Bytes IT Community

Having ASPNET member of Administrators

Are there any security issues having the ASPNET user account member of
Administrators ? Is it a good practice ?
Nov 19 '05 #1
11 Replies


If you own the server, and you're not running anyone else's ASP.Net apps
with it, sure, it won't hurt.

--
HTH,

Kevin Spencer
Microsoft MVP
.Net Developer
Neither a follower nor a lender be.

"Jeff Robichaud" <jf*********@gmail.com> wrote in message
news:Ok**************@TK2MSFTNGP12.phx.gbl...
Are there any security issues having the ASPNET user account member of
Administrators ? Is it a good practice ?

Nov 19 '05 #2

Hello Kevin,

So much for the principle of least privilege...

Jeff: What problems are you encountering that you feel that this is necessary?

--
Matt Berther
http://www.mattberther.com
If you own the server, and you're not running anyone else's ASP.Net
apps with it, sure, it won't hurt.

Kevin Spencer
Microsoft MVP
.Net Developer
Neither a follower nor a lender be.
"Jeff Robichaud" <jf*********@gmail.com> wrote in message
news:Ok**************@TK2MSFTNGP12.phx.gbl...
Are there any security issues having the ASPNET user account member
of Administrators ? Is it a good practice ?


Nov 19 '05 #3

WJ
"Jeff Robichaud" <jf*********@gmail.com> wrote in message
news:Ok**************@TK2MSFTNGP12.phx.gbl...
Are there any security issues having the ASPNET user account member of
Administrators ? Is it a good practice ?

ASPNet account is a default account, similar to Anonymous account, that
IIS-5 uses when a particular web site is configured as "anonymous". The
default state is very "least privilege". With Admin membership, it is too
high and risky. I would take Admin privilege away from ASPNET.

John
Nov 19 '05 #4

> So much for the principle of least privilege...

The principle of least privilege. Where did you find that?

I believe in principles. In general, where security is the issue, the
principle is, use the security that you need. For example, my company owns
their own servers and doesn't host. We run ASP.Net under the System account.
Now, if you have a problem with that, you might want to rethink whether
almost all of your local machine applications should run under the System
account (they do).

Microsoft ships all of their software locked down to prevent support calls
and complaints from security issues. In other words, if you open it, you're
responsible for it. That doesn't mean that on every computer every security
setting should be locked down tight. Nothing would run. It means that
security should be configured with full knowledge of the issues involved.

If it were always a bad idea to run ASP.Net under the System account,
Microsoft wouldn't have bothered to make that option available. Making the
ASP.Net account a Network Admin has much the same effect. I agree, he's
painting with a broad brush, but the objective is to prevent spills, not to
paint with the smallest brush possible.

--
HTH,

Kevin Spencer
Microsoft MVP
.Net Developer
Neither a follower nor a lender be.

"Matt Berther" <mb******@hotmail.com> wrote in message
news:79***********************@news.microsoft.com...
Hello Kevin,

So much for the principle of least privilege...

Jeff: What problems are you encountering that you feel that this is
necessary?

--
Matt Berther
http://www.mattberther.com
If you own the server, and you're not running anyone else's ASP.Net
apps with it, sure, it won't hurt.

Kevin Spencer
Microsoft MVP
.Net Developer
Neither a follower nor a lender be.
"Jeff Robichaud" <jf*********@gmail.com> wrote in message
news:Ok**************@TK2MSFTNGP12.phx.gbl...
Are there any security issues having the ASPNET user account member
of Administrators ? Is it a good practice ?


Nov 19 '05 #5

Here's the short story: I'm a consultant, and in my current contract I've
seen a server having ASPNET an Administrator. I felt it was risky but not
knowing exactly why. Investigation led me to learn that the reason for this is
that some exception handling mechanism has to write to the Event Log, and
the first time it does, it has to write a key in the registry, thus it has
to have admin rights (well in fact I think the key should be created using an
Installation program or by hand, not the first time the app crashes). So in
our development environment here we did not bother removing the ASPNET
account from Administrators. But in the final production environment I just
wanted to know what security issues could be involved in being set up this
way. So basically my question was : "In saying that having the ASPNET
account member of Administrators might be risky, can someone define the word
'risky' in this context ? What evil can happen ?"

"Kevin Spencer" <ke***@DIESPAMMERSDIEtakempis.com> wrote in message
news:Ox**************@TK2MSFTNGP15.phx.gbl...
So much for the principle of least privilege...


The principle of least privilege. Where did you find that?

I believe in principles. In general, where security is the issue, the
principle is, use the security that you need. For example, my company owns
their own servers and doesn't host. We run ASP.Net under the System
account. Now, if you have a problem with that, you might want to rethink
whether almost all of your local machine applications should run under
the System account (they do).

Microsoft ships all of their software locked down to prevent support calls
and complaints from security issues. In other words, if you open it,
you're responsible for it. That doesn't mean that on every computer every
security setting should be locked down tight. Nothing would run. It means
that security should be configured with full knowledge of the issues
involved.

If it were always a bad idea to run ASP.Net under the System account,
Microsoft wouldn't have bothered to make that option available. Making the
ASP.Net account a Network Admin has much the same effect. I agree, he's
painting with a broad brush, but the objective is to prevent spills, not
to paint with the smallest brush possible.

--
HTH,

Kevin Spencer
Microsoft MVP
.Net Developer
Neither a follower nor a lender be.

"Matt Berther" <mb******@hotmail.com> wrote in message
news:79***********************@news.microsoft.com...
Hello Kevin,

So much for the principle of least privilege...

Jeff: What problems are you encountering that you feel that this is
necessary?

--
Matt Berther
http://www.mattberther.com
If you own the server, and you're not running anyone else's ASP.Net
apps with it, sure, it won't hurt.

Kevin Spencer
Microsoft MVP
.Net Developer
Neither a follower nor a lender be.
"Jeff Robichaud" <jf*********@gmail.com> wrote in message
news:Ok**************@TK2MSFTNGP12.phx.gbl...

Are there any security issues having the ASPNET user account member
of Administrators ? Is it a good practice ?



Nov 19 '05 #6

Hello Kevin,
The principle of least privilege. Where did you find that?
http://c2.com/cgi/wiki?PrincipleOfLeastPrivilege
If it were always a bad idea to run ASP.Net under the System account,
Microsoft wouldn't have bothered to make that option available. Making
the ASP.Net account a Network Admin has much the same effect. I agree,
he's painting with a broad brush, but the objective is to prevent
spills, not to paint with the smallest brush possible.


I agree, to a point. Typically people try to cover up the root problem by
throwing more permissions at it. I wrote a post about this early last year
(http://www.mattberther.com/2004/04/000463.html).

--
Matt Berther
http://www.mattberther.com

Nov 19 '05 #7

Hi Matt,

First, let me point out that the article referenced was written by 2
consultants, who run their own business. IOW, it is not authoritative.

That being said, I found the article to be pretty solid. Still, the term is
their own, not anything standard.

I copied this from the page you referenced:

"But keep in mind that POLA is a principle of security design, not a hard
and fast rule that must be adhered to at all times, no matter what the cost.
If you don't understand what that means then see ThreeLevelsOfAudience,
because POLA is for a level 2 audience."

IOW, to quote another brilliant programming philosopher:

"...he's painting with a broad brush, but the objective is to prevent
spills, not to paint with the smallest brush possible."

--
;-),

Kevin Spencer
Microsoft MVP
.Net Developer
Neither a follower nor a lender be.

"Matt Berther" <mb******@hotmail.com> wrote in message
news:79***********************@news.microsoft.com...
Hello Kevin,
The principle of least privilege. Where did you find that?


http://c2.com/cgi/wiki?PrincipleOfLeastPrivilege
If it were always a bad idea to run ASP.Net under the System account,
Microsoft wouldn't have bothered to make that option available. Making
the ASP.Net account a Network Admin has much the same effect. I agree,
he's painting with a broad brush, but the objective is to prevent
spills, not to paint with the smallest brush possible.


I agree, to a point. Typically people try to cover up the root problem by
throwing more permissions at it. I wrote a post about this early last year
(http://www.mattberther.com/2004/04/000463.html).

--
Matt Berther
http://www.mattberther.com

Nov 19 '05 #8

Hello Jeff,

I would tend to agree with Kevin, but will also stand by my point of fixing
this problem by moving the logic of creating the EventLog to an installer
(as you are thinking). The root cause of this problem can be solved without
granting elevated privileges to the ASPNET account.

--
Matt Berther
http://www.mattberther.com
Here's the short story: I'm a consultant, and in my current contract
I've seen a server having ASPNET an Administrator. I felt it was risky
but not knowing exactly why. Investigation led me to learn that the
reason for this is that some exception handling mechanism has to write
to the Event Log, and the first time it does, it has to write a key in
the registry, thus it has to have admin rights (well in fact I think
the key should be created using an Installation program or by hand, not
the first time the app crashes). So in our development environment
here we did not bother removing the ASPNET account from
Administrators. But in the final production environment I just wanted
to know what security issues could be involved in being set up this
way. So basically my question was : "In saying that having the ASPNET
account member of Administrators might be risky, can someone define
the word 'risky' in this context ? What evil can happen ?"

"Kevin Spencer" <ke***@DIESPAMMERSDIEtakempis.com> wrote in message
news:Ox**************@TK2MSFTNGP15.phx.gbl...
So much for the principle of least privilege...

The principle of least privilege. Where did you find that?

I believe in principles. In general, where security is the issue, the
principle is, use the security that you need. For example, my company
owns their own servers and doesn't host. We run ASP.Net under the
System account. Now, if you have a problem with that, you might want
to rethink whether almost all of your local machine applications
should run under the System account (they do).

Microsoft ships all of their software locked down to prevent support
calls and complaints from security issues. In other words, if you
open it, you're responsible for it. That doesn't mean that on every
computer every security setting should be locked down tight. Nothing
would run. It means that security should be configured with full
knowledge of the issues involved.

If it were always a bad idea to run ASP.Net under the System account,
Microsoft wouldn't have bothered to make that option available.
Making the ASP.Net account a Network Admin has much the same effect.
I agree, he's painting with a broad brush, but the objective is to
prevent spills, not to paint with the smallest brush possible.

-- HTH,

Kevin Spencer
Microsoft MVP
.Net Developer
Neither a follower nor a lender be.
"Matt Berther" <mb******@hotmail.com> wrote in message
news:79***********************@news.microsoft.com...
Hello Kevin,

So much for the principle of least privilege...

Jeff: What problems are you encountering that you feel that this is
necessary?

--
Matt Berther
http://www.mattberther.com
If you own the server, and you're not running anyone else's ASP.Net
apps with it, sure, it won't hurt.

Kevin Spencer
Microsoft MVP
.Net Developer
Neither a follower nor a lender be.
"Jeff Robichaud" <jf*********@gmail.com> wrote in message
news:Ok**************@TK2MSFTNGP12.phx.gbl...
> Are there any security issues having the ASPNET user account
> member of Administrators ? Is it a good practice ?
>


Nov 19 '05 #9
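The fix Jeff and Matt are converging on, registering the event source once at install time so the worker account never needs to write under HKLM, as an added example (not code from any poster in this thread). The source name "MyWebApp" and the fallback file path are assumptions.

```csharp
using System;
using System.Diagnostics;
using System.IO;
using System.Security;
// Added example, not code from the thread; source name and fallback path
// are assumptions. Installer step: run once, elevated, at deployment time.
// CreateEventSource writes under HKLM\SYSTEM\CurrentControlSet\Services\EventLog,
// the registry write that otherwise forces the worker account to be an admin.
public static class EventSourceInstaller
{
    public const string SourceName = "MyWebApp";
    public const string LogName = "Application";
    // Returns true if the source was created now, false if it already existed.
    public static bool EnsureSource()
    {
        if (EventLog.SourceExists(SourceName))
            return false;
        EventLog.CreateEventSource(SourceName, LogName);
        return true;
    }
}

// Runtime logger for the web application. It never creates the source, so
// the worker account stays a non-administrator; if the installer step was
// skipped it falls back to a file the worker account may write instead of
// failing at the moment an exception is being reported.
public static class AppEventLog
{
    private const string FallbackPath = @"C:\Logs\MyWebApp-fallback.log";
    public static bool TryWriteError(string message)
    {
        try
        {
            // SourceExists scans every log's registry key and can itself throw
            // SecurityException for a low-privilege caller, hence the try.
            if (EventLog.SourceExists(EventSourceInstaller.SourceName))
            {
                EventLog.WriteEntry(EventSourceInstaller.SourceName, message, EventLogEntryType.Error);
                return true;
            }
        }
        catch (SecurityException) { }
        catch (InvalidOperationException) { }
        File.AppendAllText(FallbackPath,
            DateTime.UtcNow.ToString("o") + " " + message + Environment.NewLine);
        return false;
    }
}
```

EventSourceInstaller.EnsureSource is meant to be called from a setup action that already runs elevated; the web application itself references only AppEventLog.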

"Kevin Spencer" <ke***@DIESPAMMERSDIEtakempis.com> confessed in news:
#Z**************@tk2msftngp13.phx.gbl:
Hi Matt,

First, let me point out that the article referenced was written by 2
consultants, who run their own business. IOW, it is not authoritative.

That being said, I found the article to be pretty solid. Still, the term is
their own, not anything standard.

I copied this from the page you referenced:

"But keep in mind that POLA is a principle of security design, not a hard
and fast rule that must be adhered to at all times, no matter what the cost.
If you don't understand what that means then see ThreeLevelsOfAudience,
because POLA is for a level 2 audience."

IOW, to quote another brilliant programming philosopher:

"...he's painting with a broad brush, but the objective is to prevent
spills, not to paint with the smallest brush possible."


Just to butt in...

Microsoft has been preaching the principle of least privilege for at least 3
years (that was the last time I visited Redmond and attended some of their
.NET classes), and probably for longer than that.

-- ipgrunt
Nov 19 '05 #10

> Microsoft has been preaching the principle of least privilege for at least 3
years (that was the last time I visited Redmond and attended some of their
.NET classes), and probably for longer than that.


Absolutely! And many other companies have been preaching it also, many
of them were talking about it over a decade ago. I heard about it from
Sun in the early 90's.

By the way, if you use a broad brush you're more likely to get paint
where it doesn't belong.

Eric
Nov 19 '05 #11

Eric <Er**@nospam.com> confessed in news:uZDgIANCFHA.3416
@TK2MSFTNGP09.phx.gbl:
Microsoft has been preaching the principle of least privilege for at least 3
years (that was the last time I visited Redmond and attended some of their
.NET classes), and probably for longer than that.


Absolutely! And many other companies have been preaching it also, many
of them were talking about it over a decade ago. I heard about it from
Sun in the early 90's.

By the way, if you use a broad brush you're more likely to get paint
where it doesn't belong.

Eric


Good point, Eric. Thanks for your input.

-- ipgrunt

Nov 19 '05 #12
