NTFS rights not honored

Running Windows 2003 Server
Framework 1.1

A site is configured to use integrated security (in IIS 6)
Windows autentication and user impersonation in web.config
<identity impersonate="true" />
<authentication mode="Windows" />

I've got a ASPX page that lists folders and files from a predefined
location on the server. These folders and files have access rights set to
them by NTFS security. The problem is that everyone can see every file
and
folder, even though NTFS does not permit them.

How can I expose a file structure for browsing through ASP.NET and
still honouring NTFS file rights?
As I recall, NTFS makes no effort to hide files you have no access to from
you, it simply will not let you access them. You need go no further than
your own C(or whatever drive has windows anyway) drive to find that. In
c:\documents and settings\ you can see other users folders, and you can see
the c:\system volume information folder(assuming you have hidden files
showing).
It is an annoyance but a feature thats still missing in ntfs5 and win2k\xp.
There is a level of hope that it will be added in Longhorn. I assume that is
what you mean, or can they open files as well?

However, you could probably modify your aspx page to filter based on
permissions, you will simply need to get ahold of the user token and do file
security checks. I am surei ts possible but I don't know how. I will do some
research shortly and see what I can come up with.

If all users can open all files, then there is a deeper security problem at
hand, in which case I would recommend posting to the security newsgroups for
help. --
P$BiM(B Andreassen
cn*************@gevznarg.ab
(ROT13 to reply)

However, you could probably modify your aspx page to filter based on
permissions, you will simply need to get ahold of the user token and
do file security checks. I am surei ts possible but I don't know how.
I will do some research shortly and see what I can come up with.

If all users can open all files, then there is a deeper security
problem at hand, in which case I would recommend posting to the
security newsgroups for help.

"Daniel O'Connell" <onyxkirx@--NOSPAM--comcast.net> wrote in
news:uR**************@TK2MSFTNGP12.phx.gbl:

However, you could probably modify your aspx page to filter based on
permissions, you will simply need to get ahold of the user token and
do file security checks. I am surei ts possible but I don't know how.
I will do some research shortly and see what I can come up with.

If all users can open all files, then there is a deeper security
problem at hand, in which case I would recommend posting to the
security newsgroups for help.

Yes, not only are files visible, but also readable to everyone. I've
checked with System.Security that the currect user is logged in. I assume
it would return ASPNET if the request process was running in that user
context.

--
Paal Andreassen
cn*************@gevznarg.ab
(ROT13 to reply)