
Security Issues with ASP.Net

Hi All,

Need some advice on some of the security issues in my ASP.Net application.
There are certain tasks that I need to implement so need advice/guidance on
them as well as safeguards that I should implement. The application would
be typically running on Windows Server 2003 with IIS6 with .Net framework
1.1

1. My application saves its settings to the registry. I know that by
default the Aspnet user does not have rights to edit the registry. My
workaround is that I changed the user in processmodel from "machine" to
"SYSTEM" in the machine.config file. Also in case of 2003 Server, I have to
explicitly grant full rights to the aspnet user to the registry.

Somehow I feel that this solution is not a good one and has the potential
for making the web server unsafe. Any other solutions/workarounds for this
problem?

2. My application needs to read/write/create directories from the file
system on the webserver. I have to explicitly grant the aspnet user full
access to the directories in question. Any other elegant solution to this
issue?

Also, in Windows Server 2003, this does not work if the directory is located
inside the "Program Files" directory. Does not work even when the aspnet
user is added to the Administrators group. Why could this be happening?

Any suggestions/pointers would be appreciated.

Thanks in advance,
Sanjay
Nov 17 '05 #1
Most executable programs you run use the local System account to run.
ASP.Net is no different. There is no Security risk unless some hostile
person can somehow take control of your ASP.Net app. The aspnet user account
is more useful if you are, for example, a hosting service, and of course,
you don't want to grant blanket access to the entire machine to all of your
hosting clients.
--
HTH,

Kevin Spencer
Microsoft MVP
.Net Developer
http://www.takempis.com
Big things are made up of
lots of little things.

"Sanjay Poojari" <sa****@rheal.com> wrote in message
news:%2****************@TK2MSFTNGP11.phx.gbl...
Hi All,

Need some advice on some of the security issues in my ASP.Net application.
There are certain tasks that I need to implement so need advice/guidance on them as well as safeguards that I should implement. The application would
be typically running on Windows Server 2003 with IIS6 with .Net framework
1.1

1. My application saves its settings to the registry. I know that by
default the Aspnet user does not have rights to edit the registry. My
workaround is that I changed the user in processmodel from "machine" to
"SYSTEM" in the machine.config file. Also in case of 2003 Server, I have to explicitly grant full rights to the aspnet user to the registry.

Somehow I feel that this solution is not a good one and has the potential
for making the web server unsafe. Any other solutions/workarounds for this problem?

2. My application needs to read/write/create directories from the file
system on the webserver. I have to explicitly grant the aspnet user full
access to the directories in question. Any other elegant solution to this
issue?

Also, in Windows Server 2003, this does not work if the directory is located inside the "Program Files" directory. Does not work even when the aspnet
user is added to the Administrators group. Why could this be happening?

Any suggestions/pointers would be appreciated.

Thanks in advance,
Sanjay

Nov 17 '05 #2
Thanks Kevin!

Sanjay

"Kevin Spencer" <ke***@takempis.com> wrote in message
news:#c**************@TK2MSFTNGP11.phx.gbl...
Most executable programs you run use the local System account to run.
ASP.Net is no different. There is no Security risk unless some hostile

Nov 17 '05 #3
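
For the two items in the original question (settings in the registry, application directories on disk), an added example that is not part of the thread: granting the worker-process account write access to one registry key and one data directory only, with the process identity left at its default. The account name, key path and directory are assumptions chosen for illustration, and the script assumes a host with PowerShell available, run from an elevated prompt.

```powershell
# Added example (not from the thread): scoped ACL grants for the ASP.NET worker account.
# Assumed values; replace with the real account, key and directory.
$account = 'NT AUTHORITY\NETWORK SERVICE'   # assumed worker identity (or <MACHINE>\ASPNET)
$regPath = 'HKLM:\SOFTWARE\ExampleApp'      # hypothetical settings key
$dataDir = 'D:\ExampleAppData'              # hypothetical data directory, outside Program Files

# Create the targets if they do not exist yet.
if (-not (Test-Path $regPath)) { New-Item -Path $regPath -Force | Out-Null }
if (-not (Test-Path $dataDir)) { New-Item -Path $dataDir -ItemType Directory | Out-Null }

# Registry: allow reading, setting values and creating subkeys under this key only.
# ChangePermissions and TakeOwnership are deliberately not granted.
$regRights = [System.Security.AccessControl.RegistryRights]'ReadKey, SetValue, CreateSubKey'
$regRule = New-Object System.Security.AccessControl.RegistryAccessRule `
    -ArgumentList $account, $regRights, 'ContainerInherit', 'None', 'Allow'
$regAcl = Get-Acl -Path $regPath
$regAcl.AddAccessRule($regRule)
Set-Acl -Path $regPath -AclObject $regAcl

# File system: Modify (read/write/create/delete) rather than FullControl,
# inherited by subdirectories and files below the data directory.
$fsRule = New-Object System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList $account, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
$fsAcl = Get-Acl -Path $dataDir
$fsAcl.AddAccessRule($fsRule)
Set-Acl -Path $dataDir -AclObject $fsAcl

# Show the resulting entries for the account so the grant can be reviewed.
foreach ($path in $regPath, $dataDir) {
    (Get-Acl -Path $path).Access |
        Where-Object { $_.IdentityReference.Value -eq $account } |
        Select-Object @{ n = 'Path'; e = { $path } }, IdentityReference,
                      AccessControlType, IsInherited, *Rights
}
```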
