T emporary ASP.NET Files" and
"C:\WINNT\Micro soft.NET\Framew ork\v1.1.4322\T emporary ASP.NET Files" ( no
FULL CONTROL, only Modify+Read+Wri te, it's ok? ).

The aspnet_wp process is running under the ASPNET account.

The aspnet_wp process i using 195MB of memory, with a peak of 312MB.
With a process viewer i can see it has abount 22 threads (nearly all of

them
regarding mscorsvr.dll).

Marco.

"Sean M" <ta******@hotma il.com> ha scritto nel messaggio
news:Ol******** *****@TK2MSFTNG P09.phx.gbl...
> This sounds a lot like an attempt to get at the Temporary ASP.NET Pages
> cache directory. Are you running the ASP.NET worker process as a different > account that perhaps doesn't have access to the proper directories?
>
> -- Sean M, who admittedly is not fond of changing the identity of the
> worker
> process
>
> "M. Simioni" <m.************ *****@TOCONTACT MEgmail.com> wrote in
> message
> news:Od******** ******@TK2MSFTN GP10.phx.gbl...
>> i forgot to say, the name KOSW047BFJNQUY2 6 changes every time.
>>
>> i still don't know who try to create that directory/file and when.
>> i didn't write the applications by myself, i only know that thy use
> Crystal
>> Reports, they're written in .NET 2002 and they use a component to draw
>> charts, dunno if it is that particular component that tryes to write the >> directory/file. at least, the programmer said me that he doesn't
> explicitly
>> create it.
>>
>> how can i see if it is being created with explicit permission or other
> grant
>> ? i can't even find that directory.
>>
>> thank you,
>> Marco
>>
>>
>>
>> "Roger Abell" <mv*******@asu. edu> ha scritto nel messaggio
>> news:e2******** *****@tk2msftng p13.phx.gbl...
>> > Marco,
>> >
>> > C:\WINNT\KOSW04 7BFJNQUY26 appears to be some temporary
>> > directory ?? Is it being created with explicit permissions that
>> > will
>> > exclude Users or other grant that includes Dir List for AspNet ?
>> >
>>
>
>



Nov 19 '05 #7
"M. Simioni" <m.************ *****@TOCONTACT MEgmail.com> wrote in message
news:Oh******** *****@TK2MSFTNG P14.phx.gbl...
I can't see that items.
That directory (or files?) with the random name doesn't even seem to exists, or at least i'm not able to see them, so i can't see the protection
settings.

It could be that the failure message is because of "file not found" ??
The "Users" group has read only access to WINNT directory.

Why is the protection event talks about READ/SYNCRONIZE deny, if the Users
( and then the ASPNET account too) has read grants on the WINNT directory?

That is why I first asked about explicit as compared to inherited grants.
Users Read allows just these. That it is a minimal request being made
and one within the inherited grants, makes it sound like something is
looking for a file in the wrong place (?)
I don't think the programmers are creating a file in it, i talked with them and nobody has written code to create a file/directory in C:\WINNT, or at
least we don't know if Crystal Report tryes to.
I can't help you there, but it is good you have that info from the devs.

thanks for the help,
Marco
"Roger Abell" <mv*******@asu. edu> ha scritto nel messaggio
news:e2******** ******@TK2MSFTN GP12.phx.gbl...
Well, they should not be able to write to c:\winnt at all !!
When you look at one of these in c:\winnt are the NTFS permissions
on it all inherited or are some or all explicit ? i.e. gray or white
boxes?

That dir name makes it sound like this was upgrade to W2k from NT4,
which would leave c:\winnt permissioned loose.
I would be the villan and first notify my web authors that use
crystal that c:\winnt will be altered and there apps will fail
if they do not use the temp environment var to locate their
file usage correctly, and I would set an implementation date
and hold to it. When that date comes you will find out who
is responsible. The alternative, of trying to loosening c:\winnt
permissions, if it is not an explicitly set permissions issue, so
that inherited permissions are sufficient is not an attractive
way to go.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"M. Simioni" <m.************ *****@TOCONTACT MEgmail.com> wrote in message
news:%2******** ********@TK2MSF TNGP12.phx.gbl. ..
The ASPNET account has R/W access to
"C:\WINNT\Micro soft.NET\Framew ork\v1.0.3705\T emporary ASP.NET Files" and "C:\WINNT\Micro soft.NET\Framew ork\v1.1.4322\T emporary ASP.NET Files" ( no FULL CONTROL, only Modify+Read+Wri te, it's ok? ).

The aspnet_wp process is running under the ASPNET account.

The aspnet_wp process i using 195MB of memory, with a peak of 312MB.
With a process viewer i can see it has abount 22 threads (nearly all of

them
regarding mscorsvr.dll).

Marco.

