Properly secure IIS 7 read/write folder - asp.net

I am running IIS 7 and ASP.NET 4. It's an online charting application where one folder needs to have read/write access. Users don't upload anything into this folder directly; instead they configure chart settings and then ASP.NET generates the chart on the server and saves it as an image into that read/write folder. Users are redirected to download the image of the chart from that folder.
In order to allow IIS/ASP.NET to save an image into the folder, I give WRITE permission to IIS AppPool/ChartApp account.
But, I am worried to have write access on a folder that's open to HTTP. While there is no direct way to upload a file via my site into that folder, I am concerned that hackers will find a way to upload a script and then execute it. Are these valid concerns? Is there anything else I need to do to secure such a read/write folder?
Thanks.

The configuration is sound and a normal standard setup. As you point out, there is no way to upload a file unless you add one.
If your particularly paranoid about this, you can setup a new user account and use that account as the 'anonymous user' account (which is the credentials used by the common browsing user on your site), and ensure that account doesn't have write acccess while the AppPool account does. The anonymous user uses the AppPool identity by default.
What are all the user accounts for IIS/ASP.NET and how do they differ? has details on each different account type.

What I ended up doing is to use a different account to write the file. The code from this article worked well for impersionation. The account that writes the file has write permissions, and the "main" AppPool account is still read only.

Related

Write permission for a specific folder in web.config

My question is preaty simple. Is there any way to give current user (IIS User, in this case, ASP NET USER) permission to write to a specific folder location (folder inside our web application) using web.config? Because, it's getting boring to ask to the web hoster to gain access to a specific folder each time we want to do a file uploader on a website.
I know it's maybe preaty simple to find an answer using google, but it keeps returning me how to write INTO web.config instead of permission to write into web.config FOR a specific folder. In addition, I'm french so my english is not at the top.
No. If that was possible, you could write an application which, when deployed on a server, would allow you to write to any directory on the disk despite write access being denied by the administrator.
You can easily grant permissions for a local user (e.g. the user that the IIS worker process/app pool is running as) to a folder anywhere on your filesystem actually through rights permissions in Windows itself but this does not allow for doing this through the web.config file itself. Please give us a description of what you're trying to do specifically and there may be a better solution. The solution I mentioned above could be a bit of a security risk but it depends on the needs and situation.
So, from what I understand .NET (and web.config) don't really control write permissions.
You'll need to either expose the folder from a filesystem and/or webserver level to allow people access (though this may be somewhat of a security issue depending on your scenario). Or another possibility would be to create a simple web-page that allows uploading files to the directory.

asp.net log files permissions

Our asp.net app writes errors to a text log file in the web sites root folder. This has lead to all sorts of permission problems, different flavors of IIS and windows allow different things by default.
So what I am wondering is there a location somewhere in Windows where all types of users can write a file without any extra permissions that will also work for all IIS and flavors of windows?
I am thinking of the ApplicationData folder, but did this exist in Server 2003 ?
Thanks,
AJ
The easiest solution would be to use the App_Data subfolder of your web application for this. By default it's not viewable from the web, so Internet clients won't be able to read the logs.
Depending on your deployment method, you might have to change the permission to allow write access to this folder (to the user under which your web application is running).
Alternatively, there is a place where every user can write to: It's that user's temporary folder, which you can access through Path.GetTempPath. This, however, does not sound like a suitable location for log files.
You should always first think about wwwroot folder (%systemdrive%\inetpub\wwwroot) because it has the required permission.
The permission you need is to set a full control for IIS_IUSRS
Edit: you can simply give Everyone Full Control (not recommended at all) but this solves most of ntfs permissions issues with IIS

ASP.Net write temp file on server

I have an ASP.Net (2.0) application on an intranet that needs to impersonate the users Windows login, which it does by having
identity impersonate="true"
in the web.config file.
In a couple of places it needs to create a file in the Temp folder of the server (a text file in one instance and a Word doc in another instance) before sending the resulting file to the user, after which it is deleted from the Temp folder.
It runs into a permission problem, because the user that is being impersonated does not have permission to write to the server's hard drive.
I was hoping I could switch to the default IIS (or some other built in account) to do the file access functions.
Is that possible? If so, how? I can't create any new accounts on the server.
It is Windows Server 2003.
Thanks
Yes it is possible using the System.Security.Principal namespace, see http://support.microsoft.com/kb/306158 for an example.
Basically you switch to a context that has permissions by impersonating the appropriate user account, perform your file IO then undo the impersonation.
However the easier solution would be to grant write access to the users (or groups). Grant permissions to the domain account/group so you don't have to create local accounts on the server.
I already had problems like yours, then I changed my mind and started using memorystreams and immediately writing them to the response object (instead writing it to disk and after send to the client). This way I save on being concerned in deleting it after downloaded by user.
The simplest way is probably to give the 'Everyone' group write access to the temp folder

ASP.NET access files on another computer shared folder

I have ASP.NET project which do some file access and manipulation, the methods which I use for file access are below. Now I need to access files on another server shared folder, how to do that? I easily can change file path to shared folder path but I get "can't access" error because shares are password protected.
As I understand I need somehow to send credentials to remote server before executing methods below. How to do that?
FileStream("c:\MyProj\file.doc", FileMode.OpenOrCreate, FileAccess.Write)
Context.Response.TransmitFile("c:\MyProj\file.doc");
Regards,
Tomas
An ASP.NET application (by default) will execute in IIS6 under the "ASPNET" computer account. You therefore have a couple of options:
Configure your ASPNET application to run under a (weak) domain account with permissions to access the remote computer's share
Set the permissions on the share to enable access to "Everybody" (not recommended)
Disable Forms authentication and use Windows authentication in your ASP.NET app. Turn off impersonation in web.config and IIS should pass the credentials of the user who is currently using your web application through to the underlying share (I think).
The latter option is only useful, of course, if your users all have domain accounts on your intranet, for instance. I'll continue to look around for ways to add credentials but I'm not sure off the top of my head if that's possible.
HTH,
Richard.

ASP/ASP.NET Best way to handle write permissions?

Say you have public ASP.NET (and Classic ASP) applications on IIS with a script/page that needs to write or update html files in a specific folder that is located within the web publishing folder tree.
What is the proper way to handle this and exactly how do you do it? (i.e. set directory permissions in IIS or windows explorer)
My main concern is that I want to let the ASP/ASP.NET apps write to a folder, but I don't want regular http users to be able to put files into it directly via HTTP PUT.
You'll want to set your NTFS permissions as follows:
IUSR_<MachineName> - The anonymous user should only have READ access
Network Service (or App Pool identity) - READ and WRITE access
With these permissions, you can most likely safely remove the Everyone and Authenticated Users accounts from the ACL as well.
More info:
http://support.microsoft.com/kb/815153
Don't enable writing in IIS--that only speaks to HTTP PUT, not underlying filesystem permissions. Then do what gattaca said.

Resources