Bytes | Software Development & Data Engineering Community

Having ASPNET member of Administrators

Are there any security issues in having the ASPNET user account a member of
Administrators? Is it a good practice?
Nov 19 '05 #1
If you own the server, and you're not running anyone else's ASP.Net apps
with it, sure, it won't hurt.

--
HTH,

Kevin Spencer
Microsoft MVP
.Net Developer
Neither a follower nor a lender be.
Nov 19 '05 #2
Hello Kevin,

So much for the principle of least privilege...

Jeff: What problems are you encountering that you feel that this is necessary?

--
Matt Berther
http://www.mattberther.com
Nov 19 '05 #3
WJ
The ASPNET account is a default account, similar to the Anonymous account, that
IIS 5 uses when a particular web site is configured as "anonymous". The
default state is very "least privilege". With Admin membership, it is too
high and risky. I would take Admin privilege away from ASPNET.

John
Nov 19 '05 #4
> So much for the principle of least privilege...

The principle of least privilege. Where did you find that?

I believe in principles. In general, where security is the issue, the
principle is, use the security that you need. For example, my company owns
their own servers and doesn't host. We run ASP.Net under the System account.
Now, if you have a problem with that, you might want to rethink whether
almost all of your local machine applications should run under the System
account (they do).

Microsoft ships all of their software locked down to prevent support calls
and complaints from security issues. In other words, if you open it, you're
responsible for it. That doesn't mean that on every computer every security
setting should be locked down tight. Nothing would run. It means that
security should be configured with full knowledge of the issues involved.

If it were always a bad idea to run ASP.Net under the System account,
Microsoft wouldn't have bothered to make that option available. Making the
ASP.Net account a Network Admin has much the same effect. I agree, he's
painting with a broad brush, but the objective is to prevent spills, not to
paint with the smallest brush possible.

--
HTH,

Kevin Spencer
Microsoft MVP
.Net Developer
Neither a follower nor a lender be.
Nov 19 '05 #5
Here's the short story: I'm a consultant, and in my current contract I've
seen a server having ASPNET as an Administrator. I felt it was risky but did
not know exactly why. Investigation led me to learn that the reason for this is
that some exception handling mechanism has to write to the Event Log, and
the first time it does, it has to write a key in the registry, thus it has
to have admin rights (well, in fact I think the key should be created using an
installation program or by hand, not the first time the app crashes). So in
our development environment here we did not bother removing the ASPNET
account from Administrators. But in the final production environment I just
wanted to know what security issues could be involved in being set up this
way. So basically my question was: "In saying that having the ASPNET
account a member of Administrators might be risky, can someone define the word
'risky' in this context? What evil can happen?"
Nov 19 '05 #6
Hello Kevin,

> The principle of least privilege. Where did you find that?

http://c2.com/cgi/wiki?PrincipleOfLeastPrivilege

> If it were always a bad idea to run ASP.Net under the System account,
> Microsoft wouldn't have bothered to make that option available. Making
> the ASP.Net account a Network Admin has much the same effect. I agree,
> he's painting with a broad brush, but the objective is to prevent
> spills, not to paint with the smallest brush possible.

I agree, to a point. Typically people try to cover up the root problem by
throwing more permissions at it. I wrote a post about this early last year
(http://www.mattberther.com/2004/04/000463.html).

--
Matt Berther
http://www.mattberther.com

Nov 19 '05 #7
Hi Matt,

First, let me point out that the article referenced was written by 2
consultants, who run their own business. IOW, it is not authoritative.

That being said, I found the article to be pretty solid. Still, the term is
their own, not anything standard.

I copied this from the page you referenced:

"But keep in mind that POLA is a principle of security design, not a hard
and fast rule that must be adhered to at all times, no matter what the cost.
If you don't understand what that means then see ThreeLevelsOfAudience,
because POLA is for a level 2 audience."

IOW, to quote another brilliant programming philosopher:

"...he's painting with a broad brush, but the objective is to prevent
spills, not to paint with the smallest brush possible."

--
;-),

Kevin Spencer
Microsoft MVP
.Net Developer
Neither a follower nor a lender be.
Nov 19 '05 #8
Hello Jeff,

I would tend to agree with Kevin, but will also stand by my point of fixing
this problem by moving the logic of creating the EventLog to an installer
(as you are thinking). The root cause of this problem can be solved without
granting elevated privileges to the ASPNET account.

--
Matt Berther
http://www.mattberther.com
Nov 19 '05 #9
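Matt's suggestion above, and the root cause Jeff describes in post #6, in code, as an added example that is not part of the thread: an installer class registers the event source once, under an administrator, and the web application only ever writes to a source that already exists, so the ASPNET account never needs the registry write and can stay out of Administrators. The source name "MyWebApp" and the class names are assumptions.

```csharp
using System;
using System.ComponentModel;
using System.Configuration.Install;
using System.Diagnostics;
using System.Security;

// Installer side: runs once, as an administrator, via "installutil MyWebApp.dll"
// or an MSI custom action. This is the only place the event-source registry key
// under HKLM\SYSTEM\CurrentControlSet\Services\EventLog gets created.
[RunInstaller(true)]
public class MyWebAppInstaller : Installer
{
    public MyWebAppInstaller()
    {
        EventLogInstaller eventSource = new EventLogInstaller();
        eventSource.Log = "Application";  // write into the standard Application log
        eventSource.Source = "MyWebApp";  // assumed source name, registered at install time
        Installers.Add(eventSource);      // also removed cleanly on uninstall
    }
}

// Application side: runs under the unprivileged ASPNET account. Writing to an
// already registered source needs only the rights that account has by default.
public sealed class AppEventLog
{
    private const string Source = "MyWebApp";  // must match the installer

    private AppEventLog() { }

    // Returns true if the entry was written. Returns false when the source was
    // never registered (a deployment bug to fix in the installer, not by adding
    // the account to Administrators) or the account lacks rights. It never
    // tries to create the source itself, so no admin membership is required.
    public static bool TryWriteError(string message)
    {
        try
        {
            using (EventLog log = new EventLog("Application"))
            {
                log.Source = Source;
                log.WriteEntry(message, EventLogEntryType.Error);
            }
            return true;
        }
        catch (SecurityException)
        {
            // Source missing: WriteEntry would have to create it, which is the
            // registry write that originally pushed ASPNET into Administrators.
            return false;
        }
        catch (InvalidOperationException)
        {
            // Source could not be registered or opened; treat the same way.
            return false;
        }
    }
}
```

Because the installer, not the first crash, creates the source, a false return from TryWriteError is a signal that the deployment step was skipped rather than a reason to grant more privilege.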
Just to butt in...

Microsoft has been preaching the principle of least privilege for at least 3
years (that was the last time I visited Redmond and attended some of their
.NET classes), and probably for longer than that.

-- ipgrunt
Nov 19 '05 #10
> Microsoft has been preaching the principle of least privilege for at least 3
> years (that was the last time I visited Redmond and attended some of their
> .NET classes), and probably for longer than that.

Absolutely! And many other companies have been preaching it also, many
of them were talking about it over a decade ago. I heard about it from
Sun in the early 90's.

By the way, if you use a broad brush you're more likely to get paint
where it doesn't belong.

Eric
Nov 19 '05 #11
Good point, Eric. Thanks for your input.

-- ipgrunt

Nov 19 '05 #12