"Sean M" <ta******@hotma il.com> ha scritto nel messaggio
news:Ol******** *****@TK2MSFTNG P09.phx.gbl...
> This sounds a lot like an attempt to get at the Temporary ASP.NET Pages > cache directory. Are you running the ASP.NET worker process as a

different
> account that perhaps doesn't have access to the proper directories?
>
> -- Sean M, who admittedly is not fond of changing the identity of the
> worker
> process
>
> "M. Simioni" <m.************ *****@TOCONTACT MEgmail.com> wrote in
> message
> news:Od******** ******@TK2MSFTN GP10.phx.gbl...
>> i forgot to say, the name KOSW047BFJNQUY2 6 changes every time.
>>
>> i still don't know who try to create that directory/file and when.
>> i didn't write the applications by myself, i only know that thy use
> Crystal
>> Reports, they're written in .NET 2002 and they use a component to draw >> charts, dunno if it is that particular component that tryes to write

the
>> directory/file. at least, the programmer said me that he doesn't
> explicitly
>> create it.
>>
>> how can i see if it is being created with explicit permission or other > grant
>> ? i can't even find that directory.
>>
>> thank you,
>> Marco
>>
>>
>>
>> "Roger Abell" <mv*******@asu. edu> ha scritto nel messaggio
>> news:e2******** *****@tk2msftng p13.phx.gbl...
>> > Marco,
>> >
>> > C:\WINNT\KOSW04 7BFJNQUY26 appears to be some temporary
>> > directory ?? Is it being created with explicit permissions that
>> > will
>> > exclude Users or other grant that includes Dir List for AspNet ?
>> >
>>
>
>



Nov 19 '05 #8

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

2
411
by: jano | last post by:
Hi, I am trying to install a web application on an AD domain controller (security risk I know but it is our client's requirement) and i need to give the aspnet account certain permissions. However, the account is not listed in AD users and computers snap-in, though I can see IWAM and IUSR. Where is this account? I have installed the .net framework and re-registered it, but it still ain't there. Any ideas??? Thanks Jano
22
2296
by: Zeng | last post by:
Hi, I'm running ClrProfiler for the first time to profile my web app, and it keeps getting stuck at this msg box: "Waiting for Asp.net to start common language runtime - this is the time to load your test page." even after I launched my app and aspnet_wp.exe is running. Do you know what I need to do to fix it? I also found some old post, a person mentioned that I need to make sure I need to run my aspnet with system account instead. ...
0
2321
by: CESAR DE LA TORRE [MVP] | last post by:
I am using WSE 3.0 with Visual Studio 2005, specifically I'm using Kerberos authentication and passing Kerberos ticket from Presentation Tier (VSTO.2005 client) to Server Tier through our Web Services (based on WSE 3.0). Having our WSE 3.0-WebService over Windows Server 2003, everything works great, but, over Windows XP, I have a problem (which is documented in WSE 3.0 help) but its workaround does not work properly (at least with my...
3
13092
by: musosdev | last post by:
Hi guys I've just noticed I don't have an ASPNET user account running on either my Workstation or Server (both running .net2.0, workstation has vs2005 pro). Simple question... should it be there with .net2, and if so how can I create it!? Cheers
5
1794
by: Paul Aspinall | last post by:
Hi I am trying to print, server side, from my web application. I'm getting problems, as my ASPNET account is a local account, and is not trusted on the domain to print to printers (ie. does not belong to 'Users' group) What is the best way round this?? I've asked the security guys to specifically add the account with
7
1924
by: torus | last post by:
Is the aspnet account called "aspnet" for all non-English versions of Windows and IIS?
5
1630
by: =?Utf-8?B?TWljaGFlbCBNaWxsZXI=?= | last post by:
I created a walkthrough and couldn't connect to my sql server. I looked up the problem and MSDN told me to create an ASPNET "User" in SQL Svr. It worked, but is that right? Do I have to do that for web projects. How does that user relate to the other users? I'm not seeing the logic. I thought maybe a "Role" that I could assign all users to would make more sense, but why have an ASPNET in SQL at all? -- MichaelM
0
9799
marktang
by: marktang | last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However, people are often confused as to whether an ONU can Work As a Router. In this blog post, weíll explore What is ONU, What Is Router, ONU & Routerís main usage, and What is the difference between ONU and Router. Letís take a closer look ! Part I. Meaning of...
0
9649
by: Hystou | last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it. First, let's disable language synchronization. With a Microsoft account, language settings sync across devices. To prevent any complications,...
0
10799
Oralloy
by: Oralloy | last post by:
Hello folks, I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>". The problem is that using the GNU compilers, it seems that the internal comparison operator "<=>" tries to promote arguments from unsigned to signed. This is as boiled down as I can make it. Here is my compilation command: g++-12 -std=c++20 -Wnarrowing bit_field.cpp Here is the code in...
0
10515
jinu1996
by: jinu1996 | last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that captivates audiences and drives business growth. The Art of Business Website Design Your website is...
1
10554
by: Hystou | last post by:
Overview: Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows Update option using the Control Panel or Settings app; it automatically checks for updates and installs any it finds, whether you like it or not. For most users, this new feature is actually very convenient. If you want to control the update process,...
0
5629
by: TSSRALBI | last post by:
Hello I'm a network technician in training and I need your help. I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs. The last exercise I practiced was to create a LAN-to-LAN VPN between two Pfsense firewalls, by using IPSEC protocols. I succeeded, with both firewalls in the same network. But I'm wondering if it's possible to do the same thing, with 2 Pfsense firewalls...
1
4428
by: 6302768590 | last post by:
Hai team i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated we have to send another system
2
3985
muto222
by: muto222 | last post by:
How can i add a mobile payment intergratation into php mysql website.
3
3084
bsmnconsultancy
by: bsmnconsultancy | last post by:
In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence can significantly impact your brand's success. BSMN Consultancy, a leader in Website Development in Toronto offers valuable insights into creating effective websites that not only look great but also perform exceptionally well. In this comprehensive...

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.