aspx thread: iis lock down, session variables from asp2/3


Message #1 by "Khurram Aziz" <khurram@n...> on Tue, 14 May 2002 20:16:47 +0500
I am about to implement ASP.NET into my running project....and have a few
questions...

My web server (Win 2000 Server) has the IIS Lockdown tool...After installing
.NET there is an ASPNET user there.

Should we add ASPNET into the Web Application group that the IIS Lockdown tool
made?

It seems that if the ASPNET user has no access to my web folder, ASP.NET doesn't
work.
What about a virtual hosting scenario? Where does IUSR_ (web anonymous group of IIS
Lockdown) fit in? We have users (web anonymous group members) and each web
is running under its own user and each user only has access to their web
folder. Giving the ASPNET user access to all home folders will definitely be a
security risk. Comments?

I am administering a portion of a complete web site, a sub web...and my team
lead is not yet ready to port the whole site to ASP.NET...my sub web gets
parameters, like the logged-in user and other parameters (used for inter sub web
authentication) over session variables, and exposing the variables over
query string is not feasible. What's the best practice to import partly or
completely session variables of ASP 2/3 to ASP.NET?
Query string is not feasible....
How about COM which gives ASP's session variables and using inter-op in
ASP.NET?

Regards



Message #2 by Feduke Cntr Charles R <FedukeCR@m...> on Tue, 14 May 2002 10:35:14 -0400
Khurram,

Although I can't really help you, I can comment.  Yes, giving the
ASP.NET user rights to users' home folders will be a security risk,
especially when exploits for ASP.NET start to hit the internet.  As far as
exchanging Session data between ASP and ASP.NET, you are right: query
strings would be a horrible and unacceptable way to do this.  I would
strongly recommend you use .NET's interop services and write a COM class to
expose the session collection (in fact I think it could even be done in VB
6.0 using one of those IIS libraries!).  I hope someone has already done
this and released the source code, or someone on the list has knowledge of
an existing solution - I can't imagine MS hasn't already addressed this
shortcoming so maybe you'd find some help on msdn.microsoft.com.

- Chuck


Message #3 by "Khurram Aziz" <khurram@n...> on Wed, 15 May 2002 22:50:03 +0500
Here is what I have got....

By default you have in your machine.config,
<identity impersonate="false" userName="" password=""/>
which in short means that the ASPNET user will be used
for the ASPNET worker process. You can set impersonate to true, resulting in all
ASPNET worker processes on the machine running under the account of IIS's web user
(whoever is logged on, or whatever you have set as the anonymous user).

Now you need to give a couple of access rights to your user, which include:
Read/write to the ASP.NET temp files folder in your .NET install root
Read/write to the operating system's TEMP folder
Read/execute access to the .NET install root

Regards
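
Added example, not part of the original thread: the machine-wide default quoted in Message #3 beside a per-site web.config override that turns impersonation on, which is the setting relevant to the virtual-hosting question in Message #1. The one-site-per-customer layout and the <version> placeholder are assumptions.

```xml
<!-- machine.config: the default quoted in Message #3.
     Impersonation is off, so request code for every site on the
     box runs as the single ASPNET account. -->
<configuration>
  <system.web>
    <identity impersonate="false" userName="" password="" />
  </system.web>
</configuration>

<!-- web.config in the root of one hosted site (assumed layout:
     one IIS site per customer, each with its own anonymous account).
     With impersonate="true" and no userName, request code runs as
     the identity IIS passes in for that site, so the NTFS ACL on the
     customer's folder only needs to name that customer's account. -->
<configuration>
  <system.web>
    <identity impersonate="true" />
  </system.web>
</configuration>

<!-- NTFS grants Message #3 lists for the impersonated account:
       read/write   %windir%\Microsoft.NET\Framework\<version>\Temporary ASP.NET Files
       read/write   the operating system TEMP folder
       read/execute %windir%\Microsoft.NET\Framework\<version>
     Nothing in that list requires access to another customer's
     home folder. -->
```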


