Rick Strahl's Web Log

Configuration File Settings and ASP.Net Security

Somebody brought up a good point about my Configuration Settings class today that I failed to mention in the article: the security requirements an ASP.Net application has to meet before it can actually make changes to its .Config file.

If you are running in the default security environment, the ASP.Net application runs under the ASPNET or NETWORK SERVICE account, and these accounts usually don't have rights to write to web.config or to any other part of the application directory.

I personally run my ASP.Net apps under a specific user and assign this user to a Windows 2003 Application Pool which I then use for the application. Usually I configure this user to have read/write access in the application directory because I have a number of tasks that read and write to the file system in various places of my framework. I don't feel this is a huge security risk because in order to do anything with these 'loose' permissions somebody has to first be able to compromise either my app (via some script or injection) or the machine itself. If that's the case my Web directory is probably the last thing I need to worry about.

So, by default ASPNET and NETWORK SERVICE aren't allowed to write, and if you're not comfortable with the environment I run (and many aren't) you can limit your exposure by granting these accounts read/write access to web.config only. These accounts already have read access to the file (although it can't be retrieved over the Web, because ASP.Net's internal forbidden handlers block requests for .config files), which if anything is the bigger vulnerability.

Using Impersonation in a separate web.config
As I was thinking about this I found another solution that should work without changing any security settings, provided you have a separate directory that all Admin requests run through. Updating web.config should not be something you do frequently, so the requirement to run from a separate directory should be workable. All my apps use an Administration path for all admin tasks, for example, and I can place a separate web.config there that uses Impersonation to run under the account the user logged in under.

In this admin directory, which should sit below your app root, you can add a secondary web.config file that overrides the security settings of the primary web.config. Set it to use Windows Auth and Impersonation like this:

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
    <system.web>
        <!-- Run requests in this directory under the logged-on Windows user -->
        <identity impersonate="true" />
        <!-- WS: Allow only Authenticated users -->
        <authorization>
            <deny users="?" />
        </authorization>
    </system.web>
</configuration>

This is basically telling ASP.Net to impersonate the logged-on user and to deny anonymous access, which forces a login when any page in the directory containing this web.config (or below it) is accessed. Now when you hit any page in the admin directory the remote user is impersonated, and if this remote user has the appropriate rights on the server, the application has the rights to write web.config. This means an anonymous user has no access, but I as an Admin user have the rights to actually write to the .config files.

I just tried this and it works great, even though several sources I checked state that you can't set authentication in a subdirectory below the app root. It works though.
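To see which account a request in the admin directory actually runs as, and whether that account may write web.config before a save is attempted, here is an added C# helper (my example, not code from the post or from the Configuration Settings class). The class and member names are assumptions, and it assumes Windows authentication with the sub-directory web.config shown above.

```csharp
using System;
using System.IO;
using System.Security.Principal;
using System.Web;
// Added example (hypothetical class name): run from a page in the impersonating
// admin directory to confirm the effective identity and its write rights.
public class ConfigWriteCheck
{
    public string EffectiveAccount;  // account whose token the request thread carries
    public string AuthenticatedUser; // user ASP.Net authenticated ("" for anonymous)
    public bool CanWrite;            // true only if a write handle could be opened
    public string Detail;

    public static ConfigWriteCheck Run(string configPhysicalPath)
    {
        ConfigWriteCheck result = new ConfigWriteCheck();
        // With <identity impersonate="true" /> this is the logged-on Windows user;
        // without it, it is the worker process account (ASPNET / NETWORK SERVICE
        // or the application pool identity), which normally cannot write web.config.
        result.EffectiveAccount = WindowsIdentity.GetCurrent().Name;
        HttpContext ctx = HttpContext.Current;
        result.AuthenticatedUser =
            (ctx != null && ctx.User != null) ? ctx.User.Identity.Name : "";
        try
        {
            // FileMode.Open with FileAccess.Write does not truncate or modify the
            // file, so this probes the ACL without touching the configuration.
            using (FileStream fs = new FileStream(configPhysicalPath,
                       FileMode.Open, FileAccess.Write, FileShare.Read))
            {
                result.CanWrite = true;
                result.Detail = "write access confirmed for " + result.EffectiveAccount;
            }
        }
        catch (UnauthorizedAccessException ex)
        {
            // Anonymous or under-privileged account: callers should refuse to save.
            result.CanWrite = false;
            result.Detail = ex.Message;
        }
        catch (IOException ex)
        {
            // File missing or locked by another writer.
            result.CanWrite = false;
            result.Detail = ex.Message;
        }
        return result;
    }
}
```

Call it from the admin page with ConfigWriteCheck.Run(Server.MapPath("~/web.config")) and only proceed with a save when CanWrite is true; EffectiveAccount shows immediately whether impersonation took effect or the request is still running as the worker process account.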

Feedback for this Post

# re: Configuration File Settings and ASP.Net Security
by Peter April 01, 2004 @ 4:18am
I found some Windows API calls for Windows impersonation. These may be difficult to port to ASP.NET, but might provide a novel way of overcoming the impersonation issue.

Pete.
# re: Configuration File Settings and ASP.Net Security
by Rick Strahl April 14, 2004 @ 1:55am
Peter why would you need to do that? ASP.Net lets you use Impersonation pretty easily if you choose. The above approach works really well for administrative paths in general as it doesn't require any ACLs to be set on the directory (unless you have sensitive files stored there like logs etc.).
# re: Configuration File Settings and ASP.Net Security
by S.Ahamed Shah November 10, 2004 @ 11:58am
Hello Sir,
I am facing a problem: when I am running my program on my local server I am able to access all the pages. But when I place it on the server and access it, it gives me an error

"Please make < customErrors > tag in "Web.config" configuration file which exists in the root directory of a present Web application to make details of this error message can displayed with a remote computer. Afterwards, please set "Mode" attribute to "Off" with this < customErrors > tag."

Can you please help me out with this?

# re: Configuration File Settings and ASP.Net Security
by jaba November 29, 2004 @ 1:03am
Hi,
I am facing a serious problem running an ASP.NET application. Actually, on our production server we have Windows Server 2003 Enterprise Edition running IIS 6.0 and .NET Framework 1.1. Every request for every .aspx file results in a "Server Application Unavailable" message in the browser. No errors are recorded in the Event Viewer.

Any suggestions are appreciated.

thanks
jaba
# Server Application Unavailable
by Sumesh January 27, 2005 @ 6:50pm
I use .net 1.1.

When I query more tables from the database using ASP I end up with the following error.

Server application unavailable

For smaller queries I don't get any error.

Can anyone solve this problem?

I changed the processModel attribute to "SYSTEM" (one of the suggested answers). I also increased the memory limit to 90, but I still end up with the same error.

Can anyone help me out?
# re: Configuration File Settings and ASP.Net Security
by Stan Mezyk March 02, 2005 @ 8:21am
How will it work when I use the following in my web.config:
<appSettings file="myProd.config">
</appSettings>
Will myProd.config overwrite my above myProd.config?
Thanks,
Stan
# re: Configuration File Settings and ASP.Net Security
by Rick Strahl March 02, 2005 @ 11:51am
That config file will have the same security as the main config file, so the security still applies.
# re: Configuration File Settings and ASP.Net Security
by Aamir March 14, 2005 @ 6:11am
Dear sirs;
I have a small problem. In fact I have some HTML files which are stored in a folder with the name articles. I want only registered users to be able to view the HTML files, but they should not be accessible from a direct link, suppose eye4tech.us/volume/artical/getit.html
I use the Windows authentication method, but using this method I can only restrict aspx files, not HTML files. So please, what's the way?
Thanks
# re: Keyword not supported: 'provider'.
by tanujareddy April 08, 2005 @ 1:00am
Hello,
when I am trying to connect to SQL Server using ADO.NET I am getting the error "keyword not supported: 'provider'". Please help me.

I have written the code as

con = new SqlConnection("Provider=SQLOLEDB.1;User ID=sa;Initial Catalog=admin;Data Source=(local)"); // Provider= is an OLE DB keyword that SqlConnection rejects

# Failed to impersonate the Anonymous User for ASP Application /LM/W3SVC/2/Root.
by Nazeeb. April 18, 2005 @ 10:31pm
Hi

When I am accessing the site I am getting the above error. We are using IIS 6. In IIS the hierarchy of the site I am accessing is a child and it is using anonymous, whereas the parent is using integrated, and everything above is using both anonymous and integrated. Can you suggest something on this?
# re: Configuration File Settings and ASP.Net Security
by Rick Strahl April 18, 2005 @ 10:47pm
Nazeeb, most likely somebody has messed with the account that is used for anonymous access on your site. Either the rights or password has changed or the account was removed. The easiest thing is to go into IIS, check the account, remove it and add it back in to re-align the SID if necessary, and also make sure that the account used is active.
# Understanding ASP.NET Impersonation Security
by Rick Strahl's WebLog May 18, 2005 @ 1:10am
Understanding how ASP.NET's internal security works is important if your application needs to access resources on the local machine. Specifically it's important to know exactly which account your ASP.NET application is running under. This entry reviews different ways of how this account is affected by different versions of Windows, and ASP.NET configuration.
# Configuration ASP.Net Application on Different Machine
by UB May 20, 2005 @ 10:03pm
Hi

I developed an ASP.NET application on a system with WinXP Pro and VS2003, with MySQL as the backend. This application was working fine on the same system. But when I moved this application to the local server, which also has IIS 5.1 and a virtual directory, I could not run it. The error was "the page cannot be found". Can anyone help me out? And is it necessary to have VS2003 to run the ASP.NET application?

Thxs
# Browser Compatibility for asp.net validators
by Parag June 06, 2005 @ 3:59am
I have developed an asp.net application which is running well.
But the validation controls are not supported by Netscape (they are supported well by the IE browser).
I've also tried various asp.net <browsercaps> codes, but could not succeed.
Can anybody provide me the latest <browsercaps> code or some other solution regarding this?
Thanks in advance
Parag
# Need Help
by Niraj Mehta February 12, 2006 @ 10:43pm
I am using Windows 2003 Server Standard Edition. I just prepared this machine to use for one ASP.net application. I am using IIS 6.
The ASP.net application runs fine but it becomes unavailable every hour with a big red message "Server Application Unavailable".

I am also using simple ASP pages and they are running fine, but the ASP.net application gives this error. Please help.

niraj@anantsoftech.com
# re: Configuration File Settings and ASP.Net Security
by Adeel Anjum July 19, 2006 @ 2:20am
I have developed an application on IIS 5.1 with asp.net. There is a report which takes nearly 8 to 10 minutes to run. On IIS 5.1 it displays the report in the specified time. When I hosted this application on IIS 6, after exactly 2 minutes (I have counted the time myself :) ) it always gives me the error "Time out expired". I have tried so many things, i.e. increased the connection timeout on IIS 6, changed the time settings in machine.config and also specified server.scripttimeout etc., but nothing seems to work. Then somewhere I read that this is the default behaviour of IIS 6.
Can somebody guide me.

my email address is adeelanjum2001@hotmail.com

thanks in advance
# re: Configuration File Settings and ASP.Net Security
by Rick Strahl July 19, 2006 @ 3:06am
You need to look into the httpRuntime executionTimeout setting most likely. That and IIS Request Timeout will determine how long the server allows a request to run before it's considered hung and failed.
# Process related question
by Jinu George August 02, 2006 @ 4:14pm
Hi,

In a web application, if I try to start a process, it runs under the ASPNET user. I have tried the different solutions without any resolution. No matter which solution I use the process is started under the same user name.

My requirement is to run the process under another user name other than ASPNet user. Can you suggest a method.

Thanks,
Jinu
# re: Configuration File Settings and ASP.Net Security
by Rick Strahl August 02, 2006 @ 4:38pm
You need to change the setting in machine.config (the global web.config for 2.0) under XP and Windows 2000. In IIS 6 and later the user is determined by the IIS Application Pool.
# re: Configuration File Settings and ASP.Net Security
by Muhammad Omais August 08, 2006 @ 3:57am
Hello Sir,
I am facing a problem: when I am running my program on my local server it gives me an error

"Please make < customErrors > tag in "Web.config" configuration file which exists in the root directory of a present Web application to make details of this error message can displayed with a remote computer. Afterwards, please set "Mode" attribute to "Off" with this < customErrors > tag."

Can you please help me out with this?

email: m.omais@gmail.com
# Creating Virtuals and reading Installed Sites on IIS with .Net - Rick Strahl's Web Log
by Rick Strahl's Web Log September 27, 2006 @ 2:51pm
# Updated Configuration Class Article and Code - Rick Strahl's Web Log
by Rick Strahl's Web Log September 28, 2006 @ 8:51am
I've updated the Building a better .Net Application Configuration Settings Class article and code. There have been a number of additions to the class including support for writing to external .Config files and writing to custom sections.
# re: Configuration File Settings and ASP.Net Security
by Michael October 02, 2006 @ 6:33pm
This one had me really stumped because I wasn't able to give the user account the web application runs under permissions to the web.config file and if I used impersonation then the site wouldn't load because the impersonated user didn't have access to the temporary directory.

However, adding impersonation to a web.config file under a subdirectory worked perfectly. Thank you so much I never would have thought of doing that.
# Creating Virtuals and reading Installed Sites on IIS with .Net - Rick Strahl
by Rick Strahl October 05, 2006 @ 3:22pm
# re: Configuration File Settings and ASP.Net Security
by yusuf nar'in programlama sitesi October 12, 2006 @ 3:12am
i encounter the same problem and i wonder the solution...
# Putting up a Web Store SandBox with ASP.NET 2.0 - Rick Strahl's Web Log
by Rick Strahl's Web Log October 15, 2006 @ 6:36am
Last night I put together another ASP.NET 2.0 Web Store site to put out as a SandBox for people to play around with. I'm getting the process down, but this was a little different install in that it's supposed to open everything up including the backend, yet without blowing security. This post discusses a few of the thoughts that went into this and also touches on some ASP.NET 2.0 deployment issues once again.
# re: Configuration File Settings and ASP.Net Security
by Srinivas February 06, 2008 @ 1:54am
I need your help regarding my issue. In my web application I wrote the code for an Export to Excel feature. The application is enabled for Windows Authentication. When a user logs into the system and tries to Export to Excel, the required Excel file is created and saved in the TEMP folder, which is where I asked the application to save it. But when I try to open that file from that folder, there is an access problem for the logged-in user with permissions.

Can anyone help me with this pleaseeeeee? It's very urgent.

Thanks in Advance
Srinivas
# re: Configuration File Settings and ASP.Net Security
by Durdenet July 18, 2008 @ 2:39am
Nobody said that this DOES NOT apply if you are using Form authentication throughout your application. Am I correct?
In that case the only workable way is programmatic impersonation.
Right?
# re: Configuration File Settings and ASP.Net Security
by John Dieter March 02, 2010 @ 12:19pm
I have a service. I have a WinForms app that configures the service. Now that wonderful Win7 and 2008 are here, I can no longer write to the service's .config file using System.IO.
How do I get my settings from my WinForms app into the service's config file?
I have to put a shared file somewhere.


West Wind  © Rick Strahl, West Wind Technologies, 2005 - 2014