Hi, i'm always auditing ASPNET's account accesses on my webserver, a
WIN2K_SP4 + IIS5 + SQLServer2K_SP3 a machine.
Nearly all the applications work correctly, but i constantly find a
message in the event viewer under the protection log, that says:
---------------------------------------
Apertura oggetto:
Server oggetto: Security
Tipo oggetto: File
Nome oggetto: C:\WINNT\KOSW04 7BFJNQUY26
Nuovo ID dell'handle: -
ID dell'operazione : {0,346018}
ID del processo: 2160
Nome utente primario: ASPNET
Dominio primario: WEBSERVER
ID di accesso primario: (0x0,0x3F5DE)
Nome utente client: -
Dominio client: -
ID di accesso client: -
Accessi SYNCHRONIZE
ReadData (o ListDirectory)
Privilegi -
---------------------------------------
(I'm sorry for the Italian text, but i think you can easily understand
the message)
ASPNET is part of the Users group, and the Users group has the READ,
EXECUTION and LIST permissions on C:\WINNT directory.
What this could be?
I followed all the MS KB to grant the rights priviledges to the ASPNET
account, and no application have a problem at the moment.
Only one application seems to go crazy when the number of users grows
up (we are waiting for another 1GB ram, because we think it's a
resource related issue), but we think it's an application issue not
related to this problem. Or at least, i don't think this warning in the
event viewer is related to that problem.
Thnx i.a. for the answers,
Marco 7 1656
Marco,
C:\WINNT\KOSW04 7BFJNQUY26 appears to be some temporary
directory ?? Is it being created with explicit permissions that will
exclude Users or other grant that includes Dir List for AspNet ?
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"M. Simioni" <m.*******@gmai l.com> wrote in message
news:11******** *************@f 14g2000cwb.goog legroups.com... Hi, i'm always auditing ASPNET's account accesses on my webserver, a WIN2K_SP4 + IIS5 + SQLServer2K_SP3 a machine.
Nearly all the applications work correctly, but i constantly find a message in the event viewer under the protection log, that says:
--------------------------------------- Apertura oggetto: Server oggetto: Security Tipo oggetto: File Nome oggetto: C:\WINNT\KOSW04 7BFJNQUY26 Nuovo ID dell'handle: - ID dell'operazione : {0,346018} ID del processo: 2160 Nome utente primario: ASPNET Dominio primario: WEBSERVER ID di accesso primario: (0x0,0x3F5DE) Nome utente client: - Dominio client: - ID di accesso client: - Accessi SYNCHRONIZE ReadData (o ListDirectory)
Privilegi - ---------------------------------------
(I'm sorry for the Italian text, but i think you can easily understand the message)
ASPNET is part of the Users group, and the Users group has the READ, EXECUTION and LIST permissions on C:\WINNT directory.
What this could be?
I followed all the MS KB to grant the rights priviledges to the ASPNET account, and no application have a problem at the moment.
Only one application seems to go crazy when the number of users grows up (we are waiting for another 1GB ram, because we think it's a resource related issue), but we think it's an application issue not related to this problem. Or at least, i don't think this warning in the event viewer is related to that problem.
Thnx i.a. for the answers, Marco
i forgot to say, the name KOSW047BFJNQUY2 6 changes every time.
i still don't know who try to create that directory/file and when.
i didn't write the applications by myself, i only know that thy use Crystal
Reports, they're written in .NET 2002 and they use a component to draw
charts, dunno if it is that particular component that tryes to write the
directory/file. at least, the programmer said me that he doesn't explicitly
create it.
how can i see if it is being created with explicit permission or other grant
? i can't even find that directory.
thank you,
Marco
"Roger Abell" <mv*******@asu. edu> ha scritto nel messaggio
news:e2******** *****@tk2msftng p13.phx.gbl... Marco,
C:\WINNT\KOSW04 7BFJNQUY26 appears to be some temporary directory ?? Is it being created with explicit permissions that will exclude Users or other grant that includes Dir List for AspNet ?
This sounds a lot like an attempt to get at the Temporary ASP.NET Pages
cache directory. Are you running the ASP.NET worker process as a different
account that perhaps doesn't have access to the proper directories?
