<PS*******@mail.nu> wrote in message
news:11*********************@l70g2000hse.googlegroups.com...
> Hi newsgroup.
> I ask, can a buggy ASP.net app grant root access to the server? Or are
> there built-in mechanisms that prevent this?
That depends entirely on what security context you are running the ASP.NET
application in.
By default, on Windows Server 2003, ASP.NET runs as Network Service, which
is a relatively low privilege account. If you change this to something else
(e.g. "LocalSystem") then obviously ASP.NET is now effectively running as
"root", and if an attacker can manipulate your application, they may be able
to get full privileges over your system.
> Let's say, I have a bug in my application, that under certain
> situations provokes a never ending loop, the application crashes, and
> the asp.net process will get recycled.. could this provoke an attack?
Well, it would cause, potentially, a denial of service attack (since a never
ending loop generally causes 100% CPU). But you can mitigate this by
configuring IIS to allow a web application pool only a certain % of CPU.
> Short question: Is ASP.net shielded enough from IIS, so that any
> failures in .net applications, don't affect the security of IIS?
This is a question that cannot be answered without more information. There
is no such thing as the perfectly secure application - only applications
that are more secure than others. It all depends on your configuration, and
what the application is doing.
Cheers
Ken
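
An added example, not part of the original post: a PowerShell check for the two settings discussed above (the application pool identity and its CPU limit) on IIS 6, the IIS version shipped with Windows Server 2003. It assumes the IIS 6 metabase properties AppPoolIdentityType, CPULimit and CPUAction; the function name and the sample pools are constructed for illustration.

```powershell
# Added example. Audits IIS 6 application pool settings for the two risks
# raised in the thread: a high-privilege identity and an unlimited CPU budget.
# On a live IIS 6 server the same properties can be read through the ADSI path
# IIS://localhost/W3SVC/AppPools; here constructed sample objects are used.

# AppPoolIdentityType values as defined by the IIS 6 metabase.
$IdentityNames = @{ 0 = 'LocalSystem'; 1 = 'LocalService'; 2 = 'NetworkService'; 3 = 'SpecificUser' }

function Test-AppPoolHardening {   # hypothetical helper name
    param([Parameter(Mandatory = $true)] $Pool)

    $findings = @()
    $identity = $IdentityNames[[int]$Pool.AppPoolIdentityType]
    if ($identity -eq 'LocalSystem') {
        $findings += 'runs as LocalSystem: a manipulated application gets full privileges'
    }

    # CPULimit is stored in 1/1000ths of a percent; 0 means no limit is set.
    $cpuPercent = [int]$Pool.CPULimit / 1000
    if ($cpuPercent -eq 0) {
        $findings += 'no CPU limit: a never-ending loop can take 100% CPU'
    }
    elseif ([int]$Pool.CPUAction -eq 0) {
        # CPUAction 0 only writes an event log entry; 1 shuts the pool down.
        $findings += "CPU limit of $($cpuPercent)% is logged but not enforced (CPUAction = 0)"
    }

    New-Object PSObject -Property @{
        Name            = $Pool.Name
        Identity        = $identity
        CpuLimitPercent = $cpuPercent
        Findings        = $findings
    }
}

# Constructed sample pools standing in for metabase entries.
$samplePools = @(
    (New-Object PSObject -Property @{ Name = 'DefaultAppPool'; AppPoolIdentityType = 2; CPULimit = 50000; CPUAction = 1 }),
    (New-Object PSObject -Property @{ Name = 'LegacyPool';     AppPoolIdentityType = 0; CPULimit = 0;     CPUAction = 0 })
)

foreach ($pool in $samplePools) {
    $result = Test-AppPoolHardening -Pool $pool
    if ($result.Findings.Count -eq 0) { Write-Output "$($result.Name): OK ($($result.Identity), CPU limit $($result.CpuLimitPercent)%)" }
    else { $result.Findings | ForEach-Object { Write-Output "$($result.Name): $_" } }
}
```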