ASPNET user writing to a subfolder


Jiho Han

Should ASPNET user belong to the local Users group?
I may have made some changes that affected my workstation setup and I am
experiencing some unexpected behaviors.

For example, I have my IIS set up with anonymous login and have ASP.NET
running.
My ASP.NET application then creates a log file and writes to it during its
course. The only thing is that it should not be able to.

My questions are below. Please correct any incorrect assumptions I make as
well:

1. When IIS is in anonymous mode, ASP.NET app runs as ASPNET (or NETWORK
SERVICE) user.
Would <identity impersonate="true"> make the app run as IUSER_MACHINENAME
user?

2. When IIS is in Windows authentication mode, ASP.NET app still runs as
ASPNET (or NETWORK SERVICE) user unless you specify <identity
impersonate="true"> in which case, the app will run as the user
authenticated by IIS.

Also, this may seem like a stupid question but does <identity
impersonate="true"> have an effect on only the resources that are requested by
the application - i.e. file system access, directory service, etc. - or
does it change the user who's making the request in the first place?

Within the app, if I queried for the current user executing the app, would I
see IUSER_MACHINENAME in #1 and the authenticated user in #2? If I
specified a user in #2 (by supplying user/pass), would I see the specified
user from the app or does it only affect the access to the resources?

I hope the questions are not too confusing and thanks for your help.
Jiho
 
Another set of questions...

ASP.NET runs as ASPNET on pre-Windows 2003 and NETWORK SERVICE user on
Windows 2003 by default.

I found out that ASP.NET user on my workstation (XP) belongs to the local
Users group. Should this be? I looked at another installation which is
pretty much untouched after the ASP.NET (or framework SDK) installation and I
found the same to be true. This seems like a bad idea to me.

Then I can't find NETWORK SERVICE user anywhere in the Active Directory
Users and Computers tool on the Windows 2003 box. But I know that it's there
since I have a working ASP.NET app. I am not very familiar with AD and I
guess I am looking for a specific location where I can see the user listed
similar to how ASPNET user is listed in Windows 2000/XP. On a similar note,
I don't see NETWORK SERVICE user listed under the local built-in Users
group. Is it there but invisible somehow or is it not part of the group at
all? If it's the latter, then why would ASPNET user need to be in the Users
group?

Thanks for any info.
Jiho
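
A diagnostic handler for the questions in the two posts above, added here as an example and not code from anyone in the thread: it reports the Windows identity the request thread runs under, the user IIS authenticated, local Users group membership, and whether a write to a subfolder succeeds. The class name `WhoAmIHandler` and the `~/logs` folder are assumptions; compare its output with and without `<identity impersonate="true" />` in web.config.

```csharp
// Added example. WhoAmIHandler and the "~/logs" subfolder are hypothetical names.
using System;
using System.IO;
using System.Security.Principal;
using System.Web;

public class WhoAmIHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        HttpResponse r = context.Response;
        r.ContentType = "text/plain";

        // Windows token the request thread is executing under right now.
        // NTFS ACL checks on file access are made against this identity.
        WindowsIdentity current = WindowsIdentity.GetCurrent();
        r.Write("Executing as        : " + current.Name + "\n");

        // Identity authenticated for this request (empty name when anonymous).
        string authName = (context.User != null) ? context.User.Identity.Name : "";
        r.Write("Authenticated user  : '" + authName + "'\n");

        // Is the executing identity a member of the local built-in Users group?
        WindowsPrincipal principal = new WindowsPrincipal(current);
        r.Write("In BUILTIN\\Users    : " + principal.IsInRole(WindowsBuiltInRole.User) + "\n");

        // Write probe: create and delete a file in the subfolder the app logs to.
        string dir = context.Server.MapPath("~/logs");
        string probe = Path.Combine(dir, "write-probe.tmp");
        try
        {
            using (StreamWriter w = new StreamWriter(probe)) { w.Write("probe"); }
            File.Delete(probe);
            r.Write("Write to " + dir + " : ALLOWED\n");
        }
        catch (UnauthorizedAccessException)
        {
            r.Write("Write to " + dir + " : DENIED by ACL\n");
        }
        catch (DirectoryNotFoundException)
        {
            r.Write("Write to " + dir + " : folder does not exist\n");
        }
    }
}
```

If the write is reported as allowed, the ACL on the subfolder (often inherited from its parent) shows which entry grants it to the identity printed on the first line, for example through the Users group.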
 
The NETWORK SERVICE identity has also been confusing me.
I have not figured it all out yet but suggest at least the two Pattern
& Practice articles as a good start...

http://msdn.microsoft.com/library/d...-us/dnnetsec/html/secnetlpMSDN.asp?frame=true

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnbda/html/authaspdotnet.asp



--
<%= Clinton Gallagher
A/E/C Consulting, Web Design, e-Commerce Software Development
Wauwatosa, Milwaukee County, Wisconsin USA
NET csgallagher@ REMOVETHISTEXT metromilwaukee.com
URL http://www.metromilwaukee.com/clintongallagher/
 
Thanks Clinton, I'll take a look at them.

clintonG said:
The NETWORK SERVICE identity has also been confusing me.
I have not figured it all out yet but suggest at least the two Pattern
& Practice articles as a good start...

http://msdn.microsoft.com/library/d...-us/dnnetsec/html/secnetlpMSDN.asp?frame=true
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnbda/html/authaspdotnet.asp



--
<%= Clinton Gallagher
A/E/C Consulting, Web Design, e-Commerce Software Development
Wauwatosa, Milwaukee County, Wisconsin USA
NET csgallagher@ REMOVETHISTEXT metromilwaukee.com
URL http://www.metromilwaukee.com/clintongallagher/
 