-- Sean M, who admittedly is not fond of changing the identity of the worker
process
"M. Simioni" <m.************ *****@TOCONTACT MEgmail.com> wrote in message
news:Od******** ******@TK2MSFTN GP10.phx.gbl... i forgot to say, the name KOSW047BFJNQUY2 6 changes every time.
i still don't know who try to create that directory/file and when. i didn't write the applications by myself, i only know that thy use
Crystal Reports, they're written in .NET 2002 and they use a component to draw charts, dunno if it is that particular component that tryes to write the directory/file. at least, the programmer said me that he doesn't
explicitly create it.
how can i see if it is being created with explicit permission or other
grant ? i can't even find that directory.
thank you, Marco "Roger Abell" <mv*******@asu. edu> ha scritto nel messaggio news:e2******** *****@tk2msftng p13.phx.gbl... Marco,
C:\WINNT\KOSW04 7BFJNQUY26 appears to be some temporary directory ?? Is it being created with explicit permissions that will exclude Users or other grant that includes Dir List for AspNet ?
The ASPNET account has R/W access to
"C:\WINNT\Micro soft.NET\Framew ork\v1.0.3705\T emporary ASP.NET Files" and
"C:\WINNT\Micro soft.NET\Framew ork\v1.1.4322\T emporary ASP.NET Files" ( no
FULL CONTROL, only Modify+Read+Wri te, it's ok? ).
The aspnet_wp process is running under the ASPNET account.
The aspnet_wp process i using 195MB of memory, with a peak of 312MB.
With a process viewer i can see it has abount 22 threads (nearly all of them
regarding mscorsvr.dll).
Marco.
"Sean M" <ta******@hotma il.com> ha scritto nel messaggio
news:Ol******** *****@TK2MSFTNG P09.phx.gbl... This sounds a lot like an attempt to get at the Temporary ASP.NET Pages cache directory. Are you running the ASP.NET worker process as a different account that perhaps doesn't have access to the proper directories?
-- Sean M, who admittedly is not fond of changing the identity of the worker process
"M. Simioni" <m.************ *****@TOCONTACT MEgmail.com> wrote in message news:Od******** ******@TK2MSFTN GP10.phx.gbl... i forgot to say, the name KOSW047BFJNQUY2 6 changes every time.
i still don't know who try to create that directory/file and when. i didn't write the applications by myself, i only know that thy use Crystal Reports, they're written in .NET 2002 and they use a component to draw charts, dunno if it is that particular component that tryes to write the directory/file. at least, the programmer said me that he doesn't explicitly create it.
how can i see if it is being created with explicit permission or other grant ? i can't even find that directory.
thank you, Marco "Roger Abell" <mv*******@asu. edu> ha scritto nel messaggio news:e2******** *****@tk2msftng p13.phx.gbl... > Marco, > > C:\WINNT\KOSW04 7BFJNQUY26 appears to be some temporary > directory ?? Is it being created with explicit permissions that will > exclude Users or other grant that includes Dir List for AspNet ? >
Well, they should not be able to write to c:\winnt at all !!
When you look at one of these in c:\winnt are the NTFS permissions
on it all inherited or are some or all explicit ? i.e. gray or white boxes?
That dir name makes it sound like this was upgrade to W2k from NT4,
which would leave c:\winnt permissioned loose.
I would be the villan and first notify my web authors that use
crystal that c:\winnt will be altered and there apps will fail
if they do not use the temp environment var to locate their
file usage correctly, and I would set an implementation date
and hold to it. When that date comes you will find out who
is responsible. The alternative, of trying to loosening c:\winnt
permissions, if it is not an explicitly set permissions issue, so
that inherited permissions are sufficient is not an attractive
way to go.
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"M. Simioni" <m.************ *****@TOCONTACT MEgmail.com> wrote in message
news:%2******** ********@TK2MSF TNGP12.phx.gbl. .. The ASPNET account has R/W access to "C:\WINNT\Micro soft.NET\Framew ork\v1.0.3705\T emporary ASP.NET Files" and "C:\WINNT\Micro soft.NET\Framew ork\v1.1.4322\T emporary ASP.NET Files" ( no FULL CONTROL, only Modify+Read+Wri te, it's ok? ).
The aspnet_wp process is running under the ASPNET account.
The aspnet_wp process i using 195MB of memory, with a peak of 312MB. With a process viewer i can see it has abount 22 threads (nearly all of
them regarding mscorsvr.dll).
Marco.
"Sean M" <ta******@hotma il.com> ha scritto nel messaggio news:Ol******** *****@TK2MSFTNG P09.phx.gbl... This sounds a lot like an attempt to get at the Temporary ASP.NET Pages cache directory. Are you running the ASP.NET worker process as a
different account that perhaps doesn't have access to the proper directories?
