473,785 Members | 2,669 Online
Bytes | Software Development & Data Engineering Community
+ Post

Home Posts Topics Members FAQ

NTFS rights not honored

Running Windows 2003 Server
Framework 1.1

A site is configured to use integrated security (in IIS 6)
Windows autentication and user impersonation in web.config
<identity impersonate="tr ue" />
<authenticati on mode="Windows" />

I've got a ASPX page that lists folders and files from a predefined
location on the server. These folders and files have access rights set to
them by NTFS security. The problem is that everyone can see every file
and
folder, even though NTFS does not permit them.

How can I expose a file structure for browsing through ASP.NET and
still honouring NTFS file rights?

--
Pål Andreassen
cn************* @gevznarg.ab
(ROT13 to reply)
Nov 22 '05 #1
3 2073
"P$BiM(B Andreassen" <se*@signature. for.email> wrote in message
news:Xn******** *************** ***********@207 .46.248.16...
Running Windows 2003 Server
Framework 1.1

A site is configured to use integrated security (in IIS 6)
Windows autentication and user impersonation in web.config
<identity impersonate="tr ue" />
<authenticati on mode="Windows" />

I've got a ASPX page that lists folders and files from a predefined
location on the server. These folders and files have access rights set to
them by NTFS security. The problem is that everyone can see every file
and
folder, even though NTFS does not permit them.

How can I expose a file structure for browsing through ASP.NET and
still honouring NTFS file rights?
As I recall, NTFS makes no effort to hide files you have no access to from
you, it simply will not let you access them. You need go no further than
your own C(or whatever drive has windows anyway) drive to find that. In
c:\documents and settings\ you can see other users folders, and you can see
the c:\system volume information folder(assuming you have hidden files
showing).
It is an annoyance but a feature thats still missing in ntfs5 and win2k\xp.
There is a level of hope that it will be added in Longhorn. I assume that is
what you mean, or can they open files as well?

However, you could probably modify your aspx page to filter based on
permissions, you will simply need to get ahold of the user token and do file
security checks. I am surei ts possible but I don't know how. I will do some
research shortly and see what I can come up with.

If all users can open all files, then there is a deeper security problem at
hand, in which case I would recommend posting to the security newsgroups for
help. --
P$BiM(B Andreassen
cn************* @gevznarg.ab
(ROT13 to reply)

Nov 22 '05 #2
"Daniel O'Connell" <onyxkirx@--NOSPAM--comcast.net> wrote in
news:uR******** ******@TK2MSFTN GP12.phx.gbl:
However, you could probably modify your aspx page to filter based on
permissions, you will simply need to get ahold of the user token and
do file security checks. I am surei ts possible but I don't know how.
I will do some research shortly and see what I can come up with.

If all users can open all files, then there is a deeper security
problem at hand, in which case I would recommend posting to the
security newsgroups for help.


Yes, not only are files visible, but also readable to everyone. I've
checked with System.Security that the currect user is logged in. I assume
it would return ASPNET if the request process was running in that user
context.

--
Paal Andreassen
cn************* @gevznarg.ab
(ROT13 to reply)
Nov 22 '05 #3
Hrmm, then there is some strange situations here. Someone more versed in
secuirty is probably a more valuable asset. All I can say is are you sure
you have your folder permissions applied correctly?

"P$BiM(B Andreassen" <se*@signature. for.email> wrote in message
news:Xn******** *************** ***********@207 .46.248.16...
"Daniel O'Connell" <onyxkirx@--NOSPAM--comcast.net> wrote in
news:uR******** ******@TK2MSFTN GP12.phx.gbl:
However, you could probably modify your aspx page to filter based on
permissions, you will simply need to get ahold of the user token and
do file security checks. I am surei ts possible but I don't know how.
I will do some research shortly and see what I can come up with.

If all users can open all files, then there is a deeper security
problem at hand, in which case I would recommend posting to the
security newsgroups for help.


Yes, not only are files visible, but also readable to everyone. I've
checked with System.Security that the currect user is logged in. I assume
it would return ASPNET if the request process was running in that user
context.

--
Paal Andreassen
cn************* @gevznarg.ab
(ROT13 to reply)

