
NTFS rights not honored

Running Windows 2003 Server
Framework 1.1

A site is configured to use integrated security (in IIS 6)
Windows authentication and user impersonation in web.config
<identity impersonate="true" />
<authentication mode="Windows" />

I've got an ASPX page that lists folders and files from a predefined
location on the server. These folders and files have access rights set to
them by NTFS security. The problem is that everyone can see every file
and folder, even though NTFS does not permit them.

How can I expose a file structure for browsing through ASP.NET and
still honouring NTFS file rights?

--
Pål Andreassen
cn*************@gevznarg.ab
(ROT13 to reply)
Nov 22 '05 #1
3 Replies


"Pål Andreassen" <se*@signature.for.email> wrote in message
news:Xn**********************************@207.46.2 48.16...
> Running Windows 2003 Server
> Framework 1.1
>
> A site is configured to use integrated security (in IIS 6)
> Windows authentication and user impersonation in web.config
> <identity impersonate="true" />
> <authentication mode="Windows" />
>
> I've got an ASPX page that lists folders and files from a predefined
> location on the server. These folders and files have access rights set to
> them by NTFS security. The problem is that everyone can see every file
> and folder, even though NTFS does not permit them.
>
> How can I expose a file structure for browsing through ASP.NET and
> still honouring NTFS file rights?

As I recall, NTFS makes no effort to hide files you have no access to from
you, it simply will not let you access them. You need go no further than
your own C (or whatever drive has Windows anyway) drive to find that. In
c:\documents and settings\ you can see other users' folders, and you can see
the c:\system volume information folder (assuming you have hidden files
showing).
It is an annoyance but a feature that's still missing in ntfs5 and win2k\xp.
There is a level of hope that it will be added in Longhorn. I assume that is
what you mean, or can they open files as well?

However, you could probably modify your aspx page to filter based on
permissions, you will simply need to get ahold of the user token and do file
security checks. I am sure it's possible but I don't know how. I will do some
research shortly and see what I can come up with.

If all users can open all files, then there is a deeper security problem at
hand, in which case I would recommend posting to the security newsgroups for
help.

> --
> Pål Andreassen
> cn*************@gevznarg.ab
> (ROT13 to reply)

Nov 22 '05 #2
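
One way to do the filtering suggested in the reply above, as an added example that is not code from the thread: probe each entry under the identity the request thread is running as, and list only what that identity can open. The class and method names are hypothetical; it sticks to System.IO probing because Framework 1.1 has no System.Security.AccessControl.

```csharp
using System;
using System.Collections;
using System.IO;
using System.Security;
using System.Security.Principal;

// Hypothetical helper; names are assumptions, not from the thread.
public class AccessFilteredListing
{
    // The account NTFS actually checks: the thread's Windows token,
    // which is not necessarily the name shown in Page.User.Identity.
    public static string EffectiveAccount() { return WindowsIdentity.GetCurrent().Name; }

    // True only if the effective account can open the file for reading.
    public static bool CanRead(string file)
    {
        try { using (File.Open(file, FileMode.Open, FileAccess.Read, FileShare.ReadWrite)) { } return true; }
        catch (UnauthorizedAccessException) { return false; }
        catch (SecurityException) { return false; }
        catch (IOException) { return false; } // locked or vanished: fail closed
    }

    // True only if the effective account can enumerate the folder.
    public static bool CanList(string dir)
    {
        try { Directory.GetFileSystemEntries(dir); return true; }
        catch (UnauthorizedAccessException) { return false; }
        catch (SecurityException) { return false; }
        catch (IOException) { return false; }
    }

    // Entries directly under root that the effective account may open or enumerate.
    public static string[] VisibleEntries(string root)
    {
        ArrayList visible = new ArrayList();
        foreach (string dir in Directory.GetDirectories(root))
            if (CanList(dir)) visible.Add(dir);
        foreach (string file in Directory.GetFiles(root))
            if (CanRead(file)) visible.Add(file);
        return (string[])visible.ToArray(typeof(string));
    }

    public static void Main(string[] args)
    {
        Console.WriteLine("Effective account: " + EffectiveAccount());
        foreach (string entry in VisibleEntries(args.Length > 0 ? args[0] : "."))
            Console.WriteLine(entry);
    }
}
```

If `EffectiveAccount()` returns the worker-process account rather than the browsing user, NTFS is evaluating that account's rights for every visitor. The filtered list is only a display filter: the file must still be opened under the same identity when it is served.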

"Daniel O'Connell" <onyxkirx@--NOSPAM--comcast.net> wrote in
news:uR**************@TK2MSFTNGP12.phx.gbl:
> However, you could probably modify your aspx page to filter based on
> permissions, you will simply need to get ahold of the user token and
> do file security checks. I am sure it's possible but I don't know how.
> I will do some research shortly and see what I can come up with.
>
> If all users can open all files, then there is a deeper security
> problem at hand, in which case I would recommend posting to the
> security newsgroups for help.

Yes, not only are files visible, but also readable to everyone. I've
checked with System.Security that the correct user is logged in. I assume
it would return ASPNET if the request process was running in that user
context.

--
Paal Andreassen
cn*************@gevznarg.ab
(ROT13 to reply)
Nov 22 '05 #3

Hrmm, then there are some strange situations here. Someone more versed in
security is probably a more valuable asset. All I can say is are you sure
you have your folder permissions applied correctly?

"Pål Andreassen" <se*@signature.for.email> wrote in message
news:Xn**********************************@207.46.2 48.16...
> "Daniel O'Connell" <onyxkirx@--NOSPAM--comcast.net> wrote in
> news:uR**************@TK2MSFTNGP12.phx.gbl:
> > However, you could probably modify your aspx page to filter based on
> > permissions, you will simply need to get ahold of the user token and
> > do file security checks. I am sure it's possible but I don't know how.
> > I will do some research shortly and see what I can come up with.
> >
> > If all users can open all files, then there is a deeper security
> > problem at hand, in which case I would recommend posting to the
> > security newsgroups for help.
>
> Yes, not only are files visible, but also readable to everyone. I've
> checked with System.Security that the correct user is logged in. I assume
> it would return ASPNET if the request process was running in that user
> context.
>
> --
> Paal Andreassen
> cn*************@gevznarg.ab
> (ROT13 to reply)

Nov 22 '05 #4