-- Sean M, who admittedly is not fond of changing the identity of the worker process
"M. Simioni" <m.************ *****@TOCONTACT MEgmail.com> wrote in message news:Od******** ******@TK2MSFTN GP10.phx.gbl... i forgot to say, the name KOSW047BFJNQUY2 6 changes every time.
i still don't know who try to create that directory/file and when. i didn't write the applications by myself, i only know that thy use Crystal Reports, they're written in .NET 2002 and they use a component to draw charts, dunno if it is that particular component that tryes to write
the directory/file. at least, the programmer said me that he doesn't explicitly create it.
how can i see if it is being created with explicit permission or other grant ? i can't even find that directory.
thank you, Marco "Roger Abell" <mv*******@asu. edu> ha scritto nel messaggio news:e2******** *****@tk2msftng p13.phx.gbl... > Marco, > > C:\WINNT\KOSW04 7BFJNQUY26 appears to be some temporary > directory ?? Is it being created with explicit permissions that will > exclude Users or other grant that includes Dir List for AspNet ? >
I can't see that items.
That directory (or files?) with the random name doesn't even seem to exists,
or at least i'm not able to see them, so i can't see the protection
settings.
The "Users" group has read only access to WINNT directory.
Why is the protection event talks about READ/SYNCRONIZE deny, if the Users
( and then the ASPNET account too) has read grants on the WINNT directory?
I don't think the programmers are creating a file in it, i talked with them
and nobody has written code to create a file/directory in C:\WINNT, or at
least we don't know if Crystal Report tryes to.
thanks for the help,
Marco
"Roger Abell" <mv*******@asu. edu> ha scritto nel messaggio
news:e2******** ******@TK2MSFTN GP12.phx.gbl... Well, they should not be able to write to c:\winnt at all !! When you look at one of these in c:\winnt are the NTFS permissions on it all inherited or are some or all explicit ? i.e. gray or white boxes?
That dir name makes it sound like this was upgrade to W2k from NT4, which would leave c:\winnt permissioned loose. I would be the villan and first notify my web authors that use crystal that c:\winnt will be altered and there apps will fail if they do not use the temp environment var to locate their file usage correctly, and I would set an implementation date and hold to it. When that date comes you will find out who is responsible. The alternative, of trying to loosening c:\winnt permissions, if it is not an explicitly set permissions issue, so that inherited permissions are sufficient is not an attractive way to go.
-- Roger Abell Microsoft MVP (Windows Security) MCSE (W2k3,W2k,Nt4) MCDBA "M. Simioni" <m.************ *****@TOCONTACT MEgmail.com> wrote in message news:%2******** ********@TK2MSF TNGP12.phx.gbl. .. The ASPNET account has R/W access to "C:\WINNT\Micro soft.NET\Framew ork\v1.0.3705\T emporary ASP.NET Files" and "C:\WINNT\Micro soft.NET\Framew ork\v1.1.4322\T emporary ASP.NET Files" ( no FULL CONTROL, only Modify+Read+Wri te, it's ok? ).
The aspnet_wp process is running under the ASPNET account.
The aspnet_wp process i using 195MB of memory, with a peak of 312MB. With a process viewer i can see it has abount 22 threads (nearly all of them regarding mscorsvr.dll).
Marco.
"Sean M" <ta******@hotma il.com> ha scritto nel messaggio news:Ol******** *****@TK2MSFTNG P09.phx.gbl... > This sounds a lot like an attempt to get at the Temporary ASP.NET Pages > cache directory. Are you running the ASP.NET worker process as a different > account that perhaps doesn't have access to the proper directories? > > -- Sean M, who admittedly is not fond of changing the identity of the > worker > process > > "M. Simioni" <m.************ *****@TOCONTACT MEgmail.com> wrote in > message > news:Od******** ******@TK2MSFTN GP10.phx.gbl... >> i forgot to say, the name KOSW047BFJNQUY2 6 changes every time. >> >> i still don't know who try to create that directory/file and when. >> i didn't write the applications by myself, i only know that thy use > Crystal >> Reports, they're written in .NET 2002 and they use a component to draw >> charts, dunno if it is that particular component that tryes to write the >> directory/file. at least, the programmer said me that he doesn't > explicitly >> create it. >> >> how can i see if it is being created with explicit permission or other > grant >> ? i can't even find that directory. >> >> thank you, >> Marco >> >> >> >> "Roger Abell" <mv*******@asu. edu> ha scritto nel messaggio >> news:e2******** *****@tk2msftng p13.phx.gbl... >> > Marco, >> > >> > C:\WINNT\KOSW04 7BFJNQUY26 appears to be some temporary >> > directory ?? Is it being created with explicit permissions that >> > will >> > exclude Users or other grant that includes Dir List for AspNet ? >> > >> > >
"M. Simioni" <m.************ *****@TOCONTACT MEgmail.com> wrote in message
news:Oh******** *****@TK2MSFTNG P14.phx.gbl... I can't see that items. That directory (or files?) with the random name doesn't even seem to
exists, or at least i'm not able to see them, so i can't see the protection settings.
