Hi there,

I'm going to be using (anonymous) impersonation on my web site so everything
will run under IUSR. I'm a little confused about what end-users will be able
to do versus my app itself however. For instance, if I create a read-only
folder, my app (running under IUSR) can read it without issue. However, I
don't want end-users to be able to see it. Therefore, even if directory
browsing is turned off, is there any way for end-users to be able to read
what's in the folder since IUSR still has read permissions (or worse yet,
write to the folder if write permissions is also on). Thanks in advance.

On Mar 4, 6:39*am, "LP" <no_spam@_nospam.com> wrote:
> Hi there,
>
> I'm going to be using (anonymous) impersonation on my web site so everything
> will run under IUSR. I'm a little confused about what end-users will be able
> to do versus my app itself however. For instance, if I create a read-only
> folder, my app (running under IUSR) can read it without issue. However, I
> don't want end-users to be able to see it. Therefore, even if directory
> browsing is turned off, is there any way for end-users to be able to read
> what's in the folder since IUSR still has read permissions (or worse yet,
> write to the folder if write permissions is also on). Thanks in advance.


Since your app will be accessible to the end user and under their
control, anything your app can access can potentially be accessed by
the end-user. It doesn't matter how you authentication or impersonate.

Your only defense is to not write a security vulnerability in your
application code to allow your security nightmare to happen.

For example, you can turn directory browsing off, but if your
application allows users to access CreateFile-like behavior, depending
on its implementation, may be vulnerable to be used as directory
browsing. Same thing with write permissions.

Since Web servers are designed to serve resources under its websites
after passing Authentication, if you want to prevent the end-user from
using the Web Server itself (not just your application) to read files
you want to hide, then do NOT put those files in directories that are
part of any website.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//

> Since your app will be accessible to the end user and under their
> control, anything your app can access can potentially be accessed by
> the end-user. It doesn't matter how you authentication or impersonate.

> Your only defense is to not write a security vulnerability in your
> application code to allow your security nightmare to happen.

> For example, you can turn directory browsing off, but if your
> application allows users to access CreateFile-like behavior, depending
> on its implementation, may be vulnerable to be used as directory
> browsing. Same thing with write permissions.

> Since Web servers are designed to serve resources under its websites
> after passing Authentication, if you want to prevent the end-user from
> using the Web Server itself (not just your application) to read files
> you want to hide, then do NOT put those files in directories that are
> part of any website.

Thanks for the info but I still need clarification. I don't completely
understand how to secure my site from anonymous users if read-only means
that not only can my app read the data (while running under IUSR), but so
can anonymous users on the Internet. The "App_Data" folder is a good
example. Can someone simply read this from their browser for instance (just
by guessing a file's name) or even write to it somehow. If so then to
protect against it, my first instinct would be to deny access to IUSR but
then my app would have to explicitly impersonate some other valid user in
order to access the folder. On a 3rd-party web-hosting site you would likely
have to use your personal account for that which means securing my password
on the server and then going through the trouble of impersonating. Moreover,
if I understand things correctly, the ASPNET account itself ("Network
Service" on Win2003 Server) still requires read/write to this folder (for
various housekeeping tasks) regardless of who my app is impersontating (IUSR
or otherwise). This all seems very complicated and therefore unlikely, i.e.,
I assume most web sites don't lock down "App_Data" this way meaning that
anonymous users can read its contents, is this not correct? If so then it's
a security problem so can you elaborate on this situation? Thanks.

asp_net "locks" down app_data, so no browser requests for a file in the dir
is allowed. it will be safe unless your code has a security bug that allows
reading/writing from this folder,

-- bruce (sqlwork.com)


"LP" wrote:

> > Since your app will be accessible to the end user and under their
> > control, anything your app can access can potentially be accessed by
> > the end-user. It doesn't matter how you authentication or impersonate.
>
> > Your only defense is to not write a security vulnerability in your
> > application code to allow your security nightmare to happen.
>
> > For example, you can turn directory browsing off, but if your
> > application allows users to access CreateFile-like behavior, depending
> > on its implementation, may be vulnerable to be used as directory
> > browsing. Same thing with write permissions.
>
> > Since Web servers are designed to serve resources under its websites
> > after passing Authentication, if you want to prevent the end-user from
> > using the Web Server itself (not just your application) to read files
> > you want to hide, then do NOT put those files in directories that are
> > part of any website.
>
> Thanks for the info but I still need clarification. I don't completely
> understand how to secure my site from anonymous users if read-only means
> that not only can my app read the data (while running under IUSR), but so
> can anonymous users on the Internet. The "App_Data" folder is a good
> example. Can someone simply read this from their browser for instance (just
> by guessing a file's name) or even write to it somehow. If so then to
> protect against it, my first instinct would be to deny access to IUSR but
> then my app would have to explicitly impersonate some other valid user in
> order to access the folder. On a 3rd-party web-hosting site you would likely
> have to use your personal account for that which means securing my password
> on the server and then going through the trouble of impersonating. Moreover,
> if I understand things correctly, the ASPNET account itself ("Network
> Service" on Win2003 Server) still requires read/write to this folder (for
> various housekeeping tasks) regardless of who my app is impersontating (IUSR
> or otherwise). This all seems very complicated and therefore unlikely, i.e.,
> I assume most web sites don't lock down "App_Data" this way meaning that
> anonymous users can read its contents, is this not correct? If so then it's
> a security problem so can you elaborate on this situation? Thanks.
>
>
>

> asp_net "locks" down app_data, so no browser requests for a file in the
> dir
> is allowed. it will be safe unless your code has a security bug that
> allows
> reading/writing from this folder,

Thanks for setting me straight on that. What about other standard folders
like "bin" however. For non-standard folders, I assume I would have to
explicitly deny access to IUSR and impersonate another account to access it
(in my own code which is also running as IUSR).