Nov 22 '05 #4

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics
1
8034
PHP & NTFS Permissions
by: BingoHandJob | last post by:
Hello group! I'm having a problem and I hope some of you may be able to point me in the right direction. I inherited a web site using php, running on Windows 2000 & IIS. The site was developed by a consulting firm about a year before I came on board, the consultant has since gone out of business. Overall, I've never had a problem with the site and have been able to figure out nearly everything they configured on it.
PHP
1
3034
Changing NTFS Directory Security in .NET
by: Duncan Allen | last post by:
Hi, Using VB.NET I need to access a shared drive on a server using a specific account, check for a subdirectory, add it if it doesn't exist and then change the access security for the subdirectory to only allow specific accounts to access it - these will be different to the account used by the app. Thanks for your help.
.NET Framework
2
1805
Using NTFS security to protect files served via asp/iis
by: travelling_nerd | last post by:
Folks: I have some zip files I'd like to serve to authenticated users on my site, but would like to prevent unauthorized users from using an absolute path to get to these zip files. For example http://blah.com/file.zip should not be accessible directly without authenticating. However, my current authenticaion goes to an LDAP server and I'd rather not prompt users for another username and password.
ASP / Active Server Pages
3
1456
NTFS permissions
by: Kim Lots | last post by:
Hi folks Let say I have one virtual directory (IIS 5.x) pointing to a folder on my G: drive what would be the minimum NTFS permissions (w2k pro) for users & groups on this folder considering I'm running ASP 3.0 with an Access DB? Tia
ASP / Active Server Pages
3
453
NTFS rights not honored
by: Pål Andreassen | last post by:
Running Windows 2003 Server Framework 1.1 A site is configured to use integrated security (in IIS 6) Windows autentication and user impersonation in web.config <identity impersonate="true" /> <authentication mode="Windows" /> I've got a ASPX page that lists folders and files from a predefined location on the server. These folders and files have access rights set to
.NET Framework
2
3231
Can 98SE read files from NTFS Drives?
by: Jim Richards | last post by:
I have been told by a local PC club technician that 98SE cannot read NTFS drives in a network. Is this true? TIA, Jim.
Microsoft SQL Server
0
1111
Change NTFS Permissions
by: Shawn H. Mesiatowsky | last post by:
Is there any way of changing NTFS permissions (given that the user logged on has the rights) in C#? Thanks for your help Shawn H. Mesiatowsky
C# / C Sharp
1
2899
Replacing NTFS permissions on all child objects
by: Roshan | last post by:
Hi, In NTFS all folders/container objects have an option called 'Replace permission entries on all child objects with entries shown here that apply to child objects' As I understand this option replaces all explicitly configured and inherited ACEs on all child objects of the folder with the ACEs of that folder.
.NET Framework
4
14749
Setting NTFS permissions using 2.0 framework
by: DavidMGorman | last post by:
Apologies if this has been asked & answered (pls post a link if this is so) but I am tired of finding a close but not quite close enough solution. I am looking for a sample or explanation of how to use asp.net 2.0 to set NTFS folder/file permissions. Most of the solutions I have seen invoke a process that taps into WMI or some WSH script. I would like to avoid that if possible. If I can be even more restrictive I would like avoid a COM...
C# / C Sharp
6
3094
margin for <tr> and <td> are not honored
by: Summercool | last post by:
I just found that for a table, the margin for <trand <tdare not honored, but the padding is... is this a widely known fact? why make this an exception for margin, i wonder. margin not honored: http://www.0011.com/test_table/index-margin.html padding honored: http://www.0011.com/test_table
HTML / CSS
0
9480
Changing the language in Windows 10
by: Hystou | last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it. First, let's disable language synchronization. With a Microsoft account, language settings sync across devices. To prevent any complications,...
Windows Server
0
10324
Oralloy
Problem With Comparison Operator <=> in G++
by: Oralloy | last post by:
Hello folks, I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>". The problem is that using the GNU compilers, it seems that the internal comparison operator "<=>" tries to promote arguments from unsigned to signed. This is as boiled down as I can make it. Here is my compilation command: g++-12 -std=c++20 -Wnarrowing bit_field.cpp Here is the code in...
C / C++
1
10090
The easy way to turn off automatic updates for Windows 10/11
by: Hystou | last post by:
Overview: Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows Update option using the Control Panel or Settings app; it automatically checks for updates and installs any it finds, whether you like it or not. For most users, this new feature is actually very convenient. If you want to control the update process,...
Windows Server
0
9949
tracyyun
Discussion: How does Zigbee compare with other wireless protocols in smart home applications?
by: tracyyun | last post by:
Dear forum friends, With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each protocol has its own unique characteristics and advantages, but as a user who is planning to build a smart home system, I am a bit confused by the choice of these technologies. I'm particularly interested in Zigbee because I've heard it does some...
General
1
7499
isladogs
Access Europe - Using VBA to create a class based on a table - Wed 1 May
by: isladogs | last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM). In this session, we are pleased to welcome a new presenter, Adolph Dupré who will be discussing some powerful techniques for using class modules. He will explain when you may want to use classes instead of User Defined Types (UDT). For example, to manage the data in unbound forms. Adolph will...
Microsoft Access / VBA
0
6739
Couldn’t get equations in html when convert word .docx file to html file in C#.
by: conductexam | last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and then checking html paragraph one by one. At the time of converting from word file to html my equations which are in the word document file was convert into image. Globals.ThisAddIn.Application.ActiveDocument.Select();...
C# / C Sharp
0
5380
Trying to create a lan-to-lan vpn between two differents networks
by: TSSRALBI | last post by:
Hello I'm a network technician in training and I need your help. I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs. The last exercise I practiced was to create a LAN-to-LAN VPN between two Pfsense firewalls, by using IPSEC protocols. I succeeded, with both firewalls in the same network. But I'm wondering if it's possible to do the same thing, with 2 Pfsense firewalls...
Networking - Hardware / Configuration
0
5511
Windows Forms - .Net 8.0
by: adsilva | last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
Visual Basic .NET
1
4050
transfer the data from one system to another through ip address
by: 6302768590 | last post by:
Hai team i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated we have to send another system
C# / C Sharp

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.

BYTES.COM © 2024
About Bytes
Terms Of Use
Privacy Policy
Sitemap
Advertise on Bytes
How to Post and Respond on Bytes
How to Promote and Link on Bytes
How to increase your Ranking on Bytes
Become a Recognized Expert on Bytes
Feedback Welcomed! Contact Us