It could be that the failure message is because of "file not found" ??
The "Users" group has read only access to WINNT directory.
Why is the protection event talks about READ/SYNCRONIZE deny, if the Users ( and then the ASPNET account too) has read grants on the WINNT directory?
That is why I first asked about explicit as compared to inherited grants.
Users Read allows just these. That it is a minimal request being made
and one within the inherited grants, makes it sound like something is
looking for a file in the wrong place (?)
I don't think the programmers are creating a file in it, i talked with
them and nobody has written code to create a file/directory in C:\WINNT, or at least we don't know if Crystal Report tryes to.
I can't help you there, but it is good you have that info from the devs. thanks for the help, Marco
"Roger Abell" <mv*******@asu. edu> ha scritto nel messaggio news:e2******** ******@TK2MSFTN GP12.phx.gbl... Well, they should not be able to write to c:\winnt at all !! When you look at one of these in c:\winnt are the NTFS permissions on it all inherited or are some or all explicit ? i.e. gray or white boxes?
That dir name makes it sound like this was upgrade to W2k from NT4, which would leave c:\winnt permissioned loose. I would be the villan and first notify my web authors that use crystal that c:\winnt will be altered and there apps will fail if they do not use the temp environment var to locate their file usage correctly, and I would set an implementation date and hold to it. When that date comes you will find out who is responsible. The alternative, of trying to loosening c:\winnt permissions, if it is not an explicitly set permissions issue, so that inherited permissions are sufficient is not an attractive way to go.
-- Roger Abell Microsoft MVP (Windows Security) MCSE (W2k3,W2k,Nt4) MCDBA "M. Simioni" <m.************ *****@TOCONTACT MEgmail.com> wrote in message news:%2******** ********@TK2MSF TNGP12.phx.gbl. .. The ASPNET account has R/W access to "C:\WINNT\Micro soft.NET\Framew ork\v1.0.3705\T emporary ASP.NET Files"
and "C:\WINNT\Micro soft.NET\Framew ork\v1.1.4322\T emporary ASP.NET Files"
( no FULL CONTROL, only Modify+Read+Wri te, it's ok? ).
The aspnet_wp process is running under the ASPNET account.
The aspnet_wp process i using 195MB of memory, with a peak of 312MB. With a process viewer i can see it has abount 22 threads (nearly all of them regarding mscorsvr.dll).
Marco.
"Sean M" <ta******@hotma il.com> ha scritto nel messaggio news:Ol******** *****@TK2MSFTNG P09.phx.gbl... > This sounds a lot like an attempt to get at the Temporary ASP.NET
Pages > cache directory. Are you running the ASP.NET worker process as a different > account that perhaps doesn't have access to the proper directories? > > -- Sean M, who admittedly is not fond of changing the identity of the > worker > process > > "M. Simioni" <m.************ *****@TOCONTACT MEgmail.com> wrote in > message > news:Od******** ******@TK2MSFTN GP10.phx.gbl... >> i forgot to say, the name KOSW047BFJNQUY2 6 changes every time. >> >> i still don't know who try to create that directory/file and when. >> i didn't write the applications by myself, i only know that thy use > Crystal >> Reports, they're written in .NET 2002 and they use a component to
draw >> charts, dunno if it is that particular component that tryes to write the >> directory/file. at least, the programmer said me that he doesn't > explicitly >> create it. >> >> how can i see if it is being created with explicit permission or
other > grant >> ? i can't even find that directory. >> >> thank you, >> Marco >> >> >> >> "Roger Abell" <mv*******@asu. edu> ha scritto nel messaggio >> news:e2******** *****@tk2msftng p13.phx.gbl... >> > Marco, >> > >> > C:\WINNT\KOSW04 7BFJNQUY26 appears to be some temporary >> > directory ?? Is it being created with explicit permissions that >> > will >> > exclude Users or other grant that includes Dir List for AspNet ? >> > >> > >
This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics |
by: jano |
last post by:
Hi,
I am trying to install a web application on an AD domain controller (security risk I know but it is our client's requirement) and i need to give the aspnet account certain permissions. However, the account is not listed in AD users and computers snap-in, though I can see IWAM and IUSR. Where is this account? I have installed the .net framework and re-registered it, but it still ain't there.
Any ideas???
Thanks
Jano
|
by: Zeng |
last post by:
Hi,
I'm running ClrProfiler for the first time to profile my web app, and it
keeps getting stuck at this msg box: "Waiting for Asp.net to start common
language runtime - this is the time to load your test page." even after I
launched my app and aspnet_wp.exe is running.
Do you know what I need to do to fix it? I also found some old post, a
person mentioned that I need to make sure I need to
run my aspnet with system account instead. ...
|
by: CESAR DE LA TORRE [MVP] |
last post by:
I am using WSE 3.0 with Visual Studio 2005, specifically I'm using Kerberos
authentication and passing Kerberos ticket from Presentation Tier (VSTO.2005
client) to Server Tier through our Web Services (based on WSE 3.0).
Having our WSE 3.0-WebService over Windows Server 2003, everything works
great, but, over Windows XP, I have a problem (which is documented in WSE
3.0 help) but its workaround does not work properly (at least with my...
|
by: musosdev |
last post by:
Hi guys
I've just noticed I don't have an ASPNET user account running on either my
Workstation or Server (both running .net2.0, workstation has vs2005 pro).
Simple question... should it be there with .net2, and if so how can I create
it!?
Cheers
|
by: Paul Aspinall |
last post by:
Hi
I am trying to print, server side, from my web application.
I'm getting problems, as my ASPNET account is a local account, and is not
trusted on the domain to print to printers (ie. does not belong to 'Users'
group)
What is the best way round this??
I've asked the security guys to specifically add the account with
| |
by: torus |
last post by:
Is the aspnet account called "aspnet" for all non-English versions of
Windows and IIS?
|
by: =?Utf-8?B?TWljaGFlbCBNaWxsZXI=?= |
last post by:
I created a walkthrough and couldn't connect to my sql server. I looked up
the problem and MSDN told me to create an ASPNET "User" in SQL Svr.
It worked, but is that right? Do I have to do that for web projects. How
does that user relate to the other users? I'm not seeing the logic. I
thought maybe a "Role" that I could assign all users to would make more
sense, but why have an ASPNET in SQL at all?
--
MichaelM
|
by: marktang |
last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However, people are often confused as to whether an ONU can Work As a Router. In this blog post, we’ll explore What is ONU, What Is Router, ONU & Router’s main usage, and What is the difference between ONU and Router. Let’s take a closer look !
Part I. Meaning of...
|
by: Hystou |
last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it.
First, let's disable language synchronization. With a Microsoft account, language settings sync across devices. To prevent any complications,...
|
by: Oralloy |
last post by:
Hello folks,
I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>".
The problem is that using the GNU compilers, it seems that the internal comparison operator "<=>" tries to promote arguments from unsigned to signed.
This is as boiled down as I can make it.
Here is my compilation command:
g++-12 -std=c++20 -Wnarrowing bit_field.cpp
Here is the code in...
|
by: jinu1996 |
last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that captivates audiences and drives business growth.
The Art of Business Website Design
Your website is...
| |
by: agi2029 |
last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing, and deployment—without human intervention. Imagine an AI that can take a project description, break it down, write the code, debug it, and then launch it, all on its own....
Now, this would greatly impact the work of software developers. The idea...
|
by: conductexam |
last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and then checking html paragraph one by one.
At the time of converting from word file to html my equations which are in the word document file was convert into image.
Globals.ThisAddIn.Application.ActiveDocument.Select();...
|
by: TSSRALBI |
last post by:
Hello
I'm a network technician in training and I need your help.
I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs.
The last exercise I practiced was to create a LAN-to-LAN VPN between two Pfsense firewalls, by using IPSEC protocols.
I succeeded, with both firewalls in the same network. But I'm wondering if it's possible to do the same thing, with 2 Pfsense firewalls...
|
by: adsilva |
last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
|
by: bsmnconsultancy |
last post by:
In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence can significantly impact your brand's success. BSMN Consultancy, a leader in Website Development in Toronto offers valuable insights into creating effective websites that not only look great but also perform exceptionally well. In this comprehensive